XChat....

Ed Begens edbegens at gmail.com
Sun Mar 29 18:01:02 UTC 2015


Isn't HexChat in the repos the re-spin of XChat?

On 03/29/2015 01:53 PM, Marc Deslauriers wrote:
> On 2015-03-29 01:02 PM, Nick T. wrote:
>>
>>
>> On 03/29/2015 07:57 PM, Marc Deslauriers wrote:
>>> On 2015-03-29 12:45 PM, Nick T. wrote:
>>>> Hello,
>>>> As some of you should know, XChat is unmaintained.
>>> It's still maintained in Debian and Ubuntu.
>>>
>>>> First of all looking at the CVEs at
>>>> http://www.cvedetails.com/vulnerability-list.php?vendor_id=552&product_id=&version_id=&page=1&hasexp=0&opdos=0&opec=0&opov=0&opcsrf=0&opgpriv=0&opsqli=0&opxss=0&opdirt=0&opmemc=0&ophttprs=0&opbyp=0&opfileinc=0&opginf=0&cvssscoremin=0&cvssscoremax=0&year=0&month=0&cweid=0&order=4&trc=10&sha=9e5eed6234039ebc435bb6dfadc628228ac11b37
>>>>
>>>> I hope that all the fixes have been backported to the current version because
>>>> that would be a different level of messed up.
>>> Yes, the packages in Debian and Ubuntu have either been patched, or the CVE
>>> didn't apply.
>>>
>>>> Secondly, XChat appears to be vulnerable to SSLv3 attacks.
>>> Both Debian and Ubuntu carry a patch to enable TLSv1.x support.
>>>
>>>> Why is the package still in the repos? Even then, why isn't there a huge
>>>> warning that the package is unmaintained and possibly vulnerable?
>>>>
>>> Because it is maintained, and it's not vulnerable.
>>>
>>> Marc.
>>>
>>>
>>
>> Is the code public? I can't seem to find any repo with code changes after 2013.
>>
> 
> It's being maintained in the source package as patch files.
> 
> Marc.
> 
> 
> 
> 




More information about the ubuntu-users mailing list