oss-security April 2010 archive

Re: [oss-security] Re: CVE request: irssi 0.8.15

From: Jamie Strandboge <jamie_at_nospam>
Date: Sat Apr 17 2010 - 21:37:59 GMT
To: Wouter Coekaerts <coekie@irssi.org>


I backported the following svn commits to 0.8.14 for the SSL issue:
  - Check if an SSL certificate matches the hostname of the server we are
    connecting to
  - Use one SSL_CTX per connection, use default trusted CAs if nothing
    specified. This allows useful use of -ssl_verify without
    -ssl_cafile/-ssl_capath, using OpenSSL's default trusted CAs.
  - Call OpenSSL_add_all_algorithms(), may be needed to verify SHA256
    certs with certain versions of OpenSSL.
  - network-openssl: Show why a certificate failed validation.
  - Do not use SSLv2 protocol. From Bazerka.

However, after rolling it out Steve Langasek discovered a bug when
connecting to an SSL irc proxy server[1]. His patch (attached) adjusts
it so when we have a proxy setting, expect the CN to match the proxy
hostname, not the server hostname.

[1] https://bugs.launchpad.net/ubuntu/+source/irssi/+bug/565182

-- Jamie Strandboge | http://www.canonical.com
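
The hostname selection described in the message above, as an added illustration; it is not Steve Langasek's patch or irssi code. All function names and host names are hypothetical, the CN is assumed to arrive as a NUL-terminated buffer plus the length recorded in the certificate, and the wildcard and embedded-NUL handling go beyond what the message covers.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Case-insensitive comparison of two ASCII DNS names. */
static int name_eq(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
    return *a == '\0' && *b == '\0';
}

/* Does the certificate CN (cn_len bytes as taken from the certificate)
 * cover host? "*.example.net" matches exactly one left-most label. */
int cn_matches_host(const char *cn, size_t cn_len, const char *host)
{
    if (cn == NULL || host == NULL || cn_len == 0 || *host == '\0')
        return 0;
    if (strlen(cn) != cn_len)   /* embedded NUL: never accept a truncated CN */
        return 0;
    if (cn[0] == '*' && cn[1] == '.') {
        const char *dot = strchr(host, '.');
        return dot != NULL && dot != host && name_eq(cn + 1, dot);
    }
    return name_eq(cn, host);
}

/* Assumption: a configured proxy terminates TLS, so its name is expected. */
const char *expected_peer_name(const char *server_host, const char *proxy_host)
{
    return (proxy_host != NULL && *proxy_host != '\0') ? proxy_host : server_host;
}

int peer_name_ok(const char *cn, size_t cn_len,
                 const char *server_host, const char *proxy_host)
{
    return cn_matches_host(cn, cn_len, expected_peer_name(server_host, proxy_host));
}

int main(void)
{
    /* Constructed sample: certificate issued to the proxy, not the IRC server. */
    const char *cn = "proxy.example.net";
    printf("no proxy set: %d\n", peer_name_ok(cn, strlen(cn), "irc.example.org", NULL));
    printf("proxy set:    %d\n", peer_name_ok(cn, strlen(cn), "irc.example.org", cn));
    return 0;
}
```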