Bug 688751 (CVE-2011-1428)

Summary: CVE-2011-1428 weechat: improper verification of X.509 certificates can lead to MITM attacks
Product: [Other] Security Response Reporter: Vincent Danen <vdanen>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED CURRENTRELEASE QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: i, rayvd
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2013-01-29 23:35:07 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 688752, 688753    
Bug Blocks:    

Description Vincent Danen 2011-03-17 22:05:54 UTC 
Common Vulnerabilities and Exposures assigned an identifier CVE-2011-1428 to
the following vulnerability:

Name: CVE-2011-1428
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1428
Assigned: 20110316
Reference: http://archives.neohapsis.com/archives/fulldisclosure/2011-02/0671.html
Reference: http://git.savannah.gnu.org/gitweb/?p=weechat.git;a=commit;h=c265cad1c95b84abfd4e8d861f25926ef13b5d91
Reference: http://savannah.nongnu.org/patch/index.php?7459
Reference: http://www.securityfocus.com/bid/46612
Reference: http://secunia.com/advisories/43543

Wee Enhanced Environment for Chat (aka WeeChat) 0.3.4 and earlier does
not properly verify that the server hostname matches the domain name
of the subject of an X.509 certificate, which allows man-in-the-middle
attackers to spoof an SSL chat server via an arbitrary certificate,
related to incorrect use of the GnuTLS API.
Comment 1 Vincent Danen 2011-03-17 22:07:22 UTC 
Created weechat tracking bugs for this issue

Affects: fedora-all [bug 688752]
Affects: epel-all [bug 688753]
Comment 2 Vincent Danen 2013-01-29 23:35:07 UTC 
Both Fedora and EPEL now have 0.3.9.2 or higher which contain the fix.