A flaw in the XChat's Socks-5 proxy code could allow arbitrary code execution. To exploit this flaw an attacker would need to create a malicious socks-5 proxy that the victim connects to.

This issue was public on Mon, 5 Apr 2004

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2004-0409 links to http://mail.nl.linux.org/xchat-announce/2004-04/msg00000.html for more information.

"XChat's Socks-5 proxy code is vulnerable to a remote exploit. To successfully exploit the code, you would need to enable socks5 traversal (default off) and connect to the attacker's own custom proxy server.

"If you never intend to use a Socks5 proxy, you are not affected at all by this issue."

CAN-2004-0409 Affects: FC1
CAN-2004-0409 Affects: FC2
[Bulk move of FC2 bugs to Fedora Legacy. See <http://www.redhat.com/archives/fedora-announce-list/2005-April/msg00020.html>.]
Fixed already for earlier releases by Fedora Legacy (bug #152706), but now needed for FC2.
Here are updated xchat packages to QA for fc2:

Changelog:
* Mon May 02 2005 Marc Deslauriers <marcdeslauriers> 1:2.0.7-5.1.legacy
- Added patch to fix CAN-2004-0409

ea64d6097654b5886a5c0f311fef0dbe0d91127d xchat-2.0.7-5.1.legacy.i386.rpm
351b752a112f932899f29fec2af03646983c0fd5 xchat-2.0.7-5.1.legacy.src.rpm

http://www.infostrategique.com/linuxrpms/legacy/2/xchat-2.0.7-5.1.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/2/xchat-2.0.7-5.1.legacy.src.rpm
QA for xchat-2.0.7-5.1.legacy.src.rpm for FC2:

* only change to spec file is the addition of the one patch to fix this issue.
* verified that this patch is the same as that in the previous FL update for RHL. (With adjusted line numbers.) the 1.0.3 and 1.0.4 sylpheed versions
* package builds and installs fine
* seems to run fine

+PUBLISH FC2
Packages were pushed to updates-testing
Let's track both FC1 and FC2 under the same bug number.

*** This bug has been marked as a duplicate of 159566 ***