Main Vulnerability Database SB2011031702

SB2011031702 - Input validation error in WeeChat

Published: March 17, 2011 Updated: August 11, 2020

Security Bulletin ID SB2011031702

Severity

Medium

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Data manipulation

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 security vulnerability.

1) Input validation error (CVE-ID: CVE-2011-1428)

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

Wee Enhanced Environment for Chat (aka WeeChat) 0.3.4 and earlier does not properly verify that the server hostname matches the domain name of the subject of an X.509 certificate, which allows man-in-the-middle attackers to spoof an SSL chat server via an arbitrary certificate, related to incorrect use of the GnuTLS API.

Remediation

Install update from vendor's website.

References

http://archives.neohapsis.com/archives/fulldisclosure/2011-02/0671.html
http://git.savannah.gnu.org/gitweb/?p=weechat.git;a=commit;h=c265cad1c95b84abfd4e8d861f25926ef13b5d91
http://savannah.nongnu.org/patch/index.php?7459
http://secunia.com/advisories/43543
http://www.securityfocus.com/bid/46612