CVE-2011-1428

NameCVE-2011-1428
DescriptionWee Enhanced Environment for Chat (aka WeeChat) 0.3.4 and earlier does not properly verify that the server hostname matches the domain name of the subject of an X.509 certificate, which allows man-in-the-middle attackers to spoof an SSL chat server via an arbitrary certificate, related to incorrect use of the GnuTLS API.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDSA-2598-1

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
weechat (PTS)jessie, jessie (lts)1.0.1-1+deb8u4fixed
stretch (security), stretch (lts), stretch1.6-1+deb9u3fixed
buster2.3-1+deb10u1fixed
bullseye3.0-1+deb11u1fixed
bookworm3.8-1fixed
sid, trixie4.4.3-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
weechatsourcesqueeze0.3.2-1+squeeze1DSA-2598-1
weechatsource(unstable)0.3.5-1

Search for package or bug name: Reporting problems