security/vuxml: Weechat vulnerability

freebsd · Mar 16, 2022 · a88bc48 · a88bc48
1 parent 3277bda
commit a88bc48
Showing 1 changed file with 31 additions and 0 deletions.
diff --git a/security/vuxml/vuln-2022.xml b/security/vuxml/vuln-2022.xml
@@ -1,3 +1,34 @@
+  <vuln vid="3ba1ca94-a563-11ec-8be6-d4c9ef517024">
+    <topic>Weechat -- Possible man-in-the-middle attack in TLS connection to servers</topic>
+    <affects>
+      <package>
+	<name>weechat</name>
+	<range><lt>3.4.1</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">
+	<p>The Weechat project reports:</p>
+	<blockquote cite="https://weechat.org/doc/security/WSA-2022-1/">
+	  <p>After changing the options weechat.network.gnutls_ca_system or
+	    weechat.network.gnutls_ca_user, the TLS verification function is lost.
+	    Consequently, any connection to a server with TLS is made without
+	    verifying the certificate, which could lead to a man-in-the-middle
+	    attack. Connection to IRC servers with TLS is affected, as well as any
+	    connection a server made by a plugin or a script using the function
+	    hook_connect.</p>
+	</blockquote>
+      </body>
+    </description>
+    <references>
+      <url>https://weechat.org/doc/security/WSA-2022-1/</url>
+    </references>
+    <dates>
+      <discovery>2022-03-13</discovery>
+      <entry>2022-03-16</entry>
+    </dates>
+  </vuln>
+
   <vuln vid="ea05c456-a4fd-11ec-90de-1c697aa5a594">
     <topic>OpenSSL -- Infinite loop in BN_mod_sqrt parsing certificates</topic>
     <affects>