Bug ID: 1197083
Summary: VUL-0: weechat: Possible man-in-the-middle attack in TLS connection to servers
Classification: openSUSE
Product: openSUSE Tumbleweed
Version: Current
Hardware: Other
OS: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Other
Assignee: mimi.vx@gmail.com
Reporter: gianluca.gabrielli@suse.com
QA Contact: qa-bugs@suse.de
CC: security-team@suse.de
Found By: ---
Blocker: ---

Description
After changing the options weechat.network.gnutls_ca_system or
weechat.network.gnutls_ca_user, the TLS verification function is lost.
Consequently, any connection to a server with TLS is made without verifying the
certificate, which could lead to a man-in-the-middle attack.
Connection to IRC servers with TLS is affected, as well as any connection to a
server made by a plugin or a script using the function hook_connect.

Mitigation
After changing options weechat.network.gnutls_ca_system or
weechat.network.gnutls_ca_user, you must restart WeeChat. 

References:
https://weechat.org/doc/security/WSA-2022-1/
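
A minimal C model of the failure described above, added here as an illustration and not taken from WeeChat or the advisory: it assumes the verification function is a callback attached to a credentials object that is rebuilt when a CA option changes. All names (`creds`, `reload_ca`, `handshake`, `rogue_accepted_after_reload`) and the sample CA strings are hypothetical.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical model; none of these names are WeeChat or GnuTLS code. */
typedef int (*verify_fn)(const char *issuer, const char *trusted_ca);

struct creds {
    const char *ca;    /* trusted CA name (constructed sample value) */
    verify_fn verify;  /* certificate check run during the handshake */
};

/* Return 0 when the peer's issuer is the trusted CA, -1 otherwise. */
static int verify_peer(const char *issuer, const char *trusted_ca)
{
    return strcmp(issuer, trusted_ca) == 0 ? 0 : -1;
}

/* Assumed failure mode: changing a CA option rebuilds the credentials
 * and the callback is not attached again (calloc leaves it NULL). */
static struct creds *reload_ca(struct creds *old, const char *ca, int fixed)
{
    struct creds *c = calloc(1, sizeof(*c));
    free(old);
    if (c) {
        c->ca = ca;
        if (fixed)
            c->verify = verify_peer;  /* corrected reload re-attaches it */
    }
    return c;
}

/* Handshake model: with no callback, the peer is accepted unchecked. */
static int handshake(const struct creds *c, const char *peer_issuer)
{
    return c->verify ? c->verify(peer_issuer, c->ca) : 0;
}

/* Return 1 if a peer with an untrusted issuer is accepted after a reload. */
int rogue_accepted_after_reload(int fixed)
{
    struct creds *c = reload_ca(NULL, "ca-a", 1);  /* startup: callback set */
    int accepted;
    if (!c || handshake(c, "rogue-ca") == 0) {
        free(c);
        return -1;                                 /* setup failed */
    }
    c = reload_ca(c, "ca-b", fixed);               /* option changed at runtime */
    if (!c)
        return -1;
    accepted = (handshake(c, "rogue-ca") == 0);
    free(c);
    return accepted;
}
```

In this model a restart corresponds to the startup path, where the callback is set together with the credentials, which is why the mitigation above restores verification.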

