git: a88bc4897143 - main - security/vuxml: Weechat vulnerability

From: Bernard Spil <brnrd_at_FreeBSD.org>
Date: Wed, 16 Mar 2022 20:00:02 UTC
The branch main has been updated by brnrd:

URL: https://cgit.FreeBSD.org/ports/commit/?id=a88bc4897143a3fe1222aad6d0b52c8cf6169e04

commit a88bc4897143a3fe1222aad6d0b52c8cf6169e04
Author:     Bernard Spil <brnrd@FreeBSD.org>
AuthorDate: 2022-03-16 19:59:58 +0000
Commit:     Bernard Spil <brnrd@FreeBSD.org>
CommitDate: 2022-03-16 19:59:58 +0000

    security/vuxml: Weechat vulnerability
---
 security/vuxml/vuln-2022.xml | 31 +++++++++++++++++++++++++++++++
 1 file changed, 31 insertions(+)

diff --git a/security/vuxml/vuln-2022.xml b/security/vuxml/vuln-2022.xml
index 05542bcc0cf1..2706d418e42c 100644
--- a/security/vuxml/vuln-2022.xml
+++ b/security/vuxml/vuln-2022.xml
@@ -1,3 +1,34 @@
+  <vuln vid="3ba1ca94-a563-11ec-8be6-d4c9ef517024">
+    <topic>Weechat -- Possible man-in-the-middle attack in TLS connection to servers</topic>
+    <affects>
+      <package>
+	<name>weechat</name>
+	<range><lt>3.4.1</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">
+	<p>The Weechat project reports:</p>
+	<blockquote cite="https://weechat.org/doc/security/WSA-2022-1/">
+	  <p>After changing the options weechat.network.gnutls_ca_system or
+	    weechat.network.gnutls_ca_user, the TLS verification function is lost.
+	    Consequently, any connection to a server with TLS is made without
+	    verifying the certificate, which could lead to a man-in-the-middle
+	    attack. Connection to IRC servers with TLS is affected, as well as any
+	    connection a server made by a plugin or a script using the function
+	    hook_connect.</p>
+	</blockquote>
+      </body>
+    </description>
+    <references>
+      <url>https://weechat.org/doc/security/WSA-2022-1/</url>
+    </references>
+    <dates>
+      <discovery>2022-03-13</discovery>
+      <entry>2022-03-16</entry>
+    </dates>
+  </vuln>
+
   <vuln vid="ea05c456-a4fd-11ec-90de-1c697aa5a594">
     <topic>OpenSSL -- Infinite loop in BN_mod_sqrt parsing certificates</topic>
     <affects>
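Review bot: The `<range>` on the weechat package gives only an upper bound (`<lt>3.4.1</lt>`), so every release ever published is flagged as affected; if the upstream advisory names a first affected version for the lost TLS verification, bound the range on both sides, e.g. `<range><ge>FIRST_AFFECTED</ge><lt>3.4.1</lt></range>` with the placeholder replaced by that version. The `<references>` block carries only the WSA URL; if a CVE has been assigned to this issue, a `<cvename>` child alongside the `<url>` is what downstream tooling keys on. The quoted paragraph reads "any connection a server made by a plugin", which appears to be missing a word ("connection to a server"); if that is a transcription slip rather than the advisory's wording it is worth correcting before the entry is published.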