2.10.2 released

Posted - 25 Nov 2014

Yet another bug-fix release for 2.10.x has been released. The list of bugs fixed is not particuarly long or interesting so I’ll save those for the Changelog below but this release cycle does come with some much needed security improvements.

Historically XChat has not used ssl very securely; The last release of it used terrible defaults such as forcing SSLv3 (which is known insecure) and does not take any effort to verify the cert is for the correct address you connected to. With this HexChat release this has finally changed; Now only TLSv1.0+ are accepted and all hostnames are verified as well as a few other more secure options. The next release will hopefully take this a step further including features such as supporting certificate pinning.

Outside of HexChat itself the project has taken measures to ensure our releases are secure. Recently I moved dl.hexchat.net, which hosts all project related downloads, entirely over to https. Since 2.10.0 all source releases have been signed by my personal gpg key and the Windows installers are all now signed by tomek.

Related Posts