Bug 460355 (CVE-2008-3920)

Summary: Bitlbee 1.2.2 was released, update required
Product: Fedora
Reporter: Robert Scheck <redhat-bugzilla>
Component: bitlbee
Assignee: Robert Scheck <redhat-bugzilla>
Status: CLOSED NEXTRELEASE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: medium
Version: rawhide
CC: mcepl
Hardware: All
OS: Linux
URL: http://bugs.bitlbee.org/bitlbee/timeline?daysback=90&changeset=on
Fixed In Version: 1.2.2-1
Doc Type: Bug Fix
Last Closed: 2008-08-27 20:55:30 UTC

Description Robert Scheck 2008-08-27 18:26:13 UTC
Description of problem:
Bitlbee 1.2.2 was released, see the following changelog:

Version 1.2.2:
- Security bugfix: It was possible to hijack accounts (without gaining access
  to the old account, it's simply an overwrite)
- Some more stability improvements.
- Fixed bug where people with non-lowercase nicks couldn't drop their account.
- Easier upgrades of non-forking daemon mode servers (using the DEAF
  command).
- Can be cross-compiled for Win32 now! (No support for SSL yet though, which
  makes it less useful for now.)
- Exponential backoff on auto-reconnect.
- Changing passwords gives less confusing feedback ("password is empty") now.

Finished 26 Aug 2008

Version-Release number of selected component (if applicable):
bitlbee-1.2.1-1

Actual results:
bitlbee-1.2.1-1

Expected results:
bitlbee-1.2.2-1 ;-)

Additional info:
I know there's a security fix inside, but I'm unable to identify that one.

Comment 1 Robert Scheck 2008-08-27 20:55:30 UTC
Package: bitlbee-1.2.2-1.fc10 Tag: dist-f10 Status: complete
Package: bitlbee-1.2.2-1.fc9 Tag: dist-f9-updates-candidate Status: complete
Package: bitlbee-1.2.2-1.fc8 Tag: dist-f8-updates-candidate Status: complete

Build Result: 40 - bitlbee on fedora-5-epel
Build Result: 41 - bitlbee on fedora-4-epel

Comment 2 Fedora Update System 2008-08-27 20:59:41 UTC
bitlbee-1.2.2-1.fc8 has been submitted as an update for Fedora 8.
http://admin.fedoraproject.org/updates/bitlbee-1.2.2-1.fc8

Comment 3 Fedora Update System 2008-08-27 20:59:50 UTC
bitlbee-1.2.2-1.fc9 has been submitted as an update for Fedora 9.
http://admin.fedoraproject.org/updates/bitlbee-1.2.2-1.fc9

Comment 4 Fedora Update System 2008-09-05 12:21:09 UTC
bitlbee-1.2.2-1.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.

Comment 5 Tomas Hoger 2008-09-05 15:11:33 UTC
The security fix in bitlbee 1.2.2 addressing the account hijack issue was assigned CVE id CVE-2008-3920:

Unspecified vulnerability in BitlBee before 1.2.2 allows remote
attackers to "recreate" and "hijack" existing accounts via unspecified
vectors.

Comment 6 Fedora Update System 2008-09-10 06:43:59 UTC
bitlbee-1.2.2-1.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.

Comment 7 Fedora Update System 2008-09-10 07:02:32 UTC
bitlbee-1.2.2-1.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.