|Summary:||Bitlbee 1.2.3 was released, update required|
|Product:||[Fedora] Fedora||Reporter:||Robert Scheck <redhat-bugzilla>|
|Component:||bitlbee||Assignee:||Robert Scheck <redhat-bugzilla>|
|Status:||CLOSED NEXTRELEASE||QA Contact:||Fedora Extras Quality Assurance <extras-qa>|
|Version:||rawhide||CC:||mcepl, mcepl, security-response-team|
|Fixed In Version:||1.2.3-1||Doc Type:||Bug Fix|
|Doc Text:||Story Points:||---|
|Last Closed:||2008-09-07 20:16:44 UTC||Type:||---|
|oVirt Team:||---||RHEL 7.3 requirements from Atomic Host:|
|Cloudforms Team:||---||Target Upstream Version:|
Description Robert Scheck 2008-09-07 19:54:40 UTC
Description of problem: Bitlbee 1.2.3 was released, see the following changelog: Version 1.2.3: - Fixed one more flaw similar to the previous hijacking bug, caused by incon- sistent handling of the USTATUS_IDENTIFIED state. All code touching these variables was reviewed and should be correct now. Finished 7 Sep 2008 Version-Release number of selected component (if applicable): bitlbee-1.2.2-1 Actual results: bitlbee-1.2.2-1 Expected results: bitlbee-1.2.3-1 ;-)
Comment 1 Robert Scheck 2008-09-07 20:00:20 UTC
Upstream writes on the main page in the news section: Unfortunately 1.2.2 did not fix all possible account hijacking loopholes. Another very similar flaw was found by Tero Marttila. In the migration to the user configuration storage abstraction layer, a few safeguards that prevent overwriting existing accounts disappeared. Over the week I went over all the related code to make sure that everything's done in a sane, safe and consistent way.
Comment 2 Robert Scheck 2008-09-07 20:16:44 UTC
Package: bitlbee-1.2.3-1.fc10 Tag: dist-f10 Status: complete Package: bitlbee-1.2.3-1.fc9 Tag: dist-f9-updates-candidate Status: complete Package: bitlbee-1.2.3-1.fc8 Tag: dist-f8-updates-candidate Status: complete 127 (bitlbee): Build on target fedora-5-epel succeeded. 128 (bitlbee): Build on target fedora-4-epel succeeded.
Comment 3 Fedora Update System 2008-09-07 20:17:45 UTC
bitlbee-1.2.3-1.fc8 has been submitted as an update for Fedora 8. http://admin.fedoraproject.org/updates/bitlbee-1.2.3-1.fc8
Comment 4 Fedora Update System 2008-09-07 20:17:49 UTC
bitlbee-1.2.3-1.fc9 has been submitted as an update for Fedora 9. http://admin.fedoraproject.org/updates/bitlbee-1.2.3-1.fc9
Comment 5 Tomas Hoger 2008-09-08 07:40:03 UTC
Few references: Upstream news page with announcement already quoted in comment #1: http://www.bitlbee.org/main.php/news.r.html Upstream changelog: http://www.bitlbee.org/main.php/changelog.html Upstream fix: http://bugs.bitlbee.org/bitlbee/changeset/devel%2C443
Comment 6 Robert Scheck 2008-09-08 11:07:28 UTC
To make Matej Cepl happy: The changeset mentioned in comment #5 is part of Bitlbee 1.2.3, so currently no open task/jobs etc.
Comment 7 Tomas Hoger 2008-09-09 18:33:05 UTC
CVE id CVE-2008-3969 was assigned to this additional fix in bitlbee 1.2.3.
Comment 8 Tomas Hoger 2008-09-11 06:27:43 UTC
CVE-2008-3969: Multiple unspecified vulnerabilities in BitlBee before 1.2.3 allow remote attackers to "overwrite" and "hijack" existing accounts via unknown vectors. NOTE: this issue exists because of an incomplete fix for CVE-2008-3920.
Comment 9 Fedora Update System 2008-09-11 16:54:24 UTC
bitlbee-1.2.3-1.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.
Comment 10 Fedora Update System 2008-09-11 16:59:22 UTC
bitlbee-1.2.3-1.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.