Description of problem:
Bitlbee 1.2.2 was released, see the following changelog:

Version 1.2.2:
- Security bugfix: It was possible to hijack accounts (without gaining access to the old account, it's simply an overwrite)
- Some more stability improvements.
- Fixed bug where people with non-lowercase nicks couldn't drop their account.
- Easier upgrades of non-forking daemon mode servers (using the DEAF command).
- Can be cross-compiled for Win32 now! (No support for SSL yet though, which makes it less useful for now.)
- Exponential backoff on auto-reconnect.
- Changing passwords gives less confusing feedback ("password is empty") now.
Finished 26 Aug 2008

Version-Release number of selected component (if applicable):
bitlbee-1.2.1-1

Actual results:
bitlbee-1.2.1-1

Expected results:
bitlbee-1.2.2-1 ;-)

Additional info:
I know, there's a security fix inside, but I'm unable to identify that one.
Package: bitlbee-1.2.2-1.fc10
Tag: dist-f10
Status: complete

Package: bitlbee-1.2.2-1.fc9
Tag: dist-f9-updates-candidate
Status: complete

Package: bitlbee-1.2.2-1.fc8
Tag: dist-f8-updates-candidate
Status: complete

Build Result: 40 - bitlbee on fedora-5-epel
Build Result: 41 - bitlbee on fedora-4-epel
bitlbee-1.2.2-1.fc8 has been submitted as an update for Fedora 8. http://admin.fedoraproject.org/updates/bitlbee-1.2.2-1.fc8
bitlbee-1.2.2-1.fc9 has been submitted as an update for Fedora 9. http://admin.fedoraproject.org/updates/bitlbee-1.2.2-1.fc9
bitlbee-1.2.2-1.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.
Security fix in bitlbee 1.2.2 addressing account hijack issue was assigned CVE id CVE-2008-3920: Unspecified vulnerability in BitlBee before 1.2.2 allows remote attackers to "recreate" and "hijack" existing accounts via unspecified vectors.
bitlbee-1.2.2-1.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.