Description of problem:
Bitlbee 1.2.2 was released, see the following changelog:
- Security bugfix: It was possible to hijack accounts (without gaining access to the old account, it's simply an overwrite)
- Some more stability improvements.
- Fixed bug where people with non-lowercase nicks couldn't drop their account.
- Easier upgrades of non-forking daemon mode servers (using the DEAF
- Can be cross-compiled for Win32 now! (No support for SSL yet though, which makes it less useful for now.)
- Exponential backoff on auto-reconnect.
- Changing passwords gives less confusing feedback ("password is empty") now.
Finished 26 Aug 2008
Version-Release number of selected component (if applicable):
I know there's a security fix inside, but I'm unable to identify that one.
Package: bitlbee-1.2.2-1.fc10 Tag: dist-f10 Status: complete
Package: bitlbee-1.2.2-1.fc9 Tag: dist-f9-updates-candidate Status: complete
Package: bitlbee-1.2.2-1.fc8 Tag: dist-f8-updates-candidate Status: complete
Build Result: 40 - bitlbee on fedora-5-epel
Build Result: 41 - bitlbee on fedora-4-epel
bitlbee-1.2.2-1.fc8 has been submitted as an update for Fedora 8.
bitlbee-1.2.2-1.fc9 has been submitted as an update for Fedora 9.
bitlbee-1.2.2-1.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.
The security fix in bitlbee 1.2.2 addressing the account hijack issue was assigned CVE id CVE-2008-3920:
Unspecified vulnerability in BitlBee before 1.2.2 allows remote attackers to "recreate" and "hijack" existing accounts via unspecified
bitlbee-1.2.2-1.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.