Bug 460355 (CVE-2008-3920) - Bitlbee 1.2.2 was released, update required
Summary: Bitlbee 1.2.2 was released, update required
Keywords:
Status: CLOSED NEXTRELEASE
Alias: CVE-2008-3920
Product: Fedora
Classification: Fedora
Component: bitlbee
Version: rawhide
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Robert Scheck
QA Contact: Fedora Extras Quality Assurance
URL: http://bugs.bitlbee.org/bitlbee/timel...
Whiteboard:
Depends On:
Blocks:
Reported: 2008-08-27 18:26 UTC by Robert Scheck
Modified: 2018-04-11 08:28 UTC
CC: 2 users

Fixed In Version: 1.2.2-1
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2008-08-27 20:55:30 UTC
Type: ---
Embargoed:



Description Robert Scheck 2008-08-27 18:26:13 UTC
Description of problem:
Bitlbee 1.2.2 was released, see the following changelog:

Version 1.2.2:
- Security bugfix: It was possible to hijack accounts (without gaining access
  to the old account, it's simply an overwrite)
- Some more stability improvements.
- Fixed bug where people with non-lowercase nicks couldn't drop their account.
- Easier upgrades of non-forking daemon mode servers (using the DEAF
  command).
- Can be cross-compiled for Win32 now! (No support for SSL yet though, which
  makes it less useful for now.)
- Exponential backoff on auto-reconnect.
- Changing passwords gives less confusing feedback ("password is empty") now.

Finished 26 Aug 2008

Version-Release number of selected component (if applicable):
bitlbee-1.2.1-1

Actual results:
bitlbee-1.2.1-1

Expected results:
bitlbee-1.2.2-1 ;-)

Additional info:
I know, there's a security fix inside, but I'm unable to identify that one.

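The only actionable information the report gives a packager or a vulnerability scanner is the version boundary: anything older than bitlbee 1.2.2-1 is affected, anything at or above it is not. The snippet below is an added example, not code from this bug or from the BitlBee or Fedora projects; it reimplements RPM's version-comparison rules (rpmvercmp segment semantics, then epoch/version/release ordering) in plain Python so the check runs without librpm, and applies them to constructed `rpm -qa`-style lines. The host names and package list are made up for the example; the fixed-in string `1.2.2-1` is the one from the bug header.

```python
import re


def rpmvercmp(a, b):
    """Compare two version (or release) strings using the rpmvercmp() rules from librpm:
    digit runs compare numerically, letter runs compare as strings, a digit run is newer
    than a letter run, separators are ignored, '~' sorts before everything (even end of
    string), and when all segments match the longer string wins. Returns -1, 0 or 1."""
    if a == b:
        return 0
    i = j = 0
    while True:
        # Skip separator characters (anything that is not alphanumeric or '~').
        while i < len(a) and not (a[i].isalnum() or a[i] == "~"):
            i += 1
        while j < len(b) and not (b[j].isalnum() or b[j] == "~"):
            j += 1
        # Tilde: the side that has it is older (1.2.2~rc1 < 1.2.2).
        ta = i < len(a) and a[i] == "~"
        tb = j < len(b) and b[j] == "~"
        if ta or tb:
            if not ta:
                return 1
            if not tb:
                return -1
            i += 1
            j += 1
            continue
        if i >= len(a) or j >= len(b):
            break
        # Take the next segment of one kind (all digits or all letters) from both sides.
        pattern = r"\d+" if a[i].isdigit() else r"[A-Za-z]+"
        numeric = a[i].isdigit()
        ma = re.match(pattern, a[i:])
        mb = re.match(pattern, b[j:])
        if mb is None:
            # Segment kinds differ: the numeric segment counts as newer.
            return 1 if numeric else -1
        sa, sb = ma.group(0), mb.group(0)
        i += len(sa)
        j += len(sb)
        if numeric:
            sa, sb = sa.lstrip("0"), sb.lstrip("0")
            if len(sa) != len(sb):
                return 1 if len(sa) > len(sb) else -1
        if sa != sb:
            return 1 if sa > sb else -1
    # All segments equal: whichever string still has characters left is newer.
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1


def parse_evr(evr):
    """Split '[epoch:]version[-release]' into (epoch, version, release); epoch defaults to '0'."""
    epoch = "0"
    if ":" in evr:
        epoch, evr = evr.split(":", 1)
    version, _, release = evr.partition("-")
    return epoch, version, release


def evrcmp(a, b):
    """Order two EVR strings: epoch first, then version, then release."""
    for x, y in zip(parse_evr(a), parse_evr(b)):
        r = rpmvercmp(x, y)
        if r:
            return r
    return 0


def affected(installed_nvr, fixed_evr="1.2.2-1", name="bitlbee"):
    """True when installed_nvr is the named package at an EVR below the fixed-in EVR.
    The name is split off with rsplit so package names containing '-' still parse."""
    pkg, version, release = installed_nvr.rsplit("-", 2)
    if pkg != name:
        return False
    return evrcmp(f"{version}-{release}", fixed_evr) < 0


def triage(rpm_qa_lines):
    """Return the affected package NVRs from rpm -qa style output (one NVR per line)."""
    return [line.strip() for line in rpm_qa_lines.splitlines()
            if line.strip() and affected(line.strip())]


# Constructed sample: what `rpm -qa` might print on two hosts, one patched, one not.
SAMPLE_RPM_QA = """\
bitlbee-1.2.1-1.fc9
glib2-2.16.5-1.fc9
bitlbee-1.2.2-1.fc8
"""

if __name__ == "__main__":
    for nvr in triage(SAMPLE_RPM_QA):
        print(f"{nvr}: affected by CVE-2008-3920, update to >= bitlbee-1.2.2-1")
```

Two details matter for this bug in particular: the bodhi builds carry a dist tag (`1.fc9`, `1.fc8`) while the Fixed In Version field does not, and under rpmvercmp a release of `1.fc9` compares as newer than `1`, so those builds are correctly reported as not affected; and the comparison must be done on version and release separately, since a naive string comparison would get `1.10` against `1.9` wrong.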
Comment 1 Robert Scheck 2008-08-27 20:55:30 UTC
Package: bitlbee-1.2.2-1.fc10 Tag: dist-f10 Status: complete
Package: bitlbee-1.2.2-1.fc9 Tag: dist-f9-updates-candidate Status: complete
Package: bitlbee-1.2.2-1.fc8 Tag: dist-f8-updates-candidate Status: complete

Build Result: 40 - bitlbee on fedora-5-epel
Build Result: 41 - bitlbee on fedora-4-epel

Comment 2 Fedora Update System 2008-08-27 20:59:41 UTC
bitlbee-1.2.2-1.fc8 has been submitted as an update for Fedora 8.
http://admin.fedoraproject.org/updates/bitlbee-1.2.2-1.fc8

Comment 3 Fedora Update System 2008-08-27 20:59:50 UTC
bitlbee-1.2.2-1.fc9 has been submitted as an update for Fedora 9.
http://admin.fedoraproject.org/updates/bitlbee-1.2.2-1.fc9

Comment 4 Fedora Update System 2008-09-05 12:21:09 UTC
bitlbee-1.2.2-1.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 5 Tomas Hoger 2008-09-05 15:11:33 UTC
Security fix in bitlbee 1.2.2 addressing account hijack issue was assigned CVE id CVE-2008-3920:

Unspecified vulnerability in BitlBee before 1.2.2 allows remote
attackers to "recreate" and "hijack" existing accounts via unspecified
vectors.

Comment 6 Fedora Update System 2008-09-10 06:43:59 UTC
bitlbee-1.2.2-1.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 7 Fedora Update System 2008-09-10 07:02:32 UTC
bitlbee-1.2.2-1.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.

