Bug 461424 - (CVE-2008-3969) Bitlbee 1.2.3 was released, update required
Status: CLOSED NEXTRELEASE
Product: Fedora
Classification: Fedora
Component: bitlbee
Version: rawhide
Hardware: All Linux
Priority: medium
Severity: medium
Assigned To: Robert Scheck
QA Contact: Fedora Extras Quality Assurance
URL: http://bugs.bitlbee.org/bitlbee/timel...
Reported: 2008-09-07 15:54 EDT by Robert Scheck
Modified: 2008-09-11 12:59 EDT
Fixed In Version: 1.2.3-1
Doc Type: Bug Fix
Last Closed: 2008-09-07 16:16:44 EDT
Description Robert Scheck 2008-09-07 15:54:40 EDT
Description of problem:
Bitlbee 1.2.3 was released, see the following changelog:

Version 1.2.3:
- Fixed one more flaw similar to the previous hijacking bug, caused by
  inconsistent handling of the USTATUS_IDENTIFIED state. All code touching
  these variables was reviewed and should be correct now.

Finished 7 Sep 2008

Version-Release number of selected component (if applicable):
bitlbee-1.2.2-1

Actual results:
bitlbee-1.2.2-1

Expected results:
bitlbee-1.2.3-1 ;-)
Comment 1 Robert Scheck 2008-09-07 16:00:20 EDT
Upstream writes on the main page in the news section:

Unfortunately 1.2.2 did not fix all possible account hijacking loopholes. 
Another very similar flaw was found by Tero Marttila. In the migration to
the user configuration storage abstraction layer, a few safeguards that
prevent overwriting existing accounts disappeared. Over the week I went
over all the related code to make sure that everything's done in a sane,
safe and consistent way.
Comment 2 Robert Scheck 2008-09-07 16:16:44 EDT
Package: bitlbee-1.2.3-1.fc10 Tag: dist-f10 Status: complete
Package: bitlbee-1.2.3-1.fc9 Tag: dist-f9-updates-candidate Status: complete
Package: bitlbee-1.2.3-1.fc8 Tag: dist-f8-updates-candidate Status: complete

127 (bitlbee): Build on target fedora-5-epel succeeded.
128 (bitlbee): Build on target fedora-4-epel succeeded.
Comment 3 Fedora Update System 2008-09-07 16:17:45 EDT
bitlbee-1.2.3-1.fc8 has been submitted as an update for Fedora 8.
http://admin.fedoraproject.org/updates/bitlbee-1.2.3-1.fc8
Comment 4 Fedora Update System 2008-09-07 16:17:49 EDT
bitlbee-1.2.3-1.fc9 has been submitted as an update for Fedora 9.
http://admin.fedoraproject.org/updates/bitlbee-1.2.3-1.fc9
Comment 5 Tomas Hoger 2008-09-08 03:40:03 EDT
A few references:

Upstream news page with announcement already quoted in comment #1:
  http://www.bitlbee.org/main.php/news.r.html

Upstream changelog:
  http://www.bitlbee.org/main.php/changelog.html

Upstream fix:
  http://bugs.bitlbee.org/bitlbee/changeset/devel%2C443
Comment 6 Robert Scheck 2008-09-08 07:07:28 EDT
To make Matej Cepl happy: The changeset mentioned in comment #5 is part of 
Bitlbee 1.2.3, so currently no open task/jobs etc.
Comment 7 Tomas Hoger 2008-09-09 14:33:05 EDT
CVE id CVE-2008-3969 was assigned to this additional fix in bitlbee 1.2.3.
Comment 8 Tomas Hoger 2008-09-11 02:27:43 EDT
CVE-2008-3969:

Multiple unspecified vulnerabilities in BitlBee before 1.2.3 allow
remote attackers to "overwrite" and "hijack" existing accounts via
unknown vectors.  NOTE: this issue exists because of an incomplete fix
for CVE-2008-3920.
Comment 9 Fedora Update System 2008-09-11 12:54:24 EDT
bitlbee-1.2.3-1.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 10 Fedora Update System 2008-09-11 12:59:22 EDT
bitlbee-1.2.3-1.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.
