Description of problem:
Bitlbee 1.2.3 was released, see the following changelog:
- Fixed one more flaw similar to the previous hijacking bug, caused by incon-
sistent handling of the USTATUS_IDENTIFIED state. All code touching these
variables was reviewed and should be correct now.
Finished 7 Sep 2008
Version-Release number of selected component (if applicable):
Upstream writes on the main page in the news section:
Unfortunately 1.2.2 did not fix all possible account hijacking loopholes.
Another very similar flaw was found by Tero Marttila. In the migration to
the user configuration storage abstraction layer, a few safeguards that
prevent overwriting existing accounts disappeared. Over the week I went
over all the related code to make sure that everything's done in a sane,
safe and consistent way.
Package: bitlbee-1.2.3-1.fc10 Tag: dist-f10 Status: complete
Package: bitlbee-1.2.3-1.fc9 Tag: dist-f9-updates-candidate Status: complete
Package: bitlbee-1.2.3-1.fc8 Tag: dist-f8-updates-candidate Status: complete
127 (bitlbee): Build on target fedora-5-epel succeeded.
128 (bitlbee): Build on target fedora-4-epel succeeded.
bitlbee-1.2.3-1.fc8 has been submitted as an update for Fedora 8.
bitlbee-1.2.3-1.fc9 has been submitted as an update for Fedora 9.
Upstream news page with announcement already quoted in comment #1:
To make Matej Cepl happy: The changeset mentioned in comment #5 is part of
Bitlbee 1.2.3, so currently no open task/jobs etc.
CVE id CVE-2008-3969 was assigned to this additional fix in bitlbee 1.2.3.
Multiple unspecified vulnerabilities in BitlBee before 1.2.3 allow
remote attackers to "overwrite" and "hijack" existing accounts via
unknown vectors. NOTE: this issue exists because of an incomplete fix
bitlbee-1.2.3-1.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.
bitlbee-1.2.3-1.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.