Description of problem: Bitlbee 1.2.3 was released, see the following changelog: Version 1.2.3: - Fixed one more flaw similar to the previous hijacking bug, caused by incon- sistent handling of the USTATUS_IDENTIFIED state. All code touching these variables was reviewed and should be correct now. Finished 7 Sep 2008 Version-Release number of selected component (if applicable): bitlbee-1.2.2-1 Actual results: bitlbee-1.2.2-1 Expected results: bitlbee-1.2.3-1 ;-)
Upstream writes on the main page in the news section: Unfortunately 1.2.2 did not fix all possible account hijacking loopholes. Another very similar flaw was found by Tero Marttila. In the migration to the user configuration storage abstraction layer, a few safeguards that prevent overwriting existing accounts disappeared. Over the week I went over all the related code to make sure that everything's done in a sane, safe and consistent way.
Package: bitlbee-1.2.3-1.fc10 Tag: dist-f10 Status: complete Package: bitlbee-1.2.3-1.fc9 Tag: dist-f9-updates-candidate Status: complete Package: bitlbee-1.2.3-1.fc8 Tag: dist-f8-updates-candidate Status: complete 127 (bitlbee): Build on target fedora-5-epel succeeded. 128 (bitlbee): Build on target fedora-4-epel succeeded.
bitlbee-1.2.3-1.fc8 has been submitted as an update for Fedora 8. http://admin.fedoraproject.org/updates/bitlbee-1.2.3-1.fc8
bitlbee-1.2.3-1.fc9 has been submitted as an update for Fedora 9. http://admin.fedoraproject.org/updates/bitlbee-1.2.3-1.fc9
Few references: Upstream news page with announcement already quoted in comment #1: http://www.bitlbee.org/main.php/news.r.html Upstream changelog: http://www.bitlbee.org/main.php/changelog.html Upstream fix: http://bugs.bitlbee.org/bitlbee/changeset/devel%2C443
To make Matej Cepl happy: The changeset mentioned in comment #5 is part of Bitlbee 1.2.3, so currently no open task/jobs etc.
CVE id CVE-2008-3969 was assigned to this additional fix in bitlbee 1.2.3.
CVE-2008-3969: Multiple unspecified vulnerabilities in BitlBee before 1.2.3 allow remote attackers to "overwrite" and "hijack" existing accounts via unknown vectors. NOTE: this issue exists because of an incomplete fix for CVE-2008-3920.
bitlbee-1.2.3-1.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.
bitlbee-1.2.3-1.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.