Debian alert DLA-832-1 (bitlbee)
| From: | Thorsten Alteholz <debian@alteholz.de> | |
| To: | debian-lts-announce@lists.debian.org | |
| Subject: | [SECURITY] [DLA 832-1] bitlbee security update | |
| Date: | Mon, 20 Feb 2017 22:11:42 +0100 (CET) | |
| Message-ID: | <alpine.DEB.2.02.1702202207350.22449@jupiter.server.alteholz.net> |
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Package : bitlbee Version : 3.0.5-1.2+deb7u1 CVE ID : CVE-2016-10188 CVE-2016-10189 CVE-2017-5668 CVE-2017-5668 Fix for incomplete fix for "Null pointer dereference with file transfer request from unknown contacts". (Though this package wasn't in Wheezy with this issue, I mention it here. The fix was done with the second patch for CVE-2016-10189) CVE-2016-10189 Null pointer dereference with file transfer request from unknown contacts. CVE-2016-10188 deactivate any incoming file transfer for bitlbee This affects any libpurple protocol when used through BitlBee. It does not affect other libpurple-based clients such as pidgin. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) iQJ8BAEBCgBmBQJYq1uOXxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXQ2MjAxRkJGRkRCQkRFMDc4MjJFQUJCOTY5 NkZDQUMwRDM4N0I1ODQ3AAoJEJb8rA04e1hHDjUQAIUb/mkr6UBsXGpvX63UBy3n 7rA4QOkxhtwEAWBhWSNyaZtlLl1q0FzQfZqaLQaHtrcU15s3WE+yAN7RTZEPf8X+ 0bSfHlni4lMUQ/1jN1hrWPNJAOXfPNg+m1FF8oEPgnU1UbYVSpms4Rx+xsrkW7JL gNX8zRj0XmnxvBYxNS+O5qt3wLaZsok1GlZeDAFlrurpTuWBBItejgJSpWwHGZ5h Nm5gUZHMwJhH1T489RpAj+/Cvyzix3D5RWnUlC4iLZxGucYjjkMaCaV6LsPwSMsM 72YM3zmrmGtCCjBxTWk4RLrP5p8pUsTnWJn7F1luxcwYdYy61tqHoBt/QibNj51z zJj5NL6FNQgnxWgoTN/C6HJjTs7TEIbDlJJ+2c6xH4CdmELuSIWs5FoTKEtwavAM q3W5+GO4ecTTE2A1rjtNqonuCbP0F0USc4kcJ8MAsjhkaUf0J1BYAQONDAZWT3SC L6jf5V9EPGu2t5Tcklt8I6QMCn3BMU+kkVxccL/jbtIWPoUZEQ0gt72JRTRlI71c FqoRCnqRPfhqvGwaK53Do26vrCfs0Ovm5+r0XrM7GMzXEwmhNP4QUJeSuwiTXdly kC6yp33lSv4XQmchf53NeAbLzmYKQk0tC18m5JBXSN/GxU4zepZpaUguCD9EdNqK 96AEUfXSGNGPr4dK4Ais =Djjm -----END PGP SIGNATURE-----