ROSA Linux Bugzilla – Bug 7139
bitlbee update for compatibility with purple-hangouts CVE-2016-10188 CVE-2016-10189
Last modified: 2017-10-24 10:02:29 MSD
If you're using Bitlbee, you'll need to use at least version 3.4.2. Otherwise, you won't get the URL you need to log in. As a workaround for older versions of Bitlbee, you can use the following URL: https://accounts.google.com/o/oauth2/auth?client_id=936475272427.apps.googleusercontent.com&scope=https://www.google.com/accounts/OAuthLogin&redirect_uri=urn:ietf:wg:oauth:2.0:oob&response_type=code
Package : bitlbee
CVE ID : CVE-2016-10188 CVE-2016-10189
It was discovered that bitlbee, an IRC to other chat networks gateway,
contained issues that allowed a remote attacker to cause a denial of
service (via application crash), or potentially execute arbitrary
For the stable distribution (jessie), these problems have been fixed in
For the upcoming stable (stretch) and unstable (sid) distributions,
these problems have been fixed in version 3.5-1.
We recommend that you upgrade your bitlbee packages.
Several vulnerabilities were discovered in BIND, a DNS server
implementation. The Common Vulnerabilities and Exposures project
identifies the following problems:
Oleg Gorokhov of Yandex discovered that BIND does not properly
handle certain queries when using DNS64 with the "break-dnssec yes;"
option, allowing a remote attacker to cause a denial-of-service.
It was discovered that BIND makes incorrect assumptions about the
ordering of records in the answer section of a response containing
CNAME or DNAME resource records, leading to situations where BIND
exits with an assertion failure. An attacker can take advantage of
this condition to cause a denial-of-service.
Mike Lalumiere of Dyn, Inc. discovered that BIND can exit with a
REQUIRE assertion failure if it receives a null command string on
its control channel. Note that the fix applied in Debian is only
applied as a hardening measure. Details about the issue can be found
at https://kb.isc.org/article/AA-01471 .
It was discovered that bitlbee contained issues that allowed a remote
attacker to cause a denial of service (via application crash), or
potentially execute arbitrary commands (CVE-2016-10188, CVE-2016-10189).
bitlbee should update to 3.5.1