Bug 7139 - bitlbee update for compatibility with purple-hangouts CVE-2016-10188 CVE-2016-10189
Status: RESOLVED FIXED
Product: Desktop Bugs
Classification: ROSA Desktop
Component: Contributed Packages
Version: Fresh
Hardware: All Linux
Importance: Normal normal
Target Milestone: ---
Assigned To: ROSA Linux Bugs
QA Contact: ROSA Linux Bugs
URL: https://bitbucket.org/EionRobb/purple...
Whiteboard:
Depends on:
Blocks:
Reported: 2016-06-20 13:41 MSD by Zombie Ryushu
Modified: 2017-10-24 10:02 MSD

See Also:
RPM Package: bitlbee
ISO-related:
Bad POT generating:
Upstream:


Description Zombie Ryushu 2016-06-20 13:41:20 MSD
If you're using Bitlbee, you'll need to use at least version 3.4.2. Otherwise, you won't get the URL you need to log in. As a workaround for older versions of Bitlbee you can use the following URL: https://accounts.google.com/o/oauth2/auth?client_id=936475272427.apps.googleusercontent.com&scope=https://www.google.com/accounts/OAuthLogin&redirect_uri=urn:ietf:wg:oauth:2.0:oob&response_type=code
Comment 1 Zombie Ryushu 2017-05-16 11:54:41 MSD
Package        : bitlbee
CVE ID         : CVE-2016-10188 CVE-2016-10189

It was discovered that bitlbee, an IRC to other chat networks gateway,
contained issues that allowed a remote attacker to cause a denial of
service (via application crash), or potentially execute arbitrary
commands.

For the stable distribution (jessie), these problems have been fixed in
version 3.2.2-2+deb8u1.

For the upcoming stable (stretch) and unstable (sid) distributions,
these problems have been fixed in version 3.5-1.

We recommend that you upgrade your bitlbee packages.
Comment 2 Zombie Ryushu 2017-05-16 11:59:54 MSD
Several vulnerabilities were discovered in BIND, a DNS server
implementation. The Common Vulnerabilities and Exposures project
identifies the following problems:

CVE-2017-3136

    Oleg Gorokhov of Yandex discovered that BIND does not properly
    handle certain queries when using DNS64 with the "break-dnssec yes;"
    option, allowing a remote attacker to cause a denial-of-service.

CVE-2017-3137

    It was discovered that BIND makes incorrect assumptions about the
    ordering of records in the answer section of a response containing
    CNAME or DNAME resource records, leading to situations where BIND
    exits with an assertion failure. An attacker can take advantage of
    this condition to cause a denial-of-service.

CVE-2017-3138

    Mike Lalumiere of Dyn, Inc. discovered that BIND can exit with a
    REQUIRE assertion failure if it receives a null command string on
    its control channel. Note that the fix applied in Debian is only
    applied as a hardening measure. Details about the issue can be found
    at https://kb.isc.org/article/AA-01471 .
Comment 3 Zombie Ryushu 2017-07-01 19:41:09 MSD
It was discovered that bitlbee contained issues that allowed a remote
attacker to cause a denial of service (via application crash), or
potentially execute arbitrary commands (CVE-2016-10188, CVE-2016-10189).

https://advisories.mageia.org/MGASA-2017-0200.html
Comment 4 Zombie Ryushu 2017-07-31 16:24:45 MSD
bitlbee should update to 3.5.1
Comment 5 Zombie Ryushu 2017-10-24 10:02:29 MSD
Done.