CVEs have been assigned for security issues fixed upstream in bitlbee: http://openwall.com/lists/oss-security/2017/01/31/11 It appears that the first two were fixed in 3.5 and the third in 3.5.1. Commits that fixed the issues are linked in the message above. Mageia 5 may also be affected.
Whiteboard: (none) => MGA5TOO
Fedora has issued an advisory for this on February 9: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/F6WMMR2YOQQVD7ER7LSJXTDS27Q2NS34/
URL: (none) => https://lwn.net/Vulnerabilities/714126/
We have bitlbee 3.5.1 in Cauldron, so this is only relevant for Mageia 5 (possibly).
Whiteboard: MGA5TOO => (none)
Source RPM: bitlbee-3.4.1-3.mga6.src.rpm => bitlbee-3.2.2-4.mga5.src.rpm
Version: Cauldron => 5
At least the first two CVEs are relevant, as Debian updated it too: https://www.debian.org/security/2017/dsa-3853
Fixed now for mga5 by adding three patches from Debian.
CC: (none) => geiger.david68210
Thanks David!

Advisory:
========================

Updated bitlbee package fixes security vulnerabilities:

It was discovered that bitlbee contained issues that allowed a remote attacker to cause a denial of service (via application crash), or potentially execute arbitrary commands (CVE-2016-10188, CVE-2016-10189).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10188
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10189
https://www.debian.org/security/2017/dsa-3853
========================

Updated packages in core/updates_testing:
========================
bitlbee-3.2.2-4.1.mga5

from bitlbee-3.2.2-4.1.mga5.src.rpm
Assignee: mageia => qa-bugs
Whiteboard: (none) => advisory
CC: (none) => davidwhodgins
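The advisory above names the fixed package as bitlbee-3.2.2-4.1.mga5, and the earlier comments note that the fix was backported for Mageia 5 while the newer 3.4.1 in Cauldron was still vulnerable upstream. The following Python is an added example, not code from this bug or from Mageia's tooling: it decides whether an installed package (as printed by `rpm -q bitlbee`) is at or past the advisory's version-release, using a simplified form of rpm's rpmvercmp segment comparison, and refuses to compare across distribution releases because a higher upstream version in another release says nothing about the backport. The list of architecture suffixes and the sample package strings are assumptions constructed for the example.

```python
import re

# Fixed package named in the advisory on this page (Mageia 5 update).
FIXED_NVR = "bitlbee-3.2.2-4.1.mga5"

# Architecture suffixes as urpmi lists them; assumed set for this example.
_ARCHES = ("x86_64", "i586", "i686", "noarch")

_SEGMENT = re.compile(r"[0-9]+|[A-Za-z]+")


def rpmvercmp(a: str, b: str) -> int:
    """Compare two version or release strings the way rpm's rpmvercmp does,
    in simplified form (the tilde and caret rules are omitted): split each
    string into runs of digits and runs of letters, compare digit runs
    numerically and letter runs lexically, and treat a digit run as newer
    than a letter run at the same position. Returns -1, 0 or 1."""
    if a == b:
        return 0
    seg_a, seg_b = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(seg_a, seg_b):
        x_num, y_num = x.isdigit(), y.isdigit()
        if x_num and y_num:
            if int(x) != int(y):
                return -1 if int(x) < int(y) else 1
        elif x_num != y_num:
            return 1 if x_num else -1
        elif x != y:
            return -1 if x < y else 1
    # All shared segments compare equal: the string with segments left over is newer.
    if len(seg_a) == len(seg_b):
        return 0
    return -1 if len(seg_a) < len(seg_b) else 1


def parse_nvr(pkg: str):
    """Split 'name-version-release[.arch]' into (name, version, release, disttag).
    The name may itself contain dashes, so version and release are taken from
    the right; the dist tag (e.g. 'mga5') is the last dotted part of the release."""
    for arch in _ARCHES:
        if pkg.endswith("." + arch):
            pkg = pkg[: -len(arch) - 1]
            break
    name, version, release = pkg.rsplit("-", 2)
    disttag = release.rsplit(".", 1)[-1]
    return name, version, release, disttag


def is_fixed(installed: str, fixed: str = FIXED_NVR) -> bool:
    """True when the installed package is at or past the advisory's version-release.

    The comparison is only meaningful within one distribution release: the fix
    was backported into 3.2.2-4.1.mga5, while a newer upstream version carried
    by another release (3.4.1 in Cauldron) was still vulnerable, so a different
    dist tag raises instead of answering."""
    n1, v1, r1, d1 = parse_nvr(installed)
    n2, v2, r2, d2 = parse_nvr(fixed)
    if n1 != n2:
        raise ValueError(f"package name mismatch: {n1!r} vs {n2!r}")
    if d1 != d2:
        raise ValueError(
            f"dist tag mismatch: {d1!r} vs {d2!r}; compare against that release's own advisory"
        )
    result = rpmvercmp(v1, v2)
    if result == 0:
        result = rpmvercmp(r1, r2)
    return result >= 0


if __name__ == "__main__":
    # Constructed sample of `rpm -q bitlbee` output on a patched and an unpatched Mageia 5 host.
    for pkg in ("bitlbee-3.2.2-4.1.mga5.x86_64", "bitlbee-3.2.2-4.mga5.i586"):
        print(pkg, "fixed" if is_fixed(pkg) else "VULNERABLE")
```

The dist-tag guard is the part worth keeping in any real check: the same CVE pair is fixed in 3.2.2-4.1.mga5 and in upstream 3.5.x, but not in 3.4.1-3.mga6, so a bare "version is higher" test against the Mageia 5 advisory would misreport the Cauldron package.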
Info: there are no previous updates for this package.

bitlbee is a proxy which accepts connections from any irc-client and allows you to communicate using the following instant messaging protocols:
- ICQ
- AIM
- MSN
- YIM
- Jabber (including Google Talk and Facebook)
- Twitter

/usr/share/bitlbee/help.txt
/usr/share/doc/bitlbee/user-guide/*
seem to have plenty of documentation.
CC: (none) => lewyssmith
MGA5-32 on Asus A6000 VM Xfce

No installation issues.

At CLI as root after installation:

# systemctl status bitlbee
● bitlbee.service - BitlBee IRC/IM gateway
   Loaded: loaded (/usr/lib/systemd/system/bitlbee.service; enabled)
   Active: inactive (dead)
# systemctl start bitlbee
# systemctl status bitlbee
● bitlbee.service - BitlBee IRC/IM gateway
   Loaded: loaded (/usr/lib/systemd/system/bitlbee.service; enabled)
   Active: active (running) since wo 2017-06-21 14:09:18 CEST; 3s ago
 Main PID: 1939 (bitlbee)
   CGroup: /system.slice/bitlbee.service
           └─1939 /usr/sbin/bitlbee -F -n

I have a jabber account and configured gajim to use bitlbee as proxy, but I run into problems: message "Running out of hosts for name <jabber server> error for last IP: invalid proxy reply"

When catching the feedback from gajim I get things like:

21-06-17 14:44:51 (E) nbxmpp.proxy_connectors: Invalid proxy reply: :localhost NOTICE AUTH :BitlBee-IRCd initialized, please go on
21-06-17 14:44:51 (D) nbxmpp.client_nb: While looping over DNS A records: Invalid proxy reply
21-06-17 14:44:51 (I) nbxmpp.client_nb: Disconnecting NBClient: Run out of hosts for name jabber.hot-chilli.net:5222. Error for last IP: Invalid proxy reply
21-06-17 14:44:51 (I) nbxmpp.plugin: Plugging <nbxmpp.transports_nb.NonBlockingTCP instance at 0xafb2e3ac> __OUT__ of <nbxmpp.client_nb.NonBlockingClient instance at 0xafe224ac>.
21-06-17 14:44:51 (D) nbxmpp.client_nb: Client disconnected..

The doc mentioned above makes me think I need to register my jabber account in bitlbee, do I understand that correctly?????
CC: (none) => herman.viaene
32-bit

Installed bitlbee and restarted system. Able to connect via hexchat and do configuration. The server is responding, but not much for integrating it with my google stuff. But the server is responding and working. Seems to be working as designed.

Brian
CC: (none) => brtians1
I was able to get it connected to gtalk and use it. This is working as designed. I'm giving this a clean bill of health.

Brian
Whiteboard: advisory => advisory mga5-32-ok
$ uname -a
Linux localhost 4.4.74-desktop-1.mga5 #1 SMP Mon Jun 26 07:50:58 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux

The following 3 packages are going to be installed:
- bitlbee-3.2.2-4.1.mga5.x86_64
- lib64farstream0.1_0-0.1.2-9.mga5.x86_64
- lib64purple0-2.12.0-1.mga5.x86_64
2.6MB of additional disk space will be used.
763KB of packages will be retrieved.
Is it ok to continue?

I followed the steps in https://wiki.bitlbee.org/HowtoGtalk and was able to connect and converse in Gtalk.
Whiteboard: advisory mga5-32-ok => advisory mga5-32-ok mga5-64-ok
Brian: congrats on testing this unpopular update - twice! Many thanks. Validating it.
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2017-0200.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED