Package: bitlbee
Version: 3.4.2-1.1
Severity: grave
Tags: upstream security patch fixed-upstream

Hi,

I'm opening this bug since #853282, which was just fixed by the 3.5.1-1 upload, seems to apply to sid only.

CVE-2016-10188 is "bitlbee-libpurple: Use after free when expiring file transfer requests"
https://security-tracker.debian.org/tracker/CVE-2016-10188

CVE-2016-10189 is "Null pointer dereference with file transfer request from unknown contacts"
https://security-tracker.debian.org/tracker/CVE-2016-10189

The current version in sid would fix both of these issues for stretch, but it's blocked due to the freeze. I would like to request an unblock for that particular case, if possible.

Thanks.