On Thu, Feb 09, 2017 at 11:38:29AM -0300, dequis wrote:
> Package: bitlbee
> Version: 3.4.2-1.1
> Severity: grave
> Tags: upstream security patch fixed-upstream
> 
> Hi,
> 
> I'm opening this bug since #853282, which was just fixed by the
> 3.5.1-1 upload, seems to apply to sid only.
> 
> CVE-2016-10188 is "bitlbee-libpurple: Use after free when expiring
> file transfer requests"
> 
> https://security-tracker.debian.org/tracker/CVE-2016-10188
> 
> CVE-2016-10189 is "Null pointer dereference with file transfer request
> from unknown contacts"
> 
> https://security-tracker.debian.org/tracker/CVE-2016-10189
> 
> The current version in sid would fix both of these issues for stretch,
> but it's blocked due to the freeze. I would like to request an unblock
> for that particular case, if possible.

These CVEs are now fixed in wheezy (by Thorsten) and stretch since
February, but people upgrading from wheezy to jessie are losing
the fixes since they aren't fixed there.

They are not marked "no DSA" in
  https://security-tracker.debian.org/tracker/source-package/bitlbee

Does the security team plan to release a DSA?

Or should/could someone (Thorsten?) upload these fixes for the next 
jessie point release?

> Thanks.

Thanks
Adrian

-- 

       "Is there not promise of rain?" Ling Tan asked suddenly out
        of the darkness. There had been need of rain for many days.
       "Only a promise," Lao Er said.
                                       Pearl S. Buck - Dragon Seed
