On Thu, May 11, 2017 at 05:20:55PM +0300, Adrian Bunk wrote:
> On Thu, Feb 09, 2017 at 11:38:29AM -0300, dequis wrote:
> > Package: bitlbee
> > Version: 3.4.2-1.1
> > Severity: grave
> > Tags: upstream security patch fixed-upstream
> >
> > Hi,
> >
> > I'm opening this bug since #853282, which was just fixed by the
> > 3.5.1-1 upload, seems to apply to sid only.
> >
> > CVE-2016-10188 is "bitlbee-libpurple: Use after free when expiring
> > file transfer requests"
> >
> > https://security-tracker.debian.org/tracker/CVE-2016-10188
> >
> > CVE-2016-10189 is "Null pointer dereference with file transfer request
> > from unknown contacts"
> >
> > https://security-tracker.debian.org/tracker/CVE-2016-10189
> >
> > The current version in sid would fix both of these issues for stretch,
> > but it's blocked due to the freeze. I would like to request an unblock
> > for that particular case, if possible.
>
> These CVEs are now fixed in wheezy (by Thorsten) and stretch since
> February, but people upgrading from wheezy to jessie are losing
> the fixes since they aren't fixed there.
>
> They are not marked "no DSA" in
> https://security-tracker.debian.org/tracker/source-package/bitlbee
>
> Does the security team plan to release a DSA?
>
> Or should/could someone (Thorsten?) upload these fixes for the next
> jessie point release?
No, this can be fixed via security.debian.org if someone prepares a tested update.

Cheers,
Moritz