Your message dated Mon, 19 Mar 2018 12:50:52 -0300
with message-id
<cabaa10q++xrnbwowrnjyjvgkrnuqj-hcgo6jliftxc2qeuc...@mail.gmail.com>
and subject line Re: Bug#854688
has caused the Debian Bug report #854688,
regarding bitlbee: The versions in stable/testing are vulnerable to
CVE-2016-10189 and CVE-2016-10188
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
854688: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=854688
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: bitlbee
Version: 3.4.2-1.1
Severity: grave
Tags: upstream security patch fixed-upstream
Hi,
I'm opening this bug since #853282, which was just fixed by the
3.5.1-1 upload, seems to apply to sid only.
CVE-2016-10188 is "bitlbee-libpurple: Use after free when expiring
file transfer requests"
https://security-tracker.debian.org/tracker/CVE-2016-10188
CVE-2016-10189 is "Null pointer dereference with file transfer request
from unknown contacts"
https://security-tracker.debian.org/tracker/CVE-2016-10189
The current version in sid would fix both of these issues for stretch,
but it's blocked due to the freeze. I would like to request an unblock
for that particular case, if possible.
Thanks.
--- End Message ---
--- Begin Message ---
Version: 3.2.2-2+deb8u1
3.2.2-2+deb8u1 was uploaded to oldstable on 2017-06-07 and
stable/testing have the latest upstream release, this is done.
--- End Message ---
