Debian Security Advisory

DLA-832-1 bitlbee -- LTS security update

Date Reported:
23 Feb 2017
Affected Packages:
bitlbee
Vulnerable:
Yes
Security database references:
In Mitre's CVE dictionary: CVE-2016-10188, CVE-2016-10189, CVE-2017-5668.
More information:
  • CVE-2017-5668

    Fix for incomplete fix for Null pointer dereference with file transfer request from unknown contacts. (Though this package wasn't in Wheezy with this issue, I mention it here. The fix was done with the second patch for CVE-2016-10189)

  • CVE-2016-10189

    Null pointer dereference with file transfer request from unknown contacts.

  • CVE-2016-10188

    deactivate any incoming file transfer for bitlbee This affects any libpurple protocol when used through BitlBee. It does not affect other libpurple-based clients such as pidgin.

For Debian 6 Squeeze, these issues have been fixed in bitlbee version 3.0.5-1.2+deb7u1