CVE-2013-4550

NameCVE-2013-4550
DescriptionBip before 0.8.9, when running as a daemon, writes SSL handshake errors to an unexpected file descriptor that was previously associated with stderr before stderr has been closed, which allows remote attackers to write to other sockets and have an unspecified impact via a failed SSL handshake, a different vulnerability than CVE-2011-5268. NOTE: some sources originally mapped this CVE to two different types of issues; this CVE has since been SPLIT, producing CVE-2011-5268.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
bip (PTS)jessie0.8.9-1fixed
stretch0.8.9-1.1fixed
buster0.9.0~rc3-1fixed
bullseye0.9.0~rc4-1fixed
bookworm0.9.3-1fixed
sid, trixie0.9.3-1.1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
bipsource(unstable)0.8.9-1low

Notes

[wheezy] - bip <no-dsa> (Minor issue)
[squeeze] - bip <no-dsa> (Minor issue)
Upstream commit: https://projects.duckcorp.org/projects/bip/repository/revisions/df45c4c2d6f892e3e1dec23ce0ed2575b53a7d8c
https://projects.duckcorp.org/issues/261
Difference between CVE-2011-5268 and CVE-2013-4550: https://www.openwall.com/lists/oss-security/2014/01/02/9
Search for package or bug name: Reporting problems