Bernhard Schmidt wrote: > The Debian Security team thinks that this bug does not warrant an > immediate security update. I tend to agree, since the circumstances of > this to be exploitable are very special. > > Do you agree? We will likely still fix it in Jessie in a point release, > and we will definitely fix this in time for Stretch (Asterisk 13.13.x > had a few issues here, thus Stretch has not been upgraded to fixed > version yet).
Sounds reasonable to me, especially if it's eventually fixed in a point release. I trust your (and Salvatore's) judgment. I don't use an SIP proxy for authentication, though, so I don't really have a stake in the matter. Thanks for merging the bugs. Dara

