On Tue, Jan 25, 2011 at 09:28:40PM +0100, Moritz Mühlenhoff wrote:
> On Tue, Jan 18, 2011 at 11:36:01PM +0000, Tzafrir Cohen wrote:
> > Package: asterisk
> > Version: 1:1.6.2.9-2
> > Justification: user security hole
> > Severity: grave
> > Tags: security patch upstream
> >
> > *** Please type your report below this line ***
> > The Asterisk project has reported security advisory ASA-2011-011
> > http://downloads.asterisk.org/pub/security/AST-2011-001.html
> > (No CVE ATM)
> >
> > "When forming an outgoing SIP request while in pedantic mode, a stack
> > buffer can be made to overflow if supplied with carefully crafted caller
> > ID information."
> >
> > Caller ID information may be provided by remote users. The advisory details
> > potential workaround in the dialplan, but applying it varies greatly on
> > different configurations.
> >
> > Issue applies both to the Lenny and Squeeze packages. For patches:
> > http://svn.debian.org/viewsvn/pkg-voip?view=rev&revision=8708 (Squeeze)
> >
> > http://svn.debian.org/viewsvn/pkg-voip?view=rev&revision=8711 (Lenny)
>
> What's the status of a Squeeze upload? This should be uploaded with
> the minimal fix and urgency=high.

No reaction for two weeks? Does none of the VoIP maintainers use Debian?

Cheers,
Moritz