Your message dated Wed, 30 May 2012 17:57:25 +0300
with message-id <[email protected]>
and subject line Re: Bug#666944: [Secure-testing-team] Bug#666944: asterisk:
Buffer overflow vulnerability
has caused the Debian Bug report #666944,
regarding asterisk: Buffer overflow vulnerability
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
666944: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=666944
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: asterisk
Version: 1:1.6.2.9-2+squeeze4
Severity: grave
Tags: security squeeze
Justification: user security hole
Per:
http://downloads.asterisk.org/pub/security/AST-2012-002.txt
the asterisk in squeeze is vulnerable to a buffer overflow.
The package in testing may also be vulnerable to:
http://downloads.asterisk.org/pub/security/AST-2012-003.txt
-- System Information:
Debian Release: 6.0.4
APT prefers stable
APT policy: (990, 'stable')
Architecture: i386 (i686)
Kernel: Linux 2.6.32-5-686 (SMP w/4 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/bash
Versions of packages asterisk depends on:
ii adduser 3.112+nmu2 add and remove users and groups
ii asterisk-config 1:1.6.2.9-2+squeeze4 Configuration files for Asterisk
ii asterisk-sounds-ma 1:1.6.2.9-2+squeeze4 Core Sound files for Asterisk (Eng
ii dahdi 1:2.2.1.1-1 utilities for using the DAHDI kern
ii libasound2 1.0.23-2.1 shared library for ALSA applicatio
ii libc-client2007e 8:2007e~dfsg-3.1 c-client library for mail protocol
ii libc6 2.11.3-2 Embedded GNU C Library: Shared lib
ii libcap2 1:2.19-3 support for getting/setting POSIX.
ii libcurl3 7.21.0-2.1+squeeze2 Multi-protocol file transfer libra
ii libgcc1 1:4.4.5-8 GCC support library
ii libglib2.0-0 2.24.2-1 The GLib library of C routines
ii libgmime-2.0-2a 2.2.25-2 MIME library
ii libgsm1 1.0.13-3 Shared libraries for GSM speech co
ii libiksemel3 1.2-4 C library for the Jabber IM platfo
ii libjack0 [libjack- 1:0.118+svn3796-7 JACK Audio Connection Kit (librari
ii libldap-2.4-2 2.4.23-7.2 OpenLDAP libraries
ii liblua5.1-0 5.1.4-5 Simple, extensible, embeddable pro
ii libncurses5 5.7+20100313-5 shared libraries for terminal hand
ii libnewt0.52 0.52.11-1 Not Erik's Windowing Toolkit - tex
ii libogg0 1.2.0~dfsg-1 Ogg bitstream library
ii libopenais3 1.1.2-2 Standards-based cluster framework
ii libopenr2-3 1.3.0-2 MFC/R2 (telephony) call setup libr
ii libpopt0 1.16-1 lib for parsing cmdline parameters
ii libpq5 8.4.11-0squeeze1 PostgreSQL C client library
ii libpri1.4 1.4.11.3-1 Primary Rate ISDN specification li
ii libradiusclient-ng 0.5.6-1.1 Enhanced RADIUS client library
ii libresample1 0.1.3-3 real-time audio resampling library
ii libsdl1.2debian 1.2.14-6.1 Simple DirectMedia Layer
ii libsnmp15 5.4.3~dfsg-2 SNMP (Simple Network Management Pr
ii libspandsp2 0.0.6~pre12-1 Telephony signal processing librar
ii libspeex1 1.2~rc1-1 The Speex codec runtime library
ii libspeexdsp1 1.2~rc1-1 The Speex extended runtime library
ii libsqlite0 2.8.17-6 SQLite shared library
ii libss7-1 1.0.2-1 Signalling System 7 (ss7) library
ii libssl0.9.8 0.9.8o-4squeeze7 SSL shared libraries
ii libstdc++6 4.4.5-8 The GNU Standard C++ Library v3
ii libsybdb5 0.82-7 libraries for connecting to MS SQL
ii libtiff4 3.9.4-5+squeeze3 Tag Image File Format (TIFF) libra
ii libtonezone2.0 1:2.2.1.1-1 tonezone library (runtime)
ii libvorbis0a 1.3.1-1+squeeze1 The Vorbis General Audio Compressi
ii libvorbisenc2 1.3.1-1+squeeze1 The Vorbis General Audio Compressi
ii libvpb0 4.2.52-2 Voicetronix telephony hardware use
ii libx11-6 2:1.3.3-4 X11 client-side library
ii libxml2 2.7.8.dfsg-2+squeeze3 GNOME XML library
ii unixodbc 2.2.14p2-1 ODBC tools libraries
ii zlib1g 1:1.2.3.4.dfsg-3 compression library - runtime
Versions of packages asterisk recommends:
ii sox 14.3.1-1 Swiss army knife of sound processi
Versions of packages asterisk suggests:
pn asterisk-dev <none> (no description available)
ii asterisk-doc 1:1.6.2.9-2+squeeze4 Source code documentation for Aste
pn asterisk-h323 <none> (no description available)
-- Configuration Files:
/etc/default/asterisk changed [not included]
-- no debconf information
--- End Message ---
--- Begin Message ---
Version: 1:1.6.2.9-2+squeeze5
thanks
On Tue, Apr 03, 2012 at 02:55:52PM +0300, Tzafrir Cohen wrote:
> On Mon, Apr 02, 2012 at 10:50:07PM +0100, Jonathan Wiltshire wrote:
> > On Mon, Apr 02, 2012 at 01:38:40PM -0500, John Goerzen wrote:
> > > Package: asterisk
> > > Version: 1:1.6.2.9-2+squeeze4
> > > Severity: grave
> > > Tags: security squeeze
> > > Justification: user security hole
> > >
> > > Per:
> > >
> > > http://downloads.asterisk.org/pub/security/AST-2012-002.txt
> > >
> > > the asterisk in squeeze is vulnerable to a buffer overflow.
> >
> > Security team: the tracker says not-affected (Vulnerable code not present);
> > this seems not to be the case but the default configuration protects from
> > this vulnerability. I will take it on as a no-dsa if you wish.
> >
> > John: on that basis, do you agree the severity should be reduced (probably
> > to important)?
>
> The default configuration is not too big a consideration with the Asterisk
> dialplan. That said, the said dialplan application is also not commonly
> used.
>
> The Squeeze branch in the SVN includes the fix. As well as, ahem, the patch
> for #651552 which was accidentally left out of the previous upload. No
> idea how I failed to notice that.
>
> http://anonscm.debian.org/viewvc/pkg-voip/asterisk/branches/squeeze/
>
> >
> >
> > > The package in testing may also be vulnerable to:
> > >
> > > http://downloads.asterisk.org/pub/security/AST-2012-003.txt
> >
> > Currently it is. I have suggested to the release team that they age the
> > version in sid to get the fix into testing.
>
> Not applicable to Squeeze: the code in question is new to 1.8 (and not
> backported in any patch we carry).
I'm not sure why I missed it, but the patch for AST-2012-002 is included
in -squeeze5. Closing this bug (and updating the changelog).
--
Tzafrir Cohen
icq#16849755 jabber:[email protected]
+972-50-7952406 mailto:[email protected]
http://www.xorcom.com iax:[email protected]/tzafrir
--- End Message ---
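An added note for administrators reading this closure (it is not part of the bug thread, and the code is neither Asterisk's nor dpkg's): the "Version:" pseudo-header in the closing message marks 1:1.6.2.9-2+squeeze5 as the first squeeze package that carries the AST-2012-002 patch. A host is therefore still exposed if `dpkg-query -W -f='${Version}' asterisk` reports anything that sorts before that string under Debian's version ordering, which is not plain string or numeric comparison (epoch first, then upstream version, then Debian revision; within each, tilde sorts before everything including end of string, letters before non-letters, and digit runs numerically). The example below reimplements that ordering in Python, following the algorithm the Debian Policy Manual specifies for the Version field (the same one `dpkg --compare-versions` implements), and applies it to the fixed version quoted above. The sample installed versions fed to it are constructed for the demonstration.

```python
"""Debian version ordering, used here to decide whether an installed asterisk
package predates the version that closed Debian bug #666944.

Added example; this is not code from Asterisk, dpkg or the bug thread. The
comparison algorithm follows the one the Debian Policy Manual specifies for
the Version field (the same ordering dpkg --compare-versions implements).
"""

# First squeeze version carrying the AST-2012-002 fix, per the closing message.
FIXED_SQUEEZE_VERSION = "1:1.6.2.9-2+squeeze5"


def _order(c):
    """Sort weight of one character inside a non-digit run.

    End of string and digits weigh 0, tilde sorts before everything (-1),
    letters sort by code point, every other character sorts after letters.
    """
    if c == "" or c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1
    return ord(c) + 256


def _verrevcmp(a, b):
    """Compare two upstream-version or debian-revision strings (<0, 0, >0).

    Alternates between a run of non-digits (compared character by character
    via _order) and a run of digits (compared numerically, leading zeros
    ignored) until one side differs or both are exhausted.
    """
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # Non-digit run: stops when both sides sit on a digit or at the end.
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i] if i < len(a) else "")
            bc = _order(b[j] if j < len(b) else "")
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Digit run: the longer run (after stripping leading zeros) is larger;
        # for equal lengths the first differing digit decides.
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            if first_diff == 0:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():
            return 1
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff != 0:
            return first_diff
    return 0


def _split(version):
    """Split '[epoch:]upstream[-revision]' into (epoch, upstream, revision).

    A missing epoch is 0; a missing revision is the empty string, which the
    comparison treats the same as '0'.
    """
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    upstream, sep, revision = version.rpartition("-")
    if not sep:
        upstream, revision = version, ""
    return epoch, upstream, revision


def compare_versions(a, b):
    """Full Debian version comparison: epoch, then upstream, then revision."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return (ea > eb) - (ea < eb)
    r = _verrevcmp(ua, ub)
    if r != 0:
        return r
    return _verrevcmp(ra, rb)


def is_vulnerable(installed, fixed=FIXED_SQUEEZE_VERSION):
    """True if the installed version sorts strictly before the fixed one."""
    return compare_versions(installed, fixed) < 0


if __name__ == "__main__":
    # Constructed sample versions: the one from the original report, the fix,
    # and a later revision that naive string comparison would misjudge.
    for v in ("1:1.6.2.9-2+squeeze4", "1:1.6.2.9-2+squeeze5", "1:1.6.2.9-2+squeeze10"):
        print(v, "vulnerable" if is_vulnerable(v) else "fixed")
```

On a live squeeze host the argument to `is_vulnerable` would be the output of `dpkg-query -W -f='${Version}' asterisk`; the "+squeeze10" case in the demo is why the digit runs are compared numerically rather than lexically, and the tilde rule is what keeps a hypothetical "~rc" pre-release sorting before the release it precedes.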