Bug#1071575: dahdi-dkms: module fails to build for Linux 6.8.9: error: implicit declaration of function 'strlcpy'
Hi,

On Mon, May 27, 2024 at 10:26:45AM +0200, Diederik de Haas via Pkg-voip-maintainers wrote:
> Control: tag -1 upstream fixed-upstream patch

Thanks for that. Just one note regarding the word "upstream". The current upstream of the package is the osmo fork. At the time of uploading the previous version, that fork was looking more reliable than the main branch. This bug and its fix finally prove that the main Sangoma repo is the one to follow.

Note to self: remove version.patch.

-- 
mail / xmpp / matrix: tzaf...@cohens.org.il
Bug#1042747: dahdi-dkms: dkms.conf still lists removed pciradio.ko
Hi,

Thanks. Those modules were removed. I noticed that and fixed it locally (also added two extra modules, zaphfc and icE1usb).

Trying to figure out the cause for the other error:
https://ci.debian.net/data/autopkgtest/testing/amd64/d/dahdi-linux/36220583/log.gz

177s   MODPOST /usr/src/modules/dahdi/drivers/dahdi/Module.symvers
178s ERROR: modpost: "unregister_hdlc_device" [/usr/src/modules/dahdi/drivers/dahdi/dahdi.ko] undefined!
178s ERROR: modpost: "ppp_unregister_channel" [/usr/src/modules/dahdi/drivers/dahdi/dahdi.ko] undefined!
178s ERROR: modpost: "ppp_unit_number" [/usr/src/modules/dahdi/drivers/dahdi/dahdi.ko] undefined!
178s ERROR: modpost: "alloc_hdlcdev" [/usr/src/modules/dahdi/drivers/dahdi/dahdi.ko] undefined!
178s ERROR: modpost: "ppp_channel_index" [/usr/src/modules/dahdi/drivers/dahdi/dahdi.ko] undefined!
178s ERROR: modpost: "ppp_register_channel" [/usr/src/modules/dahdi/drivers/dahdi/dahdi.ko] undefined!
178s ERROR: modpost: "hdlc_close" [/usr/src/modules/dahdi/drivers/dahdi/dahdi.ko] undefined!
178s ERROR: modpost: "hdlc_start_xmit" [/usr/src/modules/dahdi/drivers/dahdi/dahdi.ko] undefined!
178s ERROR: modpost: "ppp_input" [/usr/src/modules/dahdi/drivers/dahdi/dahdi.ko] undefined!
178s ERROR: modpost: "ppp_input_error" [/usr/src/modules/dahdi/drivers/dahdi/dahdi.ko] undefined!
178s WARNING: modpost: suppressed 3 unresolved symbol warnings because there were too many)
178s make[4]: *** [/usr/src/linux-headers-6.4.0-1-common/scripts/Makefile.modpost:136: /usr/src/modules/dahdi/drivers/dahdi/Module.symvers] Error 1
178s make[3]: *** [/usr/src/linux-headers-6.4.0-1-common/Makefile:2003: modpost] Error 2

> While updating d/dkms.conf.in, you can probably drop CONFIG_PCI from
> BUILD_EXCLUSIVE_CONFIG (and update the comment)

CONFIG_PCI is a pre-condition to just about any DAHDI card there except the USB devices (see drivers/dahdi/Kbuild). Will update comment.

> and switch from BUILD_EXCLUSIVE_KERNEL=...(regex)... to the more readable
> BUILD_EXCLUSIVE_KERNEL_MIN="5.6" (supported since dkms in trixie).

I want to make the job for backporters easy, so I'll avoid this feature for now.

-- Tzafrir

-- 
mail / xmpp / matrix: tzaf...@cohens.org.il
Bug#1012316: dahdi-dkms: fails to build modules for Linux 5.17
There are tons of warnings. The actual error is:

On Fri, Jun 03, 2022 at 10:23:00PM +0200, Andreas Beckmann wrote:
> /var/lib/dkms/dahdi/2.11.1.0.20170917~dfsg-7.5/build/drivers/dahdi/xpp/xbus-core.c: In function 'xbus_read_proc_open':
> /var/lib/dkms/dahdi/2.11.1.0.20170917~dfsg-7.5/build/drivers/dahdi/xpp/xbus-core.c:1841:50: error: implicit declaration of function 'PDE_DATA'; did you mean 'NODE_DATA'? [-Werror=implicit-function-declaration]
>  1841 |         return single_open(file, xbus_proc_show, PDE_DATA(inode));
>       |                                                  ^~~~
>       |                                                  NODE_DATA

That is also used in several other places in the code. Need to use pde_data() in 5.17.

I wrote a patch, and then noticed that the build also fails with 5.18:

  CC [M]  /home/tzafrirc/Proj/Salsa/pkg-voip/dahdi-linux/dahdi-linux/drivers/dahdi/wctdm.o
/home/tzafrirc/Proj/Salsa/pkg-voip/dahdi-linux/dahdi-linux/drivers/dahdi/wctdm.c: In function ‘wctdm_init_one’:
/home/tzafrirc/Proj/Salsa/pkg-voip/dahdi-linux/dahdi-linux/drivers/dahdi/wctdm.c:2657:21: error: implicit declaration of function ‘pci_alloc_consistent’ [-Werror=implicit-function-declaration]
 2657 |         wc->writechunk = pci_alloc_consistent(pdev, DAHDI_MAX_CHUNKSIZE * 2 * 2 * 2 * 4, &wc->writedma);
      |                          ^~~~
/home/tzafrirc/Proj/Salsa/pkg-voip/dahdi-linux/dahdi-linux/drivers/dahdi/wctdm.c:2657:19: warning: assignment to ‘volatile unsigned int *’ from ‘int’ makes pointer from integer without a cast [-Wint-conversion]
 2657 |         wc->writechunk = pci_alloc_consistent(pdev, DAHDI_MAX_CHUNKSIZE * 2 * 2 * 2 * 4, &wc->writedma);
      |                        ^
/home/tzafrirc/Proj/Salsa/pkg-voip/dahdi-linux/dahdi-linux/drivers/dahdi/wctdm.c:2677:5: error: implicit declaration of function ‘pci_free_consistent’ [-Werror=implicit-function-declaration]
 2677 |     pci_free_consistent(pdev, DAHDI_MAX_CHUNKSIZE * 2 * 2 * 2 * 4, (void *)wc->writechunk, wc->writedma);
      |     ^~~
cc1: some warnings being treated as errors

BTW: as of two days ago or so, the official git repository and potentially maybe also the bug tracker for dahdi-linux and dahdi-tools are in Github:

https://github.com/asterisk/dahdi-linux
https://github.com/asterisk/dahdi-tools

I'm not completely sure what this means about requirements for CLA.

-- 
mail / xmpp / matrix: tzaf...@cohens.org.il
Bug#1008818: why is this rpm's fault?
On Mon, Apr 18, 2022 at 06:32:07PM +0200, Thomas Lange wrote:
> > On Mon, 18 Apr 2022 16:16:18 +0300, Peter Pentchev said:
> >
> > If you run sudo without the "set_home" option, thus making it preserve
> > the HOME environment variable, rpm run as root with HOME set to
> > /home/something will indeed do the wrong thing.
>
> I have no set_home entry in /etc/sudoers and everything in
> /etc/sudo.conf is commented out.
>
> Here's a test:
>
> As normal user
> $ export HOME=/tmp/b
> $ sudo rpm -qa
>
> This still creates /root/.rpmdb
> and not
> /tmp/b/.rpmdb

$ HOME=/tmp/b sudo rpm -q rpm; ls -a /tmp/b
package rpm is not installed
ls: cannot access '/tmp/b': No such file or directory
$ HOME=/tmp/b sudo -E rpm -q rpm; ls -a /tmp/b
package rpm is not installed
.  ..  .rpmdb

-- 
mail / xmpp / matrix: tzaf...@cohens.org.il
Bug#1005715: dahdi-linux: autopkgtest suggests breakage due to new linux kernel
See patch in https://issues.asterisk.org/jira/browse/DAHLIN-397

-- 
mail / xmpp / matrix: tzaf...@cohens.org.il
Bug#982389: dahdi-dkms: installer package must be in contrib
This script is part of the separate non-free dahdi-firmware package. It should not be part of DAHDI-linux and can be removed if it is. If dahdi-dkms is not co-installable with dahdi-firmware, it is probably a bug.

-- Tzafrir
Bug#969072: dahdi-tools FTBFS on armel/mipsel/hppa/powerpc: pre-grohtml: fatal error: cannot create temporary file: File exists
Hi,

On abel in an armel chroot the issue is reproduced by running man -Thtml even on an empty man page. Right now you can try:

$ schroot -r -c session:tzafrir-dahdi-tools -- man -Thtml ~tzafrir/test.8 >/dev/null
pre-grohtml: fatal error: cannot create temporary file: File exists
man: command exited with status 1: /usr/lib/man-db/zsoelim | /usr/lib/man-db/manconv -f UTF-8:ISO-8859-1 -t UTF-8//IGNORE | preconv -e UTF-8 | tbl | groff -mandoc -Thtml

Not reproduced in an armhf chroot there or in a qemu armel chroot on my laptop.

-- Tzafrir
Bug#957470: FTBFS Bugs in Debian revdeps dahdi-tools and libpri
On 19/08/2020 12:31, Bernhard Schmidt wrote:
> Hi Tzafrir,
>
> could you have a look at Bug#957117 and #957470? They are causing Asterisk to be removed from testing.

Uploaded a fix for dahdi-tools.

As for libpri: this is basically using index from data[0] that is the end of the header. My "fix" is to silence those checks (see patches). There hopefully seems to be some upstream work, but I'm not sure how long it would take.

-- Tzafrir

~/Proj/Salsa/pkg-voip/libpri/libpri/libpri-gerrit ~/Proj/Salsa/hpc/perftest/perftest ~/Proj/Salsa/pkg-voip/libpri/libpri/libpri-gerrit
diff --git a/Makefile b/Makefile index 077b8bf..825a6fe 100644 --- a/Makefile +++ b/Makefile @@ -70,6 +70,7 @@ CFLAGS ?= -g CFLAGS += $(CPPFLAGS) CFLAGS += -Wall -Werror -Wstrict-prototypes -Wmissing-prototypes CFLAGS += -fPIC $(ALERTING) $(LIBPRI_OPT) $(COVERAGE_CFLAGS) +CFLAGS += -Wno-zero-length-bounds -Wno-stringop-overflow INSTALL_PREFIX=$(DESTDIR) INSTALL_BASE=/usr libdir?=$(INSTALL_BASE)/lib
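Review bot: the added line `+CFLAGS += -Wno-zero-length-bounds -Wno-stringop-overflow` in the Makefile hunk turns the two diagnostics off for every translation unit while `-Werror` on the preceding CFLAGS line stays in force, so the out-of-bounds indexing from `data[0]` that the cover text describes is hidden everywhere rather than fixed. Prefer scoping the suppression to the files that trip it (or wrapping the offending accesses in a GCC diagnostic pragma) and, for the real fix, converting the zero-length trailing array to a flexible array member (`data[]`) so the bounds checks can stay enabled; a short comment above the new line saying it is a temporary workaround pending the upstream work would make it easy to drop later. Note that GCC silently accepts unknown `-Wno-` options unless another diagnostic is emitted, so the line will not break builds with compilers older than the one that introduced these warnings.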
Bug#952061: marked as pending in ibsim
Control: tag -1 pending

Hello,

Bug #952061 in ibsim reported by you has been fixed in the Git repository and is awaiting an upload. You can see the commit message below and you can check the diff of the fix at:

https://salsa.debian.org/hpc-team/ibsim/-/commit/5778172e6e5892568325a0aad55b3be89e24c981

New upstream release: 0.9 (Closes: #952061)

Switched to the newer releases that now build with rdma-core.

(this message was generated automatically)

-- 
Greetings

https://bugs.debian.org/952061
Bug#952061: Info received (Bug#952061: ibsim: FTBFS: umad2sim.c:110:30: error: ‘UMAD_DEV_DIR’ undeclared here (not in a function))
Hi,

I had little time to work on this, but as it happened, I submitted a pull request with deb packaging (internal) to the Github project and tested its building. It builds indeed fine with rdma-core, it seems.

-- Tzafrir
Bug#952061: ibsim: FTBFS: umad2sim.c:110:30: error: ‘UMAD_DEV_DIR’ undeclared here (not in a function)
ibsim moved to Github. The specific error seems to have been fixed by
https://github.com/linux-rdma/ibsim/commit/7bf171bab9c8bf3cc6c8f822bfcbd85570ca9abc

The warning: likely fixed by
https://github.com/linux-rdma/ibsim/commit/8625a69de7a319a0a1f3e4c86a0f14eda7e1612c

Latest version there is 0.9. TODO: update the package.

-- Tzafrir
Bug#934384: libvma: FTBFS: some symbols or patterns disappeared
On 10/08/2019 17:46, Niko Tyni wrote:
> Source: libvma
> Version: 8.8.1.really.8.7.7-1
> Severity: serious
> Tags: ftbfs
>
> This package fails to build on current sid/amd64.
>
> From my build log:
>
> dpkg-gensymbols: warning: some new symbols appeared in the symbols file: see diff output below
> dpkg-gensymbols: error: some symbols or patterns disappeared in the symbols file: see diff output below
> dpkg-gensymbols: warning: debian/libvma8/DEBIAN/symbols doesn't match completely debian/libvma8.symbols
> --- debian/libvma8.symbols (libvma8_8.8.1.really.8.7.7-1_amd64)
> +++ dpkg-gensymbolsBhlY4G 2019-08-10 14:41:41.948238949 +
> @@ -542,7 +542,7 @@
>  _ZN12sockinfo_tcp2rxE9rx_call_tP5ioveclPiP8sockaddrPjP6msghdr@Base 8.8.1.really.8.7.7
>  _ZN12sockinfo_tcp2txE9tx_call_tPK5iovecliPK8sockaddrj@Base 8.8.1.really.8.7.7
>  _ZN12sockinfo_tcp30create_flow_tuple_key_from_pcbER10flow_tupleP7tcp_pcb@Base 8.8.1.really.8.7.7
> - _ZN12sockinfo_tcp30return_reuse_buffers_postponedEv@Base 8.8.1.really.8.7.7
> +#MISSING: 8.8.1.really.8.7.7-1# _ZN12sockinfo_tcp30return_reuse_buffers_postponedEv@Base 8.8.1.really.8.7.7
>  _ZN12sockinfo_tcp4bindEPK8sockaddrj@Base 8.8.1.really.8.7.7
>  _ZN12sockinfo_tcp5fcntlEim@Base 8.8.1.really.8.7.7
>  _ZN12sockinfo_tcp5ioctlEmm@Base 8.8.1.really.8.7.7
> [...]
> dh_makeshlibs: failing due to earlier errors
> make: *** [debian/rules:15: binary] Error 255
> dpkg-buildpackage: error: debian/rules binary subprocess returned exit status 2

Sorry for the delay. Working on this and will have a fix this week.

-- Tzafrir
Bug#899446: update on hebrew packages addresses
Hi,

Working on those. Almost all of those needed to be switched from SVN to Git as well.

The new maintainer address will be that of the newly-created Hebrew team on tracker:
https://tracker.debian.org/teams/hebrew/
(Except, maybe, for fribidi).

FTR: Salsa group: https://salsa.debian.org/hebrew-team

-- 
Tzafrir Cohen         | Diasp: tzaf...@wk3.org  | VIM is
http://tzafrir.org.il | Matrix: t...@matrix.org | a Mutt's
tzaf...@cohens.org.il | Mast: tzaf...@tooot.im  | best
tzaf...@debian.org    |                         | friend
Bug#879043: dahdi-linux No longer compiled with m-a as of 4.13: unknown field ‘dev_attrs’
On Sat, Dec 30, 2017 at 11:47:21PM +0100, Bernhard Schmidt wrote:
> On Wed, Oct 18, 2017 at 08:19:26PM +0300, Tzafrir Cohen wrote:
>
> Hi Tzafrir,
>
> > Version: 1:2.11.1.0.20170917~dfsg-1
> > Flags: patch upstream
> > Forwarded: https://issues.asterisk.org/jira/browse/DAHLIN-356
> > Severity: grave
> >
> > As of kernel 4.13, build fails with the following error:
>
> Any update on this? The JIRA ticket seems to have a proposed patch
> attached, but it's not merged yet.

I pushed the fix to upstream git. I don't think there's any upcoming version. So it looks like a new git snapshot will do (also for better hardware support).

And then I noticed that it fails to build with 4.15. Can be fixed, but will require some more testing. I think I'll try to get this through before 4.15 gets into Unstable:

https://issues.asterisk.org/jira/browse/DAHLIN-359

-- 
Tzafrir Cohen
+972-50-7952406
mailto:tzafrir.co...@xorcom.com
http://www.xorcom.com
Bug#884345: asterisk: CVE-2017-17664: Remote Crash Vulnerability in RTCP Stack
control: found -1 1:13.14.1~dfsg-2+deb9u2

Thanks. This applies only to Asterisk >= 13. It does apply to the version in Stable, though not to the version in oldstable.

-- 
Tzafrir Cohen         | tzaf...@jabber.org | VIM is
http://tzafrir.org.il |                    | a Mutt's
tzaf...@cohens.org.il |                    | best
tzaf...@debian.org    |                    | friend
Bug#879043: dahdi-linux No longer compiled with m-a as of 4.13: unknown field ‘dev_attrs’
Package: Justin Hallett <the...@me.com>
Version: 1:2.11.1.0.20170917~dfsg-1
Flags: patch upstream
Forwarded: https://issues.asterisk.org/jira/browse/DAHLIN-356
Severity: grave

As of kernel 4.13, build fails with the following error:

  CC [M]  /usr/src/modules/dahdi/drivers/dahdi/dahdi-sysfs.o
/usr/src/modules/dahdi/drivers/dahdi/dahdi-sysfs.c:273:2: error: unknown field ‘dev_attrs’ specified in initializer
  .dev_attrs = span_dev_attrs,
  ^
/usr/src/modules/dahdi/drivers/dahdi/dahdi-sysfs.c:273:15: error: initialization from incompatible pointer type [-Werror=incompatible-pointer-types]
  .dev_attrs = span_dev_attrs,
               ^~
/usr/src/modules/dahdi/drivers/dahdi/dahdi-sysfs.c:273:15: note: (near initialization for ‘spans_bus_type.probe’)
/usr/src/modules/dahdi/drivers/dahdi/dahdi-sysfs.c:711:2: error: unknown field ‘dev_attrs’ specified in initializer
  .dev_attrs = dahdi_device_attrs,
  ^
/usr/src/modules/dahdi/drivers/dahdi/dahdi-sysfs.c:711:15: error: initialization from incompatible pointer type [-Werror=incompatible-pointer-types]
  .dev_attrs = dahdi_device_attrs,
               ^~

-- 
Tzafrir Cohen
+972-50-7952406
mailto:tzafrir.co...@xorcom.com
http://www.xorcom.com
Bug#872760: asterisk-opus: uninstallable in unstable
Hi,

On Mon, Aug 21, 2017 at 12:07:40AM +0200, Jonas Smedegaard wrote:
> Hi Sam,
>
> Quoting Sam Hartman (2017-08-20 23:24:25)
> > The asterisk package in unstable provides
> > asterisk-1fb7f5c06d7a2052e38d021b3d8ca151
> >
> > but asterisk-opus depends on asterisk-fa819827cbff2ea35341af5458859233
> >
> > It looks like this is a system that is very locked to the specific
> > build of asterisk.

Asterisk calculates a checksum of some of its build properties at build time. This checksum is built into the module loader and normally modules fail to load if the version of Asterisk at run-time is different than the one used to build it.

Normally the checksum does not change. In fact, the rules file of the Debian packaging includes a copy of it and checks that it didn't change. Some time in the 13 cycle the calculation of the checksum changed to avoid including some irrelevant functions, and thus the checksum is different from the Stable version.

> The tight dependency is build-time only: Generally a BinNMU is adequate.

Right.

-- 
Tzafrir Cohen
+972-50-7952406
mailto:tzafrir.co...@xorcom.com
http://www.xorcom.com
Bug#850320: mock: CVE-2016-6299: privilege escalation via mock-scm
On Fri, Jan 06, 2017 at 01:37:58PM +, Holger Levsen wrote:
> Hi Tzafrir,
>
> On Fri, Jan 06, 2017 at 12:25:07AM +0100, Tzafrir Cohen wrote:
> > The version in Jessie-backports seems to be the only one affected by it.
>
> will you upload a fixed version to jessie-bpo or should I? (I'd be happy
> if you did, but I was the person introducing mock to bpo, so I'd take
> responsibility and fix, if needed.)

I prepared a version in the branch jessie-backports in git[1]. It seems to work OK here. I don't have my key in the backports keyring, so I prefer that you upload it.

-- 
Tzafrir Cohen         | tzaf...@jabber.org | VIM is
http://tzafrir.org.il |                    | a Mutt's
tzaf...@cohens.org.il |                    | best
tzaf...@debian.org    |                    | friend
Bug#850320: mock: CVE-2016-6299: privilege escalation via mock-scm
My initial reading into this: neither the version in Stable (1.1.33-1) nor the version in Testing / Unstable (1.3.2-1) is vulnerable. Not closing yet as I want to test this better. The version in Jessie-backports seems to be the only one affected by it.

Impact: mock is a chroot building server. You feed it with RPM source packages and they get built in chroots (that it creates). Package specifications may generally include various forms of executable code. The builder runs the builds as a non-root user. The issue was that the rpm spec file was evaluated accidentally as root.

This issue was fixed upstream just before 1.2.22, and that fix is included in the current version (1.3.2). In 1.1.33 the parsing seems to be done after temporarily dropping super-user privileges at startup.

-- 
Tzafrir Cohen         | tzaf...@jabber.org | VIM is
http://tzafrir.org.il |                    | a Mutt's
tzaf...@cohens.org.il |                    | best
tzaf...@debian.org    |                    | friend
Bug#847666: asterisk: AST-2016-008: Crash on SDP offer or answer from endpoint using Opus
On Sat, Dec 10, 2016 at 03:52:26PM +0100, Salvatore Bonaccorso wrote:
> Source: asterisk
> Version: 1:13.12.2~dfsg-1
> Severity: grave
> Tags: security upstream patch
> Forwarded: https://issues.asterisk.org/jira/browse/ASTERISK-26579
>
> Hi
>
> AST-2016-008 was announced at
>
> http://downloads.asterisk.org/pub/security/AST-2016-008.html
>
> referencing patches as well for the 13.x release series.
>
> https://issues.asterisk.org/jira/browse/ASTERISK-26579

The patch does not seem to apply to the Debian package due to opus.patch. It seems however that the original issue likewise doesn't, as the code from opus.patch uses a different parsing of the Opus SDP headers.

Attached a sipp scenario that crashes an unpatched upstream asterisk 13.13.0:

sipp 127.0.0.1:5060 -sf SDP.xml -m 1

If anyone wants to give a second look to opus.patch (and maybe also amr.patch; vp8.patch looks more self-contained). The relevant upstream code must have had some extra checks at this point.

Could someone else please double-check before closing this one? (But yes, there's still AST-2016-009 in another open bug)

-- 
Tzafrir Cohen
icq#16849755 jabber:tzafrir.co...@xorcom.com
+972-50-7952406 mailto:tzafrir.co...@xorcom.com
http://www.xorcom.com

Attachment: sipp-AST-2016-008.xml (XML document)
Bug#842917: asterisk builds with -march=native
tag 842917 +pending
thanks

Also,

On Wed, Nov 02, 2016 at 12:23:11PM +0200, Adrian Bunk wrote:
> Source: asterisk
> Version: 1:13.11.2~dfsg-1
> Severity: grave
>
> https://buildd.debian.org/status/fetch.php?pkg=asterisk&arch=amd64&ver=1:13.11.2~dfsg-1&stamp=1477641275
>
> ...
> checking for -march=native support... yes
> ...

For the record: the Asterisk configure script checks for -march=native regardless of whether or not it will be used later. So to see if this issue re-appears, check for -march=native in the build command itself and ignore the line above in the configure script output.

Thanks for your report.

-- 
Tzafrir Cohen
icq#16849755 jabber:tzafrir.co...@xorcom.com
+972-50-7952406 mailto:tzafrir.co...@xorcom.com
http://www.xorcom.com
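The check described in the message above, as an added example that is not part of the bug thread or of the Asterisk packaging: a POSIX shell function that reports -march=native only when it appears in an actual compiler or linker command line of a build log and ignores the "checking for -march=native support... yes" probe that configure prints anyway. The log excerpt and the pattern used to recognise compiler invocations (cc, gcc, g++, clang, or a <triplet>-linux-gnu-gcc driver) are both assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the bug report or the Asterisk packaging.
# Flag -march=native only where it matters: in the compiler/linker
# command lines of a build log, not in the configure probe line, which
# Asterisk's configure prints regardless of whether the flag is used.

# Constructed build-log excerpt: the probe line (harmless), a clean
# compile line, and one compile line that really passes -march=native.
SAMPLE_LOG='checking for -march=native support... yes
checking for -fsanitize=address support... no
x86_64-linux-gnu-gcc -o main/asterisk.o -c main/asterisk.c -g -O2 -pipe -Wall
x86_64-linux-gnu-gcc -o main/utils.o -c main/utils.c -g -O2 -march=native -pipe -Wall
make[1]: Leaving directory /tmp/asterisk'

# Assumed shape of "this line is a compiler or linker invocation":
# cc/gcc/g++/clang or a <triplet>-linux-gnu-gcc driver as a word.
COMPILER_LINE='(^|[[:space:]/])(cc|gcc|g[+][+]|clang|[a-z0-9_]+-linux-gnu-gcc)[[:space:]]'

# march_native_hits LOGFILE
# Print each compiler invocation in LOGFILE that passes -march=native.
# Exit status is 0 when at least one such line exists, 1 otherwise.
march_native_hits() {
    grep -e '-march=native' -- "$1" |
        grep -v -e '^checking for .*-march=native support' |
        grep -E -e "$COMPILER_LINE"
}

# check_build_log LOGFILE
# Return 0 when the build is clean, 1 (listing the offenders on stderr)
# when any real compile or link step used -march=native, 2 on bad input.
check_build_log() {
    [ -r "$1" ] || { printf 'cannot read %s\n' "$1" >&2; return 2; }
    hits=$(march_native_hits "$1") || return 0
    printf 'build uses -march=native in:\n%s\n' "$hits" >&2
    return 1
}

# Run the check against the constructed excerpt.
demo() {
    tmp=$(mktemp) || return 2
    printf '%s\n' "$SAMPLE_LOG" > "$tmp"
    check_build_log "$tmp"
    rc=$?
    rm -f "$tmp"
    return $rc
}

if demo; then
    echo "build log is clean"
else
    echo "build log used -march=native (see stderr)"
fi
```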
Bug#831179: pjproject: FTBFS with GCC 6: dh_makeshlibs: failing due to earlier errors
On Thu, Jul 14, 2016 at 10:06:57AM +0200, Lucas Nussbaum wrote:
> Source: pjproject
> Version: 2.5.1~dfsg-2
> Severity: serious
> Tags: stretch sid
> User: debian...@lists.debian.org
> Usertags: qa-ftbfs-20160713 qa-ftbfs
> Justification: FTBFS with GCC 6 on amd64

Thanks for the report. So at first glance: it builds fine but the C++ ABI has changed (most of the pjproject libraries are C, with a single C++ library).

-- 
Tzafrir Cohen
icq#16849755 jabber:tzafrir.co...@xorcom.com
+972-50-7952406 mailto:tzafrir.co...@xorcom.com
http://www.xorcom.com
Bug#793094: pjproject: FTBFS: some symbols or patterns disappeared in the symbols file
On Fri, Oct 30, 2015 at 03:52:56PM +0100, Emilio Pozuelo Monfort wrote:
> This is a friendly ping wrt the libstdc++ ABI transition. Your package is listed
> as needing a transition but has seen no action. It'd be good to get things going
> so we can finish the transition soon.

Thanks for the reminder. I pushed some changes to the git repo. I hope to upload a package this weekend.

pjproject is largely a C library with a single C++ library (libpjsua2 - the binary package libpjsua2-2). I decided to bump the soname of that library alone (libpjsua2-2v5).

-- 
Tzafrir Cohen         | tzaf...@jabber.org | VIM is
http://tzafrir.org.il |                    | a Mutt's
tzaf...@cohens.org.il |                    | best
tzaf...@debian.org    |                    | friend
Bug#801535: asterisk: FTBFS in sid: linker errors due to missing B-D
On Sun, Oct 11, 2015 at 11:34:32PM +0200, Jonas Smedegaard wrote:
> Quoting Andreas Beckmann (2015-10-11 22:58:11)
> > asterisk FTBFS in sid:
> >
> > [...]
> > x86_64-linux-gnu-gcc -o pjsip/dialplan_functions.o -c pjsip/dialplan_functions.c -MD -MT pjsip/dialplan_functions.o -MF .pjsip_dialplan_functions.o.d -MP -pthread -I/tmp/buildd/asterisk-13.1.0~dfsg/include -fgnu89-inline -g -O2 -fPIE -fstack-protector-strong -Wformat -Werror=format-security -D_FORTIFY_SOURCE=2 -I/usr/include/libxml2 -pipe -Wall -Wstrict-prototypes -Wmissing-prototypes -Wmissing-declarations -fPIC -DAST_MODULE=\"chan_pjsip\" -DPJ_AUTOCONF=1 -DPJ_IS_BIG_ENDIAN=0 -DPJ_IS_LITTLE_ENDIAN=1 -DOPENSSL_NO_SSL2=1
> > /tmp/buildd/asterisk-13.1.0~dfsg/build_tools/make_linker_version_script chan_pjsip "" "/tmp/buildd/asterisk-13.1.0~dfsg"
> > x86_64-linux-gnu-gcc -o chan_pjsip.so -pthread -fPIE -pie -Wl,-z,relro -Wl,-z,now-shared -Wl,--version-script,chan_pjsip.exports,--warn-common chan_pjsip.o pjsip/dialplan_functions.o -lpjsua2 -lstdc++ -lpjsua -lpjsip-ua -lpjsip-simple -lpjsip -lpjmedia-codec -lpjmedia -lpjmedia-videodev -lpjmedia-audiodev -lpjmedia -lpjnath -lpjlib-util -lsrtp -lpj -lm -lrt -lpthread -lSDL2 -lavformat-ffmpeg -lavcodec-ffmpeg -lswscale-ffmpeg -lavutil-ffmpeg -lv4l2 -lopencore-amrnb -lopencore-amrwb
> > /usr/bin/ld: cannot find -lSDL2
> > /usr/bin/ld: cannot find -lavformat-ffmpeg
> > /usr/bin/ld: cannot find -lavcodec-ffmpeg
> > /usr/bin/ld: cannot find -lswscale-ffmpeg
> > /usr/bin/ld: cannot find -lavutil-ffmpeg
> > /usr/bin/ld: cannot find -lv4l2
> > /usr/bin/ld: cannot find -lopencore-amrnb
> > /usr/bin/ld: cannot find -lopencore-amrwb
> > collect2: error: ld returned 1 exit status
> >
> > These seem to be several Build-Depends missing, e.g. libsdl2-dev, libv4l-dev
> > and the ffmpeg bits seem to have been reorganized as well.
>
> I suspect it might be pjsip growing dependencies on those libraries and
> injecting linkage flags into Asterisk, but instead of actively avoiding
> those it seems more sensible to me to consider solving bug#531728.

You are right. The git version of pjsip should look better.

-- 
Tzafrir Cohen
icq#16849755 jabber:tzafrir.co...@xorcom.com
+972-50-7952406 mailto:tzafrir.co...@xorcom.com
http://www.xorcom.com
Bug#795825: asterisk: FTBFS on amd64 arm64 ppc64el: /usr/bin/ld: cannot find -lSDL2 (and others)
reassign 795825 libpjproject-dev
thanks

On Mon, Aug 17, 2015 at 10:08:18AM +0100, Simon McVittie wrote:
> Source: asterisk
> Version: 1:13.1.0~dfsg-1.1
> Severity: serious
> Justification: fails to build from source (but built successfully in the past)
>
> When asterisk was binNMU'd for the libvpb1 transition, it failed to build from source on amd64, arm64 and ppc64el:
> https://buildd.debian.org/status/package.php?p=asterisk
>
> /«PKGBUILDDIR»/build_tools/make_linker_version_script chan_pjsip /«PKGBUILDDIR»
> x86_64-linux-gnu-gcc -o chan_pjsip.so -pthread -fPIE -pie -Wl,-z,relro -Wl,-z,now-shared -Wl,--version-script,chan_pjsip.exports,--warn-common chan_pjsip.o pjsip/dialplan_functions.o -lpjsua2 -lstdc++ -lpjsua -lpjsip-ua -lpjsip-simple -lpjsip -lpjmedia-codec -lpjmedia -lpjmedia-videodev -lpjmedia-audiodev -lpjmedia -lpjnath -lpjlib-util -lsrtp -lpj -lm -lrt -lpthread -lSDL2 -lavformat-ffmpeg -lavcodec-ffmpeg -lswscale-ffmpeg -lavutil-ffmpeg -lv4l2 -lopencore-amrnb -lopencore-amrwb
> /usr/bin/ld: cannot find -lSDL2
> /usr/bin/ld: cannot find -lavformat-ffmpeg
> /usr/bin/ld: cannot find -lavcodec-ffmpeg
> /usr/bin/ld: cannot find -lswscale-ffmpeg
> /usr/bin/ld: cannot find -lavutil-ffmpeg
> /usr/bin/ld: cannot find -lv4l2
> /usr/bin/ld: cannot find -lopencore-amrnb
> /usr/bin/ld: cannot find -lopencore-amrwb
> collect2: error: ld returned 1 exit status
>
> I don't know what's different about those three architectures. They're all 64-bit, but so is s390x, which built successfully.

Those dependencies should be set by libpjproject-dev.

-- 
Tzafrir Cohen
icq#16849755 jabber:tzafrir.co...@xorcom.com
+972-50-7952406 mailto:tzafrir.co...@xorcom.com
http://www.xorcom.com
Bug#793094: pjproject: FTBFS: some symbols or patterns disappeared in the symbols file
On Mon, Aug 03, 2015 at 07:52:36AM +0200, Tzafrir Cohen wrote:
> Thanks for your report,
>
> On Tue, Jul 21, 2015 at 11:23:33AM +0200, Jakub Wilk wrote:
> > Source: pjproject
> > Version: 2.4~dfsg-1
> > Severity: serious
> > Justification: fails to build from source
> >
> > pjproject FTBFS on 32-bit architectures:
>
> I originally thought it's a 32 bits issue. But what about s390x, alpha and ppc64? Specifically this is the second issue (see below).
>
> > | dh_makeshlibs -a
> > | dpkg-gensymbols: warning: some libraries disappeared in the symbols file: libpjsip-simple.so.2 libpjsua.so.2 libpjmedia-codec.so.2 libpjlib-util.so.2 libpjsip-ua.so.2 libpjsip.so.2 libpjnath.so.2 libpjmedia-videodev.so.2 libpjmedia.so.2 libpjmedia-audiodev.so.2 libpj.so.2
> > | dpkg-gensymbols: warning: some new symbols appeared in the symbols file: see diff output below
> > | dpkg-gensymbols: warning: some symbols or patterns disappeared in the symbols file: see diff output below
> > | dpkg-gensymbols: warning: debian/libpjsua2-2/DEBIAN/symbols doesn't match completely debian/libpjsua2-2.symbols
> > | --- debian/libpjsua2-2.symbols (libpjsua2-2_2.4~dfsg-1_i386)
> > | +++ dpkg-gensymbols2_HFSS 2015-07-20 23:22:51.722478229 +
> > | @@ -1,2152 +1,3 @@
> > | -libpj.so.2 libpjsua2-2 #MINVER#
> > | - PJ_AF_INET6@Base 2.4~dfsg
> > | - PJ_AF_INET@Base 2.4~dfsg
> > | - PJ_AF_IRDA@Base 2.4~dfsg
> > | - PJ_AF_PACKET@Base 2.4~dfsg

Those symbols seem to actually come from libpj. I guess that the symbols file there is broken: it contains a host of symbols from other sub-packages. Fixed in git.

Now to the likes of:

- _ZN2pj10StreamInfoD1Ev@Base 2.4~dfsg
- _ZN2pj10StreamInfoD2Ev@Base 2.4~dfsg

This is originally:

pjsip/include/pjsua2/call.hpp:struct StreamInfo

I see that many structs defined in pjsua2 created constructors and now they don't.

- _ZN2pj15writeSipHeadersERNS_13ContainerNodeERKSsRKSt6vectorINS_9SipHeaderESaIS5_EE@Base 2.4~dfsg
+ _ZN2pj15writeSipHeadersERNS_13ContainerNodeERKNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEERKSt6vectorINS_9SipHeaderESaISB_EE@Base 2.4.5~dfsg-1

Seems to be a C++11 issue.

-- 
Tzafrir Cohen         | tzaf...@jabber.org | VIM is
http://tzafrir.org.il |                    | a Mutt's
tzaf...@cohens.org.il |                    | best
tzaf...@debian.org    |                    | friend
Bug#794313: removing all dahdi-extra modules [was: Re: Bug#794313: dahdi: DAHDI-modules build fails]
On Mon, Aug 10, 2015 at 12:07:10PM +0700, Igor Liferenko wrote:

Hi all,

The problem is that the current dahdi-source package does not support Linux 4. (The bug was accidentally filed on the package 'dahdi', that is from a different source package.)

The build starts to work with this:
http://downloads.asterisk.org/pub/telephony/dahdi-linux/dahdi-linux-2.10.2.tar.gz

Everything compiles fine, except wcopenpci.c (and others) in patches/dahdi_linux_extra (I removed drivers/dahdi/Kbuild from patches/dahdi_linux_extra while testing):

/usr/src/modules/dahdi/drivers/dahdi/wcopenpci.c: In function ‘openpci_probe_board’:
/usr/src/modules/dahdi/drivers/dahdi/wcopenpci.c:1675:42: error: ‘DAHDI_IRQ_SHARED’ undeclared (first use in this function)
  if (request_irq(pdev->irq, openpci_isr, DAHDI_IRQ_SHARED, NAME, wc)) {

This was generally simple enough to fix, however I don't have the relevant hardware to test with. Thus for now I'll drop support for all extra drivers and leave only the OSLEC (echo) module there.

If you[1] need support for any other driver (and have the card for some minimal smoke tests) please either contact me directly or file a bug report on src:dahdi-linux or dahdi-source. Alternatively, if you still use such a driver but are not able to test it, contact me so I'll know that there is some demand for those drivers.

[1] The general public, not just the submitter of this bug.

-- 
Tzafrir Cohen
icq#16849755 jabber:tzafrir.co...@xorcom.com
+972-50-7952406 mailto:tzafrir.co...@xorcom.com
http://www.xorcom.com
Bug#793094: pjproject: FTBFS: some symbols or patterns disappeared in the symbols file
> ~dfsg
> | _ZTI10PendingLog@Base 2.4~dfsg
> | Use of uninitialized value in numeric eq (==) at /usr/bin/dh_makeshlibs line 270.
> | dh_makeshlibs: failing due to earlier errors
> | make: *** [binary-arch] Error 2

This is a different issue: C++ symbols mangled differently on different architectures. Need to look into this one.

> Full build logs:
> https://buildd.debian.org/status/fetch.php?pkg=pjproject&arch=armel&ver=2.4%7Edfsg-1&stamp=1437436756
> https://buildd.debian.org/status/fetch.php?pkg=pjproject&arch=armhf&ver=2.4%7Edfsg-1&stamp=1437438639
> https://buildd.debian.org/status/fetch.php?pkg=pjproject&arch=i386&ver=2.4%7Edfsg-1&stamp=1437434574
> https://buildd.debian.org/status/fetch.php?pkg=pjproject&arch=kfreebsd-i386&ver=2.4%7Edfsg-1&stamp=1437437994
> https://buildd.debian.org/status/fetch.php?pkg=pjproject&arch=mips&ver=2.4%7Edfsg-1&stamp=1437438361
> https://buildd.debian.org/status/fetch.php?pkg=pjproject&arch=mipsel&ver=2.4%7Edfsg-1&stamp=1437445855
> https://buildd.debian.org/status/fetch.php?pkg=pjproject&arch=powerpc&ver=2.4%7Edfsg-1&stamp=1437435603
> https://buildd.debian.org/status/fetch.php?pkg=pjproject&arch=sparc&ver=2.4%7Edfsg-1&stamp=1437452748

Note that the first issue also appeared in most (all?) the successful builds.

-- 
Tzafrir Cohen         | tzaf...@jabber.org | VIM is
http://tzafrir.org.il |                    | a Mutt's
tzaf...@cohens.org.il |                    | best
tzaf...@debian.org    |                    | friend

-- 
To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#777829: still there
On Sat, Jun 27, 2015 at 03:32:22PM -0400, Martin Michlmayr wrote:
> reopen 777829
> found 777829 1:2.10.2-1
> thanks
>
> * Debian Bug Tracking System ow...@bugs.debian.org [2015-06-26 13:24]:
> > dahdi-tools (1:2.10.2-1) unstable; urgency=medium
> > .
> >   * New upstream release:
> >     - Removed bashism from udev hook script (Closes: #772229).
> >     - Builds fine with GCC 5 (Closes: #777829).
>
> The particular line that causes the error (warning but -Werror is enabled) hasn't changed, and 2.10.2-1 still fails to build with GCC 5.

My mistake. Fix applied upstream but after the release of 2.10.2. Patching.

-- 
Tzafrir Cohen         | tzaf...@jabber.org | VIM is
http://tzafrir.org.il |                    | a Mutt's
tzaf...@cohens.org.il |                    | best
tzaf...@debian.org    |                    | friend
Bug#781651: konsole: Console cursor loses focus after switching between windows
On Wed, Apr 01, 2015 at 11:08:48AM +0100, Jaap Eldering wrote:
> Since upgrading to Jessie, I have the same problem. I'm not sure exactly when it started. I run plain openbox as window manager, but the same problem also appears when I use Xfce or failsafe-xterm.

icewm here.

-- 
Tzafrir Cohen         | tzaf...@jabber.org | VIM is
http://tzafrir.org.il |                    | a Mutt's
tzaf...@cohens.org.il |                    | best
tzaf...@debian.org    |                    | friend
Bug#771463: CVE-2014-8418 CVE-2014-8412 CVE-2014-8414 CVE-2014-8417
On Sat, Nov 29, 2014 at 10:33:31PM +0100, Moritz Muehlenhoff wrote:
Source: asterisk
Severity: grave
Tags: security

Please see
http://downloads.digium.com/pub/security/AST-2014-018.html
http://downloads.digium.com/pub/security/AST-2014-017.html
http://downloads.digium.com/pub/security/AST-2014-014.html
http://downloads.digium.com/pub/security/AST-2014-012.html

012 was already fixed (in a version uploaded to Unstable, but didn't stay there long enough). Sadly Unstable has Asterisk 13, and thus those need to be pushed directly to Jessie.

I created a Jessie branch in git with those fixes. Sadly I didn't have the time to properly document them. Feel free to upload it.

For Unstable, I guess a new upstream release is needed (due to the same security issues. And even more: many issues in chan_pjsip).

-- Tzafrir Cohen icq#16849755 jabber:tzafrir.co...@xorcom.com +972-50-7952406 mailto:tzafrir.co...@xorcom.com http://www.xorcom.com
Bug#689109: Bug#685540: asterisk-flite, asterisk-espeak: binnmu required
Hi Jonas,

On Wed, Nov 14, 2012 at 12:33:26PM +0100, Jonas Smedegaard wrote:
Quoting Tzafrir Cohen (2012-11-13 18:00:30)
Indeed this is fixable through a binNMU.

Yes, but release managers disapprove of simple binNMUs covering over the underlying problem, as I wrote earlier: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=685540#20

The proper fix is this combo:
1) File bugreport against asterisk-dev about broken/missing hints about shared library.
2) Fix bug filed in 1).

Asterisk now provides asterisk-hash-of-build-options. This includes the version. A module can safely depend on those (but it should be updated on backporting).

Would you mind fixing the packages (asterisk-flite, and asterisk-espeak)? Would you like me to?

The new upstream release also fixes building with asterisk-11 and asterisk-13 (a separate bug filed).

-- Tzafrir Cohen icq#16849755 jabber:tzafrir.co...@xorcom.com +972-50-7952406 mailto:tzafrir.co...@xorcom.com http://www.xorcom.com
Bug#766974: asterisk-espeak: FTBFS: fails to build with asterisk 13. Use latest version
Source: asterisk-espeak
Version: 2.1-1+b1
Severity: grave

asterisk-espeak fails to build with asterisk 13:

gcc -pipe -fPIC -Wall -Wstrict-prototypes -Wmissing-prototypes -Wmissing-declarations -D_REENTRANT -D_GNU_SOURCE -g -O2 -c -o app_espeak.o app_espeak.c
app_espeak.c: In function ‘espeak_exec’:
app_espeak.c:219:13: error: dereferencing pointer to incomplete type
  if (chan->_state != AST_STATE_UP)
app_espeak.c:221:47: error: dereferencing pointer to incomplete type
  res = ast_streamfile(chan, cachefile, chan->language);
app_espeak.c:224:12: error: dereferencing pointer to incomplete type
  chan->name);
app_espeak.c:331:10: error: dereferencing pointer to incomplete type
  if (chan->_state != AST_STATE_UP)
app_espeak.c:333:43: error: dereferencing pointer to incomplete type
  res = ast_streamfile(chan, raw_name, chan->language);
app_espeak.c:335:67: error: dereferencing pointer to incomplete type
  ast_log(LOG_ERROR, "eSpeak: ast_streamfile failed on %s\n", chan->name);
Makefile:38: recipe for target 'app_espeak.o' failed
make: *** [app_espeak.o] Error 1

This seems to have been fixed by upstream in https://github.com/zaf/Asterisk-eSpeak/commit/bf0c07f59b0b62a609a1e94dff40171c09f16e5d

I would suggest to get the latest upstream version, which is verified to build with Asterisk 13.

-- Tzafrir Cohen | tzaf...@jabber.org | VIM is http://tzafrir.org.il || a Mutt's tzaf...@cohens.org.il || best tzaf...@debian.org|| friend
Bug#766975: asterisk-flite: FTBFS: fails to build with asterisk 13. Use latest version
Source: asterisk-flite
Version: 2.1-1.1
Severity: grave

asterisk-flite fails to build with asterisk 13:

gcc -pipe -fPIC -Wall -Wstrict-prototypes -Wmissing-prototypes -Wmissing-declarations -D_REENTRANT -D_GNU_SOURCE -g -O2 -c -o app_flite.o app_flite.c
app_flite.c: In function ‘flite_exec’:
app_flite.c:168:13: error: dereferencing pointer to incomplete type
  if (chan->_state != AST_STATE_UP)
app_flite.c:170:47: error: dereferencing pointer to incomplete type
  res = ast_streamfile(chan, cachefile, chan->language);
app_flite.c:173:12: error: dereferencing pointer to incomplete type
  chan->name);
app_flite.c:239:10: error: dereferencing pointer to incomplete type
  if (chan->_state != AST_STATE_UP)
app_flite.c:241:43: error: dereferencing pointer to incomplete type
  res = ast_streamfile(chan, tmp_name, chan->language);
app_flite.c:243:66: error: dereferencing pointer to incomplete type
  ast_log(LOG_ERROR, "Flite: ast_streamfile failed on %s\n", chan->name);
Makefile:38: recipe for target 'app_flite.o' failed
make: *** [app_flite.o] Error 1

This seems to have been fixed by upstream in https://github.com/zaf/Asterisk-Flite/commit/ee1b1a88b96dddf7a85f0f7b854501ecdcee1765

I would suggest to get the latest upstream version, which is verified to build with Asterisk 13.

-- Tzafrir Cohen | tzaf...@jabber.org | VIM is http://tzafrir.org.il || a Mutt's tzaf...@cohens.org.il || best tzaf...@debian.org|| friend
Bug#759576: sflphone does not start
Hi,

On Thu, Aug 28, 2014 at 01:07:12PM -0500, Carlos Prieto wrote:
Source: sflphone
Severity: grave
Justification: renders package unusable

Dear Maintainer,

* What led up to the situation?
I tried to start sflphone, from the graphic interface and from the command line.
* What exactly did you do (or not do) that was effective (or ineffective)?
The program did not start.
* What was the outcome of this action?
The console kept waiting for about 20 seconds. After that, the shell prompt started again, without any message.
* What outcome did you expect instead?
The program should start

Thanks for your report

According to Upstream, this issue has been fixed in version 1.4.0. Version 1.4.1 should be released in a few days and it makes sense to wait for it.

-- Tzafrir Cohen icq#16849755 jabber:tzafrir.co...@xorcom.com +972-50-7952406 mailto:tzafrir.co...@xorcom.com http://www.xorcom.com
Bug#705690: up-to-date packaging for libuser
On Mon, Apr 28, 2014 at 09:46:22AM +0200, Tzafrir Cohen wrote:
Hi,

It seems that libuser has not received any decent maintenance in recent years. As its removal will remove my package (mock), I tried fixing this bug. It turned out to be more complicated than I thought, and I ended up recreating the packaging altogether. See libuser.git on collab-maint: http://anonscm.debian.org/gitweb/?p=collab-maint/libuser.git

I refreshed that repository (this will require forced update, if you already checked out that package). I used git-dpm this time (it looked interesting and I wanted to give it a shot).

I marked myself as uploader in order to silence Lintian. Though if there are any objections to that, I don't have any issues with removing it.

-- Tzafrir Cohen | tzaf...@jabber.org | VIM is http://tzafrir.org.il || a Mutt's tzaf...@cohens.org.il || best tzaf...@debian.org|| friend
Bug#705690: up-to-date packaging for libuser
Hi,

It seems that libuser has not received any decent maintenance in recent years. As its removal will remove my package (mock), I tried fixing this bug. It turned out to be more complicated than I thought, and I ended up recreating the packaging altogether. See libuser.git on collab-maint: http://anonscm.debian.org/gitweb/?p=collab-maint/libuser.git

-- Tzafrir Cohen | tzaf...@jabber.org | VIM is http://tzafrir.org.il || a Mutt's tzaf...@cohens.org.il || best tzaf...@debian.org|| friend
Bug#732355: asterisk: Two Asterisk security issues
On Tue, Dec 17, 2013 at 06:17:09PM +0100, Moritz Muehlenhoff wrote:
On Tue, Dec 17, 2013 at 05:55:14PM +0200, Tzafrir Cohen wrote:
On Tue, Dec 17, 2013 at 07:33:53AM +0100, Moritz Muehlenhoff wrote:
Package: asterisk
Severity: grave
Tags: security

Hi, please see http://downloads.asterisk.org/pub/security/AST-2013-006.html and http://downloads.asterisk.org/pub/security/AST-2013-007.html

Looking at them. At first glance: both of them also affect 1.6.2 from old-stable. AST-2013-007 introduces a new configuration item and we have to see what the sane default for it should be.

I think we should follow upstream and keep live_dangerously activated. We can add a note to the advisory what setting must be tweaked.

Attached are debdiffs for oldstable and stable uploads. I couldn't find CVE entries.

I added an extra bug fix to help me patch the issue, for a bug that is marginally a remote crash bug: https://issues.asterisk.org/jira/browse/ASTERISK-20658 (Asterisk Realtime means getting some of Asterisk's configuration from a database)

More on AST-2013-007: (maybe shorten it a bit?)

Asterisk employs in its dialplan and various other places a syntax for variable expansion: ${VAR} expands the value of ${VAR}. Similarly there are also some functions that use a similar syntax: ${RANDOM(5)} or ${CUT(20-30-40,-,2)}. Some are more potent, however, such as SHELL (run a shell command and return the output).

The variables were primarily meant for the Asterisk dialplan, but may be accessed through several other interfaces. For instance, the AMI (Asterisk Manager Interface) provides a GetVar command. This will also expand functions.

With the fix for AST-2013-007, a new knob was added in order to allow the system administrator to disable expansion of dangerous functions (such as SHELL()) from any interface which is not the dialplan. In Stable and Oldstable this knob is disabled by default.

To enable it add the following line to the section '[options]' in /etc/asterisk/asterisk.conf (and restart asterisk):

live_dangerously = no

-- Tzafrir Cohen icq#16849755 jabber:tzafrir.co...@xorcom.com +972-50-7952406 mailto:tzafrir.co...@xorcom.com http://www.xorcom.com
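The gate described in the message above, as an added illustration that is not Asterisk's own code: a toy `${NAME}` / `${NAME(ARGS)}` expander in which functions marked dangerous (here SHELL) only expand for the dialplan unless the `live_dangerously` knob is on. The function names, the sample EXTEN value and the simplified CUT (on a literal string) and SHELL (which runs nothing) semantics are assumptions made for the example.

```c
/* Added illustration of the live_dangerously gate; not Asterisk's own code.
 * expand_token, the function table and the sample data are assumptions. */
#include <stdio.h>
#include <string.h>

enum caller_kind { FROM_DIALPLAN, FROM_AMI };   /* which interface asks for expansion */

/* Mirrors "live_dangerously" in the [options] section of asterisk.conf:
 * 0 means "= no", i.e. dangerous functions only expand from the dialplan. */
int live_dangerously = 0;

/* CUT(str,delim,field), simplified to a literal string: "20-30-40,-,2" -> "30".
 * (Real Asterisk CUT takes a variable name; the simplification is ours.) */
static int fn_cut(const char *args, char *out, size_t outlen)
{
    char str[256], delim[2] = { 0, 0 };
    int want, idx = 1;
    if (sscanf(args, "%255[^,],%c,%d", str, &delim[0], &want) != 3)
        return -1;
    for (char *tok = strtok(str, delim); tok; tok = strtok(NULL, delim), idx++)
        if (idx == want) { snprintf(out, outlen, "%s", tok); return 0; }
    return -1;                                  /* no such field */
}

/* SHELL(cmd): deliberately runs nothing; only the gating is demonstrated. */
static int fn_shell(const char *args, char *out, size_t outlen)
{
    snprintf(out, outlen, "[output of '%s' would be returned here]", args);
    return 0;
}

struct expander_fn {
    const char *name;
    int dangerous;                              /* restricted by the knob */
    int (*impl)(const char *args, char *out, size_t outlen);
};

static const struct expander_fn fn_table[] = {
    { "CUT",   0, fn_cut   },
    { "SHELL", 1, fn_shell },
};

/* Plain ${VAR} lookup; EXTEN=1234 is a constructed sample value. */
static const char *var_lookup(const char *name)
{
    return strcmp(name, "EXTEN") == 0 ? "1234" : NULL;
}

/* Expand one "${NAME}" or "${NAME(ARGS)}" token into out.
 * Returns 0 on success, -1 for an unknown name or malformed token, and
 * -2 when a dangerous function is refused because the caller is not the
 * dialplan and live_dangerously is off. */
int expand_token(const char *token, enum caller_kind who, char *out, size_t outlen)
{
    size_t n = strlen(token);
    if (n < 4 || strncmp(token, "${", 2) != 0 || token[n - 1] != '}')
        return -1;
    char name[256];
    size_t inner = n - 3;                       /* bytes between "${" and "}" */
    if (inner >= sizeof name)
        return -1;
    memcpy(name, token + 2, inner);
    name[inner] = '\0';

    char *paren = strchr(name, '(');
    if (!paren) {                               /* plain variable */
        const char *v = var_lookup(name);
        if (!v)
            return -1;
        snprintf(out, outlen, "%s", v);
        return 0;
    }
    char *close = strrchr(paren, ')');
    if (!close || close[1] != '\0')
        return -1;
    *close = '\0';
    *paren = '\0';                              /* name = "CUT", args start after '(' */
    const char *args = paren + 1;
    for (size_t i = 0; i < sizeof fn_table / sizeof fn_table[0]; i++) {
        if (strcmp(fn_table[i].name, name) != 0)
            continue;
        if (fn_table[i].dangerous && who != FROM_DIALPLAN && !live_dangerously)
            return -2;                          /* the check the fix adds */
        return fn_table[i].impl(args, out, outlen);
    }
    return -1;
}

/* Helpers for the checks: run one expansion with the knob set to `knob`. */
int expand_code(const char *token, enum caller_kind who, int knob)
{
    char out[256];
    int saved = live_dangerously, rc;
    live_dangerously = knob;
    rc = expand_token(token, who, out, sizeof out);
    live_dangerously = saved;
    return rc;
}

int expands_to(const char *token, enum caller_kind who, const char *expected)
{
    char out[256];
    return expand_token(token, who, out, sizeof out) == 0 && strcmp(out, expected) == 0;
}
```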
Bug#732355: asterisk: Two Asterisk security issues
On Tue, Dec 17, 2013 at 07:33:53AM +0100, Moritz Muehlenhoff wrote:
Package: asterisk
Severity: grave
Tags: security

Hi, please see http://downloads.asterisk.org/pub/security/AST-2013-006.html and http://downloads.asterisk.org/pub/security/AST-2013-007.html

Looking at them. At first glance: both of them also affect 1.6.2 from old-stable. AST-2013-007 introduces a new configuration item and we have to see what the sane default for it should be.

-- Tzafrir Cohen icq#16849755 jabber:tzafrir.co...@xorcom.com +972-50-7952406 mailto:tzafrir.co...@xorcom.com http://www.xorcom.com
Bug#721220: asterisk: CVE-2013-5641 CVE-2013-5642
On Thu, Aug 29, 2013 at 07:30:06PM +0300, Tzafrir Cohen wrote:
On Thu, Aug 29, 2013 at 10:20:53AM +0200, Moritz Muehlenhoff wrote:
Package: asterisk
Severity: grave
Tags: security
Justification: user security hole

Please see http://downloads.asterisk.org/pub/security/AST-2013-004.html and http://downloads.asterisk.org/pub/security/AST-2013-005.html

These affect oldstable and stable. Can you please prepare updates for stable-security?

I've uploaded the fixes to the new git repo, branches wheezy and squeeze. See http://anonscm.debian.org/gitweb/?p=pkg-voip/asterisk.git which right now gives me 503 - The load average on the server is too high.

Uploaded to Wheezy. Still waiting a bit with the Squeeze upload in hope for the promised feedback. Will upload if there is none.

I prepared an upload to Unstable, but it is currently uninstallable due to the dependency on libsnmp30 (depends on libperl5.14, but libperl5.18 is in the system). I didn't see any open bug about this, but I guess this is part of the perl transition.

-- Tzafrir Cohen icq#16849755 jabber:tzafrir.co...@xorcom.com +972-50-7952406 mailto:tzafrir.co...@xorcom.com http://www.xorcom.com
Bug#721220: asterisk: CVE-2013-5641 CVE-2013-5642
On Thu, Aug 29, 2013 at 10:20:53AM +0200, Moritz Muehlenhoff wrote: Package: asterisk Severity: grave Tags: security Justification: user security hole Please see http://downloads.asterisk.org/pub/security/AST-2013-004.html and http://downloads.asterisk.org/pub/security/AST-2013-005.html These affect oldstable and stable. Can you please prepare updates for stable-security? I've uploaded the fixes to the new git repo, branches wheezy and squeeze. See http://anonscm.debian.org/gitweb/?p=pkg-voip/asterisk.git which right now gives me 503 - The load average on the server is too high. Attached debdiffs of both versions. Upload? -- Tzafrir Cohen icq#16849755 jabber:tzafrir.co...@xorcom.com +972-50-7952406 mailto:tzafrir.co...@xorcom.com http://www.xorcom.com diff -Nru asterisk-1.8.13.1~dfsg/debian/changelog asterisk-1.8.13.1~dfsg/debian/changelog --- asterisk-1.8.13.1~dfsg/debian/changelog 2013-04-09 13:23:13.0 +0300 +++ asterisk-1.8.13.1~dfsg/debian/changelog 2013-08-29 18:07:24.0 +0300 @@ -1,3 +1,13 @@ +asterisk (1:1.8.13.1~dfsg-3wheezy1) UNRELEASED; urgency=high + + * Patch AST-2013-004 (CVE-2013-5641): chan_sip: crash in ACK to SDP + * Patch AST-2013-005 (CVE-2013-5642): Fix crash caused by invalid SDP +(Closes: #721220). + * Patch fix_xmpp_19532: fix a crash of the XMPP code (Closes: #545272). + * Update VCS links. + + -- Tzafrir Cohen tzaf...@debian.org Wed, 28 Aug 2013 23:40:03 +0300 + asterisk (1:1.8.13.1~dfsg-3) unstable; urgency=high * Rewrtote sip.conf parts of AST-2012-014: dropped patches diff -Nru asterisk-1.8.13.1~dfsg/debian/control asterisk-1.8.13.1~dfsg/debian/control --- asterisk-1.8.13.1~dfsg/debian/control 2012-03-18 06:00:13.0 +0200 +++ asterisk-1.8.13.1~dfsg/debian/control 2013-08-29 17:49:28.0 +0300 
@@ -50,8 +50,8 @@ zlib1g-dev Standards-Version: 3.9.2.0 Homepage: http://www.asterisk.org/ -Vcs-Svn: svn://svn.debian.org/pkg-voip/asterisk/trunk/ -Vcs-Browser: http://svn.debian.org/wsvn/pkg-voip/asterisk/?op=log +Vcs-Git: git://anonscm.debian.org/pkg-voip/asterisk.git +Vcs-Browser: http://anonscm.debian.org/gitweb/?p=pkg-voip/asterisk.git Package: asterisk Architecture: any diff -Nru asterisk-1.8.13.1~dfsg/debian/patches/AST-2013-004 asterisk-1.8.13.1~dfsg/debian/patches/AST-2013-004 --- asterisk-1.8.13.1~dfsg/debian/patches/AST-2013-004 1970-01-01 02:00:00.0 +0200 +++ asterisk-1.8.13.1~dfsg/debian/patches/AST-2013-004 2013-08-29 17:53:00.0 +0300 
@@ -0,0 +1,39 @@ +From: Matthew Jordan mjor...@digium.com +Date: Tue, 27 Aug 2013 15:49:14 + +Subject: AST-2013-004: Fix crash when handling ACK on dialog that has no channel +Bug: https://issues.asterisk.org/jira/browse/ASTERISK-21064 +CVE: CVE-2013-5641 +Origin: http://svnview.digium.com/svn/asterisk?view=revrev=397710 + +A remote exploitable crash vulnerability exists in the SIP channel driver if an +ACK with SDP is received after the channel has been terminated. The handling +code incorrectly assumed that the channel would always be present. + +This patch adds a check such that the SDP will only be parsed and applied if +Asterisk has a channel present that is associated with the dialog. + +Note that the patch being applied was modified only slightly from the patch +provided by Walter Doekes of OSSO B.V. + +Reported by: Colin Cuthbertson +Tested by: wdoekes, Colin Cutherbertson +patches: + issueA21064_fix.patch uploaded by wdoekes (License 5674) + +Backported to 1.8.13.1 + +--- + channels/chan_sip.c |2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/channels/chan_sip.c b/channels/chan_sip.c +@@ -25292,7 +25292,7 @@ static int handle_incoming(struct sip_pv + p-invitestate = INV_TERMINATED; + p-pendinginvite = 0; + acked = __sip_ack(p, seqno, 1 /* response */, 0); +- if (find_sdp(req)) { ++ if (p-owner find_sdp(req)) { + if (process_sdp(p, req, SDP_T38_NONE)) + return -1; + } diff -Nru asterisk-1.8.13.1~dfsg/debian/patches/AST-2013-005 asterisk-1.8.13.1~dfsg/debian/patches/AST-2013-005 --- asterisk-1.8.13.1~dfsg/debian/patches/AST-2013-005 1970-01-01 02:00:00.0 +0200 +++ asterisk-1.8.13.1~dfsg/debian/patches/AST-2013-005 2013-08-29 17:53:00.0 +0300 
@@ -0,0 +1,66 @@ +From: Matthew Jordan mjor...@digium.com +Date: Tue, 27 Aug 2013 17:55:59 + +Subject: AST-2013-005: Fix crash caused by invalid SDP +Bug: https://issues.asterisk.org/jira/browse/ASTERISK-22007 +CVE: CVE-2013-5642 +Origin: http://svnview.digium.com/svn/asterisk?view=revrev=397756 + +If the SIP channel driver processes an invalid SDP that defines media +descriptions before connection information, it may attempt to reference +the socket address information even though that information has not yet +been set. This will cause a crash. + +This patch adds checks when handling the various media descriptions that +ensures the media descriptions are handled only if we have connection +information suitable
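Review bot: the debian/changelog stanza at the top of the debdiff still names UNRELEASED as its distribution (`asterisk (1:1.8.13.1~dfsg-3wheezy1) UNRELEASED; urgency=high`); a stable security upload needs the real target there (wheezy-security for this one) before the package is built, otherwise the archive rejects the upload. Everything else in the stanza (CVE ids, Closes, the AST advisory names) reads as it should.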
Bug#705425: asterisk: segmentation fault on start after upgrade from 1:1.8.13.1~dfsg-1 to 1:1.8.13.1~dfsg-3 (wheezy amd64)
On Thu, Apr 18, 2013 at 07:19:48PM +0200, Christian Lauinger wrote:
Thank you Christian ! I downloaded the with apt-get source asterisk-chan-capi from unstable, patched it with the chan-capi-devstate-cachable.diff and built it like you described it. It also asked for dpkg-source --commit before it was possible to build it. Now my box is up and running with 1:1.8.13.1~dfsg-3 and asterisk-chan-capi.

One test if you don't mind: merely rebuilding it vs. Asterisk -3 does not fix the issue, right?

-- Tzafrir Cohen icq#16849755 jabber:tzafrir.co...@xorcom.com +972-50-7952406 mailto:tzafrir.co...@xorcom.com http://www.xorcom.com iax:gu...@local.xorcom.com/tzafrir
Bug#705371: reviewboard-tools and python-rbtools: error when trying to install together
On Sat, Apr 13, 2013 at 10:57:34PM +0200, Jakub Wilk wrote:
Package: reviewboard-tools,python-rbtools
Severity: serious
Tags: sid

These two packages cannot be installed together due to file conflicts:

Selecting previously unselected package python-rbtools.
Unpacking python-rbtools (from .../python-rbtools_0.3.4-1_all.deb) ...
Selecting previously unselected package reviewboard-tools.
Unpacking reviewboard-tools (from .../reviewboard-tools_0.4.3-1_all.deb) ...
dpkg: error processing /var/cache/apt/archives/reviewboard-tools_0.4.3-1_all.deb (--unpack):
 trying to overwrite '/usr/share/pyshared/rbtools/__init__.py', which is also in package python-rbtools 0.3.4-1
Errors were encountered while processing:
 /var/cache/apt/archives/reviewboard-tools_0.4.3-1_all.deb
E: Sub-process /usr/bin/dpkg returned an error code (1)

Regardless of the source package, rbtools is the client-side component whereas reviewboard-tools is the server-side component. Thus they belong in separate binary packages.

Does the code of reviewboard-tools rely on the code of rbtools?

-- Tzafrir Cohen | tzaf...@jabber.org | VIM is http://tzafrir.org.il || a Mutt's tzaf...@cohens.org.il || best tzaf...@debian.org|| friend
Bug#704114: asterisk: asterisk security advisories: AST-2013-001 / AST-2013-002 / AST-2013-003
On Fri, Apr 05, 2013 at 03:24:29PM +0200, Salvatore Bonaccorso wrote:
Hi Tzafrir

On Fri, Mar 29, 2013 at 06:53:31AM +0100, Salvatore Bonaccorso wrote:
Hi Tzafrir

On Thu, Mar 28, 2013 at 09:37:30AM +0200, Tzafrir Cohen wrote:
On Thu, Mar 28, 2013 at 06:23:32AM +0100, Salvatore Bonaccorso wrote:
Package: asterisk
Severity: grave
Tags: security patch upstream

Hi, the following vulnerabilities were published for asterisk.

CVE-2013-2685[0]: Buffer Overflow Exploit Through SIP SDP Header
CVE-2013-2686[1]: Denial of Service in HTTP server
CVE-2013-2264[2]: Username disclosure in SIP channel driver

For CVE-2013-2685 the tracker[3] mentions only 1.11.x. Could you double-check that squeeze, testing and wheezy are not affected?

According to the Upstream advisories, both are in effect for 1.8 . Didn't yet check backporting it (to our 1.8 in Testing/Unstable) and to 1.6.2 in Stable.

Thank you for confirming! (note my above comment was related only to one of the issues, CVE-2013-2685). Could you prepare updates to be included via unstable in wheezy?

Ping? Did you have a chance to look at it already?

Update:

AST-2013-001 (CVE-2013-2685): Not applicable to either Stable or Testing/Unstable: new code not included yet even in 1.8.

AST-2013-002 (CVE-2013-2686): Applies to Testing/Unstable but not to Stable:
Testing/Unstable: see patch from Upstream.
Stable: httpd code does not read HTTP POST variables.

AST-2013-003 (CVE-2013-2264): Applies to both Testing and Unstable.
Testing/Unstable: see patch from Upstream.
Stable: Patch backported.

For Unstable/Testing I include two other simple bug fixes. Both trivial backports from later 1.8.x revisions.

-- Tzafrir Cohen icq#16849755 jabber:tzafrir.co...@xorcom.com +972-50-7952406 mailto:tzafrir.co...@xorcom.com http://www.xorcom.com iax:gu...@local.xorcom.com/tzafrir
Bug#704546: Segfault when starting asterisk 1:1.6.2.9-2+squeeze10
On Tue, Apr 02, 2013 at 08:53:19PM +0200, Michael Abmayer wrote:
Package: asterisk
Version: 1:1.6.2.9-2+squeeze10
Severity: Grave

Hi, a few seconds after starting asterisk it crashes with a segfault - in a similar manner like with the squeeze9-packages. squeeze8 works well without any problems. What info do you need else for fixing, how can I help?

Sincerely, Michael

uname -a
Linux logorrhoe 2.6.32-5-amd64 #1 SMP Mon Feb 25 00:26:11 UTC 2013 x86_64 GNU/Linux
cat /etc/debian_version
6.0.7

core follows:
Core was generated by `asterisk -U asterisk -g -c'.
Program terminated with signal 11, Segmentation fault.
#0 0x7fafcddebf2a in strchrnul () from /lib/libc.so.6
(gdb) bt
#0 0x7fafcddebf2a in strchrnul () from /lib/libc.so.6
#1 0x7fafcddacd2f in vfprintf () from /lib/libc.so.6
#2 0x7fafcddd2732 in vsnprintf () from /lib/libc.so.6
#3 0x00461ec8 in ast_devstate_changed (state=AST_DEVICE_UNKNOWN, cachable=3250240028, fmt=0x7fff5199f990 "\030") at devicestate.c:524
#4 0x7fafc1b92166 in pbx_capi_register_device_state_providers () at chan_capi_devstate.c:62
#5 0x7fafc1b7f545 in load_module () at chan_capi.c:8897
#6 0x0048afd7 in start_resource (mod=0x7fafc403c350) at loader.c:747
#7 0x0048b58f in load_resource_list (load_order=<value optimized out>, global_symbols=0, mod_count=<value optimized out>) at loader.c:925
#8 0x0048b909 in load_modules (preload_only=0) at loader.c:1072
#9 0x004341e4 in main (argc=<value optimized out>, argv=<value optimized out>) at asterisk.c:3694
(gdb) bt full
#0 0x7fafcddebf2a in strchrnul () from /lib/libc.so.6
No symbol table info available.
#1 0x7fafcddacd2f in vfprintf () from /lib/libc.so.6
No symbol table info available.
#2 0x7fafcddd2732 in vsnprintf () from /lib/libc.so.6
No symbol table info available.
#3 0x00461ec8 in ast_devstate_changed (state=AST_DEVICE_UNKNOWN, cachable=3250240028, fmt=0x7fff5199f990 "\030") at devicestate.c:524
        buf = '\000' <repeats 40 times>, "@\000\000\000\000\000\000\000\230\216\f?\177\000\000\250\216\f?\177\000\000\000\000\000\000\000\000\000\000@\000\000\000\000\000\000"
        ap = {{gp_offset = 24, fp_offset = 48, overflow_arg_area = 0x7fff5199fa80, reg_save_area = 0x7fff5199f9b0}}
#4 0x7fafc1b92166 in pbx_capi_register_device_state_providers () at chan_capi_devstate.c:62
        capiController = 0x7fff5199f9b0
        i = 1
        capi_num_controllers = <value optimized out>
#5 0x7fafc1b7f545 in load_module () at chan_capi.c:8897

The segfault is at loading chan_capi.so . Can you please try disabling its load and see if Asterisk then loads successfully? To disable it, add the line 'noload = chan_capi.so' to the section '[modules]' in /etc/asterisk/modules.conf .

        cfg = 0x7fafc1db4b70
        res = 0
        __PRETTY_FUNCTION__ = "load_module"
        __FUNCTION__ = "load_module"

-- Tzafrir Cohen icq#16849755 jabber:tzafrir.co...@xorcom.com +972-50-7952406 mailto:tzafrir.co...@xorcom.com http://www.xorcom.com iax:gu...@local.xorcom.com/tzafrir
Bug#704114: asterisk: asterisk security advisories: AST-2013-001 / AST-2013-002 / AST-2013-003
On Thu, Mar 28, 2013 at 06:23:32AM +0100, Salvatore Bonaccorso wrote:
Package: asterisk
Severity: grave
Tags: security patch upstream

Hi, the following vulnerabilities were published for asterisk.

CVE-2013-2685[0]: Buffer Overflow Exploit Through SIP SDP Header
CVE-2013-2686[1]: Denial of Service in HTTP server
CVE-2013-2264[2]: Username disclosure in SIP channel driver

For CVE-2013-2685 the tracker[3] mentions only 1.11.x. Could you double-check that squeeze, testing and wheezy are not affected?

According to the Upstream advisories, both are in effect for 1.8 . Didn't yet check backporting it (to our 1.8 in Testing/Unstable) and to 1.6.2 in Stable.

If you fix the vulnerabilities please also make sure to include the CVE (Common Vulnerabilities Exposures) ids in your changelog entry.

For further information see:
[0] http://security-tracker.debian.org/tracker/CVE-2013-2685
    http://downloads.asterisk.org/pub/security/AST-2013-001.html
[1] http://security-tracker.debian.org/tracker/CVE-2013-2686
    http://downloads.asterisk.org/pub/security/AST-2013-002.html
[2] http://security-tracker.debian.org/tracker/CVE-2013-2264
    http://downloads.asterisk.org/pub/security/AST-2013-003.html
[3] https://issues.asterisk.org/jira/browse/ASTERISK-20901

Please adjust the affected versions in the BTS as needed.

-- Tzafrir Cohen icq#16849755 jabber:tzafrir.co...@xorcom.com +972-50-7952406 mailto:tzafrir.co...@xorcom.com http://www.xorcom.com iax:gu...@local.xorcom.com/tzafrir
Bug#693666: NMU diff for dahdi-linux/1:2.6.1+dfsg2-0.1
On Mon, Jan 28, 2013 at 04:44:07PM +0200, Tzafrir Cohen wrote:
On Sun, Jan 27, 2013 at 04:23:05PM +, Ben Hutchings wrote:
I've uploaded the attached changes to DELAYED/5, and will follow this with an upload of dahdi-firmware.

Thanks for your fixes. Applied them in SVN. I don't have the hardware and thus I'll try to get someone to test the patch.

Sadly I could not find anyone with the hardware. I'll upload new packages shortly.

-- Tzafrir Cohen icq#16849755 jabber:tzafrir.co...@xorcom.com +972-50-7952406 mailto:tzafrir.co...@xorcom.com http://www.xorcom.com iax:gu...@local.xorcom.com/tzafrir
Bug#693666: NMU diff for dahdi-linux/1:2.6.1+dfsg2-0.1
On Sun, Jan 27, 2013 at 04:23:05PM +, Ben Hutchings wrote:
I've uploaded the attached changes to DELAYED/5, and will follow this with an upload of dahdi-firmware.

Thanks for your fixes. Applied them in SVN. I don't have the hardware and thus I'll try to get someone to test the patch.

-- Tzafrir Cohen icq#16849755 jabber:tzafrir.co...@xorcom.com +972-50-7952406 mailto:tzafrir.co...@xorcom.com http://www.xorcom.com iax:gu...@local.xorcom.com/tzafrir
Bug#698112: asterisk: Segfault when making a call after update to 1.6.2.9-2+squeeze9
On Mon, Jan 14, 2013 at 08:38:35AM +0100, Dennis Rech wrote:
Package: asterisk
Version: 1:1.6.2.9-2+squeeze8
Severity: grave
Justification: renders package unusable

asterisk crashes when placing a call after an update to recent versions with apt-get

Upgrade: asterisk:i386 (1.6.2.9-2+squeeze8, 1.6.2.9-2+squeeze9), asterisk-sounds-main:i386 (1.6.2.9-2+squeeze8, 1.6.2.9-2+squeeze9), asterisk-config:i386 (1.6.2.9-2+squeeze8, 1.6.2.9-2+squeeze9)

Error:
[9058168.846934] asterisk[2585]: segfault at 1 ip b7493b77 sp b5415684 error 4 in libc-2.11.3.so[b741e000+14]
[9058212.632085] asterisk[2709]: segfault at 1 ip b748db77 sp b540f684 error 4 in libc-2.11.3.so[b7418000+14]

How easy is this issue to reproduce? What type of call? SIP? TCP?

Could you please install asterisk-dbg and gdb, run asterisk as:

cd /var/spool/asterisk
asterisk -U asterisk -g -c

and reproduce the issue. Then run:

gdb -c core /usr/sbin/asterisk

and in the prompt of gdb run:

bt
bt full

and provide the output here.

-- Tzafrir Cohen icq#16849755 jabber:tzafrir.co...@xorcom.com +972-50-7952406 mailto:tzafrir.co...@xorcom.com http://www.xorcom.com iax:gu...@local.xorcom.com/tzafrir
Bug#698112: asterisk: Segfault when making a call after update to 1.6.2.9-2+squeeze9
tag 698112 pending
thanks

On Mon, Jan 14, 2013 at 10:03:55AM +0100, Dennis Rech wrote:
I've tried it on another system. Here's the output:

Thanks. Issue traced to a typo (on my part) in one of the two patches: http://anonscm.debian.org/viewvc/pkg-voip?view=revision&revision=10073

I uploaded test packages to http://people.debian.org/~tzafrir/ast_squeeze10/

-- Tzafrir Cohen icq#16849755 jabber:tzafrir.co...@xorcom.com +972-50-7952406 mailto:tzafrir.co...@xorcom.com http://www.xorcom.com iax:gu...@local.xorcom.com/tzafrir
Bug#697230: asterisk: Two security issues: AST-2012-014 / AST-2012-015
On Fri, Jan 11, 2013 at 11:00:30PM +, Tzafrir Cohen wrote:
On Tue, Jan 08, 2013 at 06:49:56PM +0100, Moritz Mühlenhoff wrote:
On Tue, Jan 08, 2013 at 02:45:59AM +0200, Tzafrir Cohen wrote:
Hi,

On Wed, Jan 02, 2013 at 10:56:43PM +0100, Salvatore Bonaccorso wrote:
Package: asterisk
Severity: grave
Tags: security
Justification: user security hole

Hi, the following vulnerabilities were published for asterisk.

CVE-2012-5976[0]: Crashes due to large stack allocations when using TCP
CVE-2012-5977[1]: Denial of Service Through Exploitation of Device State Caching

If you fix the vulnerabilities please also make sure to include the CVE (Common Vulnerabilities Exposures) ids in your changelog entry.

For further information see:
[0] http://security-tracker.debian.org/tracker/CVE-2012-5976
[1] http://security-tracker.debian.org/tracker/CVE-2012-5977

Please adjust the affected versions in the BTS as needed.

According to the advisories all 1.8.x versions seem affected. Likewise is version 1.6.2 from Stable. I have fixes ready.

Ok, please upload to security-master once tests are sufficient.

Uploaded.

It seems that there has been a bug with the patch for Stable (#698112, #698118): http://anonscm.debian.org/viewvc/pkg-voip?view=revision&revision=10073

I have prepared a fix for this (1:1.6.2.9-2+squeeze10).

-- Tzafrir Cohen icq#16849755 jabber:tzafrir.co...@xorcom.com +972-50-7952406 mailto:tzafrir.co...@xorcom.com http://www.xorcom.com iax:gu...@local.xorcom.com/tzafrir
Bug#697230: asterisk: Two security issues: AST-2012-014 / AST-2012-015
On Mon, Jan 14, 2013 at 04:02:22PM +0100, Javier Serrano Polo wrote:
> AST-2012-014:
>
> b/channels/chan_sip.c @@ -3078,7 +3079,7 @@ static void *_sip_tcp_helper_thread(stru req.socket.fd = tcptls_session-fd; /* Read in headers one line at a time */ - while (req.len 4 || strncmp(REQ_OFFSET_TO_STR(req, len - 4), \r\n\r\n, 4)) { + while ((req.len = SIP_MAX_PACKET_SIZE) || (req.len 4 || strncmp(REQ_OFFSET_TO_STR(req, len - 4), \r\n\r\n, 4))) { if (!tcptls_session-client !authenticated ) { if ((timeout = sip_check_authtimeout(start)) 0) { goto cleanup;
>
> Are you sure? That size hint condition should be ANDed.

You're right.

--
Tzafrir Cohen
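Review bot: the size check added to the `while` condition in the `+` line is joined to the existing header-terminator test (`req.len 4 || strncmp(...)`) with `||`, so a request that reaches SIP_MAX_PACKET_SIZE does not stop the header read loop; the limit has to be a conjunct (ANDed with the terminator test) so the loop exits as soon as the limit is reached, which is the point the reply raises. The comparison operators in `req.len 4` and `req.len = SIP_MAX_PACKET_SIZE` are missing from this copy of the hunk, so the direction of both comparisons should be verified against the original patch before it is applied.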
Bug#697230: asterisk: Two security issues: AST-2012-014 / AST-2012-015
On Tue, Jan 08, 2013 at 06:49:56PM +0100, Moritz Mühlenhoff wrote:
> On Tue, Jan 08, 2013 at 02:45:59AM +0200, Tzafrir Cohen wrote:
> > Hi,
> >
> > On Wed, Jan 02, 2013 at 10:56:43PM +0100, Salvatore Bonaccorso wrote:
> > > Package: asterisk
> > > Severity: grave
> > > Tags: security
> > > Justification: user security hole
> > >
> > > -----BEGIN PGP SIGNED MESSAGE-----
> > > Hash: SHA512
> > >
> > > Hi,
> > >
> > > the following vulnerabilities were published for asterisk.
> > >
> > > CVE-2012-5976[0]: Crashes due to large stack allocations when using TCP
> > > CVE-2012-5977[1]: Denial of Service Through Exploitation of Device State Caching
> > >
> > > If you fix the vulnerabilities please also make sure to include the
> > > CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
> > >
> > > For further information see:
> > >
> > > [0] http://security-tracker.debian.org/tracker/CVE-2012-5976
> > > [1] http://security-tracker.debian.org/tracker/CVE-2012-5977
> > >
> > > Please adjust the affected versions in the BTS as needed.
> >
> > According to the advisories all 1.8.x versions seem affected. Likewise
> > is version 1.6.2 from Stable.
> >
> > I have fixes ready.
>
> Ok, please upload to security-master once tests are sufficient.

Uploaded.

> > On a side note, I'm not sure why
> > https://security-tracker.debian.org/tracker/CVE-2011-2666 is listed as
> > open. The respective bug has been closed: As I mentioned before, I can
> > change the default for alwaysauthreject, I'm just not sure this should
> > be done on a Stable package.
>
> It's marked as
> [squeeze] - asterisk <no-dsa> (minor issue; can be addressed through configuration)
>
> The tracker is correct in so far, that this isn't fixed in squeeze
> through a code fix. If you provide a short text what people need to
> modify in their config we can add it to the DSA text and use this as
> the fix for stable.

Here goes:

CVE-2011-2666 (AST-2011-011) is an advisory that contained two parts:

It is generally useful security-wise to provide the same answer upon authentication whether or not the authentication failed due to a missing or bad username or a bad password (to prevent enumerating existing users).

Asterisk has a setting called 'alwaysauthreject' in sip.conf to do that, but up until 1.8 its value has defaulted to "no" (different answer).

The patch of CVE-2011-2666 fixed a case that even with this set to "yes", the response is different. This was fixed in 1.6.2.9-2+squeeze3 . However, in order to avoid breaking backward compatibility the default has remained the same.

Upstream developers strongly recommend that users set 'alwaysauthreject=yes' in the section '[general]' of sip.conf.

--
Tzafrir Cohen         | tzaf...@jabber.org | VIM is
http://tzafrir.org.il |                    |  a Mutt's
tzaf...@cohens.org.il |                    |  best
tzaf...@debian.org    |                    | friend
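As an added illustration of the "different answer" versus "same answer" behaviour described in the message above (example code written for this page, not code from Asterisk's chan_sip), the C model below shows how an authentication failure reply can reveal whether an account exists, and the check a defender can run to confirm the same-answer policy closes that leak. The peer table, secrets and the 404/401 status strings are constructed stand-ins for the alwaysauthreject=no and alwaysauthreject=yes behaviour, not Asterisk's actual code paths.

```c
/* Added example: a model of the 'alwaysauthreject' behaviour described
 * above, not code from Asterisk's chan_sip. Peer names, secrets and the
 * exact status strings are constructed for illustration. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

struct peer {
    const char *name;
    const char *secret;
};

/* Constructed sample peer table (stands in for sip.conf peer sections). */
static const struct peer peers[] = {
    { "alice", "correct-horse" },
    { "bob",   "battery-staple" },
};

static const struct peer *find_peer(const char *name)
{
    for (size_t i = 0; i < sizeof peers / sizeof peers[0]; i++) {
        if (strcmp(peers[i].name, name) == 0)
            return &peers[i];
    }
    return NULL;
}

/* Status line returned for an authentication attempt.
 * always_reject == false models alwaysauthreject=no (the default the
 * message describes): an unknown user gets a different answer than a
 * known user with a bad secret, so the reply itself tells an observer
 * whether the account exists.
 * always_reject == true models alwaysauthreject=yes: every failure is
 * answered with the same 401 challenge, so the two cases cannot be told
 * apart from the response. */
const char *auth_response(const char *user, const char *secret, bool always_reject)
{
    const struct peer *p = find_peer(user);

    if (p != NULL && strcmp(p->secret, secret) == 0)
        return "200 OK";
    if (p == NULL && !always_reject)
        return "404 Not Found";   /* distinguishes "no such user" from "bad secret" */
    return "401 Unauthorized";    /* same answer for unknown user and wrong secret */
}

/* Defender's check: compare the failure answers for an existing account
 * and for an account that does not exist. Returns true when they differ,
 * i.e. when the policy still leaks whether a user exists. */
bool leaks_user_existence(bool always_reject)
{
    const char *known   = auth_response("alice",   "wrong-secret", always_reject);
    const char *unknown = auth_response("mallory", "wrong-secret", always_reject);
    return strcmp(known, unknown) != 0;
}

int main(void)
{
    printf("alwaysauthreject=no  leaks user existence: %s\n",
           leaks_user_existence(false) ? "yes" : "no");
    printf("alwaysauthreject=yes leaks user existence: %s\n",
           leaks_user_existence(true) ? "yes" : "no");
    return 0;
}
```

The status strings only model the distinguishing versus uniform reply; in a real deployment the response timing and any challenge parameters have to be uniform as well for the setting to achieve its goal.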
Bug#697230: asterisk: Two security issues: AST-2012-014 / AST-2012-015
On Wed, Jan 02, 2013 at 10:56:43PM +0100, Salvatore Bonaccorso wrote:
> Package: asterisk
> Severity: grave
> Tags: security
> Justification: user security hole
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> Hi,
>
> the following vulnerabilities were published for asterisk.
>
> CVE-2012-5976[0]: Crashes due to large stack allocations when using TCP
> CVE-2012-5977[1]: Denial of Service Through Exploitation of Device State Caching

Both apply to the stable version as well. I committed fixes to the SVN. Working on building them.

--
Tzafrir Cohen
Bug#697230: asterisk: Two security issues: AST-2012-014 / AST-2012-015
Hi,

On Wed, Jan 02, 2013 at 10:56:43PM +0100, Salvatore Bonaccorso wrote:
> Package: asterisk
> Severity: grave
> Tags: security
> Justification: user security hole
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> Hi,
>
> the following vulnerabilities were published for asterisk.
>
> CVE-2012-5976[0]: Crashes due to large stack allocations when using TCP
> CVE-2012-5977[1]: Denial of Service Through Exploitation of Device State Caching
>
> If you fix the vulnerabilities please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
>
> For further information see:
>
> [0] http://security-tracker.debian.org/tracker/CVE-2012-5976
> [1] http://security-tracker.debian.org/tracker/CVE-2012-5977
>
> Please adjust the affected versions in the BTS as needed.

According to the advisories all 1.8.x versions seem affected. Likewise is version 1.6.2 from Stable.

I have fixes ready.

On a side note, I'm not sure why https://security-tracker.debian.org/tracker/CVE-2011-2666 is listed as open. The respective bug has been closed: As I mentioned before, I can change the default for alwaysauthreject, I'm just not sure this should be done on a Stable package.

--
Tzafrir Cohen
Bug#693666: Contains non-free FPGA bitfiles
On Mon, Nov 19, 2012 at 05:05:30AM +, Ben Hutchings wrote:
> Package: dahdi-linux
> Version: 1:2.6.1+dfsg-1
> Severity: serious
> Tags: upstream
>
> drivers/dahdi/pciradio.rbt and drivers/dahdi/tormenta2.rbt appear to be
> FPGA bitfiles or other firmware images. Their headers refer to some
> source files, but even if these were included they would presumably
> need non-free tools for conversion.

Those files are from the original Zapata Telephony project:
http://www.zapatatelephony.org/

> I'm afraid these will have to be moved to a separate package in the
> non-free section. I'd be happy to add them to firmware-nonfree, but
> you'll need to change the related drivers to use request_firmware().

They could be added to dahdi-firmware-nonfree once this is done. I'll try to look into that.

Thanks for the note.

--
Tzafrir Cohen
Bug#685540: asterisk-flite, asterisk-espeak: binnmu required
Indeed this is fixable through a binNMU. Sorry for missing this earlier, Jonas.

Original ones were built against versions 1.8.

Sanity check: after the module is built, install it and asterisk on a system (or copy /usr/lib/asterisk/modules/app_flite.so to the test system), and run:

  asterisk -rx 'module load app_flite.so'
  # Should give no error, except one about missing config file
  asterisk -rnx 'core show application Flite'
  # Should give a help text and not an error

For eSpeak:

  asterisk -rx 'module load app_espeak.so'
  # Should give no error, except one about missing config file
  asterisk -rnx 'core show application eSpeak'
  # Should give a help text and not an error

--
Tzafrir Cohen
Bug#685540: getting the asterisk module loadable
On Sun, Oct 14, 2012 at 12:54:42PM +0200, Geert Stappers wrote:
> On Sat, Oct 13, 2012 at 09:02:56PM +0200, Jonas Smedegaard wrote:
> > The underlying issue is that asterisk fails to provide proper shlibs
> > hinting, so that packages building against asterisk do not get versioned
> > binary dependencies that can reveal leed for binNMU later on.
>
> That ?
>
>   binary dependencies that can reveal need for binNMU later on.
>
> > That underlying issue needs to be reported against asterisk and fixed there.
>
> The Debian maintainers of asterisk are in the Cc.

The library in question is /usr/sbin/asterisk . However:

  $ dpkg-gensymbols -O -pasterisk -e/usr/sbin/asterisk -d
  Scanning /usr/sbin/asterisk for symbol information
  File /usr/sbin/asterisk doesn't have a soname. Ignoring.

Is there any way to force an SONAME (the major version number of Asterisk)?

Also note that the res_* modules of asterisk may have exported modules (some other modules also have public symbols as well, but this shouldn't have happened).

--
Tzafrir Cohen
Bug#688639: [SECURITY] [DSA 2550-1] asterisk security update
On Wed, Sep 26, 2012 at 01:20:33PM +0200, Daniel Reichelt wrote:
> Hi Moritz
>
> > Please test/report, whether the packages located at
> > http://people.debian.org/~jmm/ fix the problem for you.
>
> Could you please publish the source package as well?

Note that it was built from the squeeze branch of the Subversion repository listed in the package:
http://anonscm.debian.org/viewvc/pkg-voip/asterisk/branches/squeeze/

--
Tzafrir Cohen
Bug#688765: libpri and hardening flags [was: Re: Bug#688765: FTBFS if built twice in a row]
Dear Release Team,

On Wed, Sep 26, 2012 at 01:43:32AM +0200, Tzafrir Cohen wrote:
> On Tue, Sep 25, 2012 at 03:36:47PM +0200, Helmut Grohne wrote:
> > Source: libpri
> > Version: 1.4.12-2
> > Severity: serious
> > Justification: fails to build from source
> >
> > The upstream Makefile creates a version.c which is not removed during
> > (make) clean. Thus the second attempt to build the package fails with a
> > message from dpkg-source saying that local changes (to version.c) were
> > detected and the build is aborted. Since the package uses dh, the fix is
> > as simple as:
> >
> >   echo version.c > debian/clean
>
> Applied, thanks for the report.

While rebuilding to fix this, I noticed the lintian notice regarding hardening flags. The package uses a custom Makefile, which was easy enough to fix. It is a library that is used in a PSTN module of the Asterisk telephony server and thus is network facing for a liberal definition of network (the N in PSTN[1]).

Note that libss7 is likely to be similar: both a similar build system and a similar relation to the network.

So, should I go ahead and include this fix as well?

[1] http://en.wikipedia.org/wiki/PSTN

--
Tzafrir Cohen
Bug#688053: Package version
On Tue, Sep 25, 2012 at 02:11:39PM +0100, Phillip Baker wrote:
> Tzafrir,
>
> Thanks for your efforts on this and in maintaining the packages in general.
>
> Am I to understand from the bug report log (No longer found in squeeze7)
> that a new version of the package was uploaded with the same version
> number as the broken one (can't see a squeeze8 in the repo)?

The fix I uploaded (and which is now up for testing) is squeeze8.

--
Tzafrir Cohen
Bug#688765: FTBFS if built twice in a row
On Tue, Sep 25, 2012 at 03:36:47PM +0200, Helmut Grohne wrote:
> Source: libpri
> Version: 1.4.12-2
> Severity: serious
> Justification: fails to build from source
>
> The upstream Makefile creates a version.c which is not removed during
> (make) clean. Thus the second attempt to build the package fails with a
> message from dpkg-source saying that local changes (to version.c) were
> detected and the build is aborted. Since the package uses dh, the fix is
> as simple as:
>
>   echo version.c > debian/clean

Applied, thanks for the report.

--
Tzafrir Cohen
Bug#688053: Status update on this issue?
On Sun, Sep 23, 2012 at 12:00:19PM -0400, gnu dna wrote:
> Hi just wondering if there is a status update on this issue as to when
> the new package will be released that fixes the cannot load sip module.
> I have reverted back to asterisk-1.6.2.9-2+squeeze6 and
> asterisk-config-1.6.2.9-2+squeeze6 which for some reason have made their
> way in to the proposed updates repo. btw thanks to the reference on how
> to rollback much appreciated.

I fixed the respective patch and uploaded a fixed package.

--
Tzafrir Cohen
Bug#688053: Troubles after upgrade to 1.6.2.9-2+squeeze7
On Wed, Sep 19, 2012 at 10:53:29AM +0200, Victor Seva wrote:
> The AST-2012-010 patch is using the non defined function
> sip_pvt_lock_full on 1.6.2.9
>
> Working on fixing the patch.

Thanks. I hopefully have it properly backported now.

--
Tzafrir Cohen
Bug#680470: Two security issues: AST-2012-010 / AST-2012-011
On Fri, Aug 31, 2012 at 12:14:05PM +0200, Moritz Muehlenhoff wrote:
> On Thu, Aug 30, 2012 at 07:43:21PM +0300, Tzafrir Cohen wrote:
> > On Thu, Aug 30, 2012 at 05:51:46PM +0200, Moritz Muehlenhoff wrote:
> > > On Fri, Jul 06, 2012 at 08:06:56AM +0200, Moritz Muehlenhoff wrote:
> > > > Package: asterisk
> > > > Severity: grave
> > > > Tags: security
> > > >
> > > > http://downloads.asterisk.org/pub/security/AST-2012-010.html (no CVE yet)
> > > > http://downloads.asterisk.org/pub/security/AST-2012-011.html (CVE-2012-3812)

Regarding AST-2011-011 and Squeeze: It appears to be the result of wrong fixes for a memory leak (see commit message below). I have not tried to apply the original memory leak fix (r354889 is the one on branch 1.8) or a proper version of it on the version in Squeeze. Note that memory leak fixes normally don't get an advisory and there are quite a few of them in the 1.8 branch so I'm not sure I would bother just for this one.

Short version: technically does not apply.

> > > > 1.6 is not mentioned in the Affected versions, but I haven't validated
> > > > whether because it's no longer supported/tracked upstream or because
> > > > the issues are not present. Can you double-check?
> > > >
> > > > For sid/wheezy, please remember that we're in freeze and only isolated
> > > > fixes are to be made instead of updating to a new full upstream
> > > > release. Once you've uploaded, please send an unblock request by
> > > > filing a bug against the release.debian.org pseudo package.
> > >
> > > What's the status? This is marked pending for nearly two months now!
> >
> > For some reason I had the impression we had 1.8.13.1 packaged.
> >
> > I would suggest to upload 1.8.13.1 , which is exactly 1.8.13.0 + the
> > fixes for those two issues:
> > http://svnview.digium.com/svn/asterisk/tags/1.8.13.1/?view=log
> >
> > For the record, they were fixed in the branch in:
> > http://svnview.digium.com/svn/asterisk?view=revision&revision=369652
> > http://svnview.digium.com/svn/asterisk?view=revision&revision=369436
> >
> > Note, however, that today we had the following commits:
> > http://svnview.digium.com/svn/asterisk?view=revision&revision=372015
> > http://svnview.digium.com/svn/asterisk?view=revision&revision=371998
> >
> > So this is just as good a timing as any for a new package.
>
> Two new issues have been announced, we should incorporate these:
>
> CVE-2012-2186: http://downloads.digium.com/pub/security/AST-2012-012.html

Note the wording. Issue is not completely mitigated. There are still methods of sneaking in unwanted functionality (e.g. through setting Asterisk environment variables).

> CVE-2012-4737: http://downloads.digium.com/pub/security/AST-2012-013.html

--
Tzafrir Cohen
Bug#680470: Two security issues: AST-2012-010 / AST-2012-011
On Fri, Aug 31, 2012 at 12:14:05PM +0200, Moritz Muehlenhoff wrote:
> CVE-2012-2186: http://downloads.digium.com/pub/security/AST-2012-012.html

I almost forgot: While patching, I noticed that the squeeze backport for AST-2012-004 was incomplete. The part left out is:
http://anonscm.debian.org/viewvc/pkg-voip/asterisk/branches/squeeze/debian/patches/AST-2012-004-MixMonitor?revision=9938&view=markup

I added it in as well.

I have packages ready for Unstable (1.8.13.1 + patches) and Squeeze (1.6.2.9-2+squeeze7).

--
Tzafrir Cohen
Bug#680470: Two security issues: AST-2012-010 / AST-2012-011
On Thu, Aug 30, 2012 at 05:51:46PM +0200, Moritz Muehlenhoff wrote:
> On Fri, Jul 06, 2012 at 08:06:56AM +0200, Moritz Muehlenhoff wrote:
> > Package: asterisk
> > Severity: grave
> > Tags: security
> >
> > http://downloads.asterisk.org/pub/security/AST-2012-010.html (no CVE yet)
> > http://downloads.asterisk.org/pub/security/AST-2012-011.html (CVE-2012-3812)
> >
> > 1.6 is not mentioned in the Affected versions, but I haven't validated
> > whether because it's no longer supported/tracked upstream or because
> > the issues are not present. Can you double-check?
> >
> > For sid/wheezy, please remember that we're in freeze and only isolated
> > fixes are to be made instead of updating to a new full upstream
> > release. Once you've uploaded, please send an unblock request by
> > filing a bug against the release.debian.org pseudo package.
>
> What's the status? This is marked pending for nearly two months now!

For some reason I had the impression we had 1.8.13.1 packaged.

I would suggest to upload 1.8.13.1 , which is exactly 1.8.13.0 + the fixes for those two issues:
http://svnview.digium.com/svn/asterisk/tags/1.8.13.1/?view=log

For the record, they were fixed in the branch in:
http://svnview.digium.com/svn/asterisk?view=revision&revision=369652
http://svnview.digium.com/svn/asterisk?view=revision&revision=369436

Note, however, that today we had the following commits:
http://svnview.digium.com/svn/asterisk?view=revision&revision=372015
http://svnview.digium.com/svn/asterisk?view=revision&revision=371998

So this is just as good a timing as any for a new package.

--
Tzafrir Cohen
Bug#679856: ser and kamailio: error when trying to install together
On Mon, Jul 02, 2012 at 08:59:54AM +0200, Ralf Treinen wrote:
> Package: kamailio,ser
> Version: kamailio/3.3.0-1
> Version: ser/2.0.0-5
> Severity: serious
> User: trei...@debian.org
> Usertags: edos-file-overwrite
> Date: 2012-07-02
> Architecture: amd64
> Distribution: sid
>
> Hi,
>
> automatic installation tests of packages that share a file and at the
> same time do not conflict by their package dependency relationships has
> detected the following problem:

ser is not in Testing. It's likely to be removed from Unstable RSN (now that Kamailio is finally in).

Thanks for providing us an even better excuse for that :-)

--
Tzafrir Cohen
Bug#679736: spandsp: test suite fails to run when built in parallel (-j)
Source: spandsp
Version: 0.0.6~pre20-1
Severity: serious
Justification: fails to build from source (but built successfully in the past)

The package spandsp has failed to build on some architectures. This is due to the test suite not being intended to build in parallel. As Upstream does not consider this a bug, the simple fix is to disable running the tests in parallel.

A patch is included in SVN.
Bug#679133: asterisk-core-sounds-fr-gsm: all sounds files not retrieve after upgrade (1.4.21-1 - 1.4.22-1)
On Tue, Jun 26, 2012 at 11:15:18AM -0400, mnombre wrote:
> Package: asterisk-core-sounds-fr-gsm
> Version: 1.4.22-1
> Severity: grave
> Tags: patch
> Justification: renders package unusable
>
> old links to sounds directory have been deleted by update.
> re-creating the link make all ok, i.e, for example
>
>   ln -s /usr/share/asterisk/sounds/fr_CA_f_June /usr/share/asterisk/sounds/fr

The symlink is generated in the common package asterisk-core-sounds-fr . The package asterisk-core-sounds-fr-gsm Recommends it (there is a dependency in the opposite direction: the common package depends on at least one of the format packages to be installed).

--
Tzafrir Cohen
Bug#675204: asterisk: AST-2012-007 (CVE-2012-2947): crash on IAX receiving HOLD without MOH class
Package: asterisk
Version: 1:1.8.11.1~dfsg-1
Severity: grave
Tags: upstream patch security
Justification: user security hole

A remotely exploitable crash vulnerability exists in the IAX2 channel driver if an established call is placed on hold without a suggested music class. For this to occur, the following must take place:

1. The setting mohinterpret=passthrough must be set on the end placing the call on hold.
2. A call must be established.
3. The call is placed on hold without a suggested music-on-hold class name.

When these conditions are true, Asterisk will attempt to use an invalid pointer to a music-on-hold class name. Use of the invalid pointer will either cause a crash or the music-on-hold class name will be garbage.

Issue applies to version in Stable (1.6.2.9) as well.

In the default settings used by the Debian package, on-hold music will be defined if available (e.g. if any asterisk-moh-opsound package is installed).

-- System Information:
Debian Release: wheezy/sid
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-2-amd64 (SMP w/2 CPU cores)
Locale: LANG=he_IL.UTF-8, LC_CTYPE=he_IL.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages asterisk depends on:
ii  adduser                                       3.113+nmu2
ii  asterisk-config                               1:1.8.12.0~rc3~dfsg-0.9674
ii  asterisk-core-sounds-en [asterisk-prompt-en]  1.4.21-2
ii  asterisk-modules                              1:1.8.12.0~rc3~dfsg-0.9674
ii  asterisk-sounds-main [asterisk-prompt-en]     1:1.8.3.3-0.8891
ii  libc6                                         2.13-32
ii  libcap2                                       1:2.22-1
ii  libgcc1                                       1:4.7.0-8
ii  libssl1.0.0                                   1.0.1c-1
ii  libstdc++6                                    4.7.0-8
ii  libtinfo5                                     5.9-7
ii  libxml2                                       2.7.8.dfsg-9.1

Versions of packages asterisk recommends:
ii  asterisk-moh-opsound-gsm                         2.03-1
ii  asterisk-voicemail [asterisk-voicemail-storage]  1:1.8.12.0~rc3~dfsg-0.9674
ii  sox                                              14.3.2-3

Versions of packages asterisk suggests:
pn  asterisk-dahdi   1:1.8.12.0~rc3~dfsg-0.9674
pn  asterisk-dev     1:1.8.12.0~rc3~dfsg-0.9674
pn  asterisk-doc     1:1.8.12.0~rc3~dfsg-0.9674
pn  asterisk-ooh323  <none>

-- no debconf information
Bug#675210: asterisk: AST-2012-008 (CVE-2012-2948): remote crash issue in chan_skinny
Package: asterisk
Version: 1:1.8.11.1~dfsg-1
Severity: grave
Tags: upstream patch security
Justification: user security hole

When a skinny session is unregistered, the corresponding device pointer is set to NULL in the channel private data. If the client was not in the on-hook state at the time the connection was closed, the device pointer can later be dereferenced if a message or channel event attempts to use a line's pointer to said device. The patches prevent this from occurring by checking the line's pointer in message handlers and channel callbacks that can fire after an unregistration attempt.

Exploiting this requires an established Skinny session, which implies a configured Skinny (SCCP) device. If you have no idea what this means, you don't have one.

For Wheezy and Sid, 1.8.12.2 is to be used. For Squeeze, Upstream's patch has been adapted and is included in the pkg-voip SVN.

-- System Information:
Debian Release: wheezy/sid
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-2-amd64 (SMP w/2 CPU cores)
Locale: LANG=he_IL.UTF-8, LC_CTYPE=he_IL.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Bug#664606: asterisk has a non-free copy of ilbc
On Mon, Mar 19, 2012 at 12:47:24PM +0100, Simon Josefsson wrote:
> Faidon Liambotis <parav...@debian.org> writes:
>
> > On 03/19/12 13:28, Simon Josefsson wrote:
> > > The iLBC code in RFC 3591 was freed when the company that original
> > > authored it (GIPS) was acquired by Google. See e.g.
> > > https://datatracker.ietf.org/ipr/1649/
> >
> > Hi!
> >
> > That is only the patent license, right? I don't see anything about the
> > copyright and license of the code.
>
> Right.
>
> > I didn't check the one you pointed at, but I'm fairly sure it'll be the
> > exact same code.
>
> No, it uses the code from WebRTC which appears to be different from the
> code in the RFC.

Right. So let's use it in Asterisk:
https://issues.asterisk.org/jira/browse/ASTERISK-19835

Jeroen Dekkers provided some compatibility bits on top of the WebRTC interface in:
https://github.com/dekkers/libilbc . This greatly reduced the required changes in the asterisk code.

--
Tzafrir Cohen
Bug#670180: CVE-2012-2414 CVE-2012-2415 CVE-2012-2416
Hi,

Working on it,

On Mon, Apr 23, 2012 at 08:55:58PM +0200, Moritz Muehlenhoff wrote:
> Package: asterisk
> Severity: grave
> Tags: security

At first glance:

> CVE-2012-2414
> http://downloads.asterisk.org/pub/security/AST-2012-004.html

This is for both Squeeze and Wheezy/Sid. The recommended fix in Wheezy/Sid is to upgrade to 1.8.11.1 .

This complements AST-2011-006 (and, ahem, copies code from it). Scope is the same:

* The attacker needs to already have access to a manager interface account (not implausible, given that in many cases the security hole is actually in a web interface that controls Asterisk through the manager interface).
* This hole only gives extra permissions if the sysadmin did not provide them (and in just about anywhere people just grant all manager interface permissions).

But yeah, this should be fixed for those who properly use the manager interface.

> CVE-2012-2415
> http://downloads.asterisk.org/pub/security/AST-2012-005.html

Skinny is a nickname for SCCP, a proprietary protocol used by some CISCO phones. So most people don't need it. That said, the module is enabled by default and it listens on TCP port 2000 by default. However, exploiting this seems to require a configured Skinny device (in e.g. /etc/asterisk/skinny.conf ), so it probably won't work on most systems (e.g. a random system that has both UDP port 4569 open and TCP port 2000 open).

> CVE-2012-2416
> http://downloads.asterisk.org/pub/security/AST-2012-006.html

This seems to only require the remote attacker to be able to establish a SIP call to Asterisk. Either being authenticated or as a guest if guests are allowed.

Only applies to Wheezy/Sid: the code in Squeeze does not seem to support UPDATE.

--
Tzafrir Cohen
Bug#659818: dahdi-linux 2.5.0.1 won't build against Linux 3.2
On Fri, Apr 06, 2012 at 09:18:05PM +0100, Dmitrijs Ledkovs wrote:
> severity 659818 grave
> tags 659818 patch
> thanks
>
> Now that sid/wheezy have 3.2+ linux kernel, this bug is now grave as
> it's not possible to build dahdi kernel module.
>
> I am planning to upload attached NMU to fix this bug, unless there is a
> good reason not to fix this now for 2.5.0.1.

Upstream has tagged 2.6.1-rc2 (but no tarball released). I was hoping there would be a release by now, but as there's none so far, I'll create one from that tag.

--
Tzafrir Cohen

_______________________________________________
Pkg-voip-maintainers mailing list
pkg-voip-maintain...@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-voip-maintainers
Bug#666944: [Secure-testing-team] Bug#666944: asterisk: Buffer overflow vulnerability
On Mon, Apr 02, 2012 at 10:50:07PM +0100, Jonathan Wiltshire wrote:
> On Mon, Apr 02, 2012 at 01:38:40PM -0500, John Goerzen wrote:
> > Package: asterisk
> > Version: 1:1.6.2.9-2+squeeze4
> > Severity: grave
> > Tags: security squeeze
> > Justification: user security hole
> >
> > Per:
> >
> > http://downloads.asterisk.org/pub/security/AST-2012-002.txt
> >
> > the asterisk in squeeze is vulnerable to a buffer overflow.
>
> Security team: the tracker says not-affected (Vulnerable code not
> present); this seems not to be the case but the default configuration
> protects from this vulnerability. I will take it on as a no-dsa if you
> wish.
>
> John: on that basis, do you agree the severity should be reduced
> (probably to important)?

The default configuration is not too big a consideration with the Asterisk dialplan. That said, the said dialplan application is also not commonly used.

The Squeeze branch in the SVN includes the fix. As well as, ahem, the patch for #651552 which was accidentally left out of the previous upload. No idea how I failed to notice that.
http://anonscm.debian.org/viewvc/pkg-voip/asterisk/branches/squeeze/

> > The package in testing may also be vulnerable to:
> >
> > http://downloads.asterisk.org/pub/security/AST-2012-003.txt
>
> Currently it is. I have suggested to the release team that they age the
> version in sid to get the fix into testing.

Not applicable to Squeeze: the code in question is new to 1.8 (and not backported in any patch we carry).

--
Tzafrir Cohen
Bug#664611: Source package contains non-free IETF RFC/I-D
severity 664611 normal
retitle -1 asterisk: private copy of libilbc
thanks

On Mon, Mar 19, 2012 at 12:09:04PM +0100, Simon Josefsson wrote:

Severity: serious
Package: asterisk
Version: 1:1.8.10.0~dfsg-1
User: debian-rele...@lists.debian.org
Usertags: nonfree-doc rfc

(How do I remove those)?

Hi! This source package contains the following files from the IETF under non-free license terms:

asterisk-1.8.10.0/codecs/ilbc/rfc3951.txt

As mentioned elsewhere, it is now free. In fact, Upstream removed it in previous versions, and re-accepted it in 1.8.10 due to the proper license.

Keeping the bug open as the iLBC code is a private library.

-- 
Tzafrir Cohen icq#16849755 jabber:tzafrir.co...@xorcom.com +972-50-7952406 mailto:tzafrir.co...@xorcom.com http://www.xorcom.com iax:gu...@local.xorcom.com/tzafrir
Bug#664411: #664411: asterisk: not done: ([CVE-2012-1183 - CVE-2012-1184] Asterisk: AST-2012-002 and AST-2012-003 flaws)
reopen 664411
thanks

We can't let such a good bug number get closed so fast, can we?

Anyway, the issue was fixed in 1.8.10.1, not 1.8.10.0 . Note that the first of those issues should also be fixed in the Squeeze package.

Also: sorry for the delay in handling this. Working on it now.

-- 
Tzafrir Cohen icq#16849755 jabber:tzafrir.co...@xorcom.com +972-50-7952406 mailto:tzafrir.co...@xorcom.com http://www.xorcom.com iax:gu...@local.xorcom.com/tzafrir
Bug#656143: 656143: drbd8-utils: creates a static file at postinst
Just a minor correction: the required workaround for installing drbd8-utils in debirf is not exactly installing drbd8-utils. Rather, it's creating /dev/drbd{0..15}

for i in `seq 0 15`; do mknod /dev/drbd$i b 147 $i; done

This needs to be done once per boot.

-- 
Tzafrir Cohen | tzaf...@jabber.org | VIM is http://tzafrir.org.il || a Mutt's tzaf...@cohens.org.il || best tzaf...@debian.org|| friend
Bug#656596: asterisk: SRTP Video Remote Crash Vulnerability
Package: asterisk
Version: 1:1.8.8.0~dfsg-1
Severity: grave
Tags: security patch upstream
Justification: causes non-serious data loss

http://downloads.asterisk.org/pub/security/AST-2012-001.html (No CVE set yet, AFAIK)

An attacker attempting to negotiate a secure video stream can crash Asterisk if video support has not been enabled and the res_srtp Asterisk module is loaded.

I am not aware of any exploits to the issue. It requires the remote user to be permitted to connect to the system but certain systems may also allow guests.

No effect on the version in Squeeze, as Asterisk did not have SRTP support before 1.8 and Squeeze uses 1.6.2 .

-- 
Tzafrir Cohen | tzaf...@jabber.org | VIM is http://tzafrir.org.il || a Mutt's tzaf...@cohens.org.il || best tzaf...@debian.org|| friend
Bug#606959: logrotate script should set correct owner/group
Hi,

So if for some reason the file is missing or has bad permissions asterisk will not (re)start and nothing will fix the permissions. This issue should be fixed before the weekly log rotation.

I would actually be quite surprised to find ownership explicitly set in the log rotation configuration. Asterisk's logrotate configuration already has missingok.

I'd like to close this issue.

-- 
Tzafrir Cohen icq#16849755 jabber:tzafrir.co...@xorcom.com +972-50-7952406 mailto:tzafrir.co...@xorcom.com http://www.xorcom.com iax:gu...@local.xorcom.com/tzafrir
Bug#656143: drbd8-utils: creates a static file at postinst
Package: drbd8-utils
Version: 2:8.3.9-1
Severity: serious
Justification: Policy 10.6

Dear Maintainer,

Policy 10.6 states: If a package needs any special device files that are not included in the base system, it must call MAKEDEV in the postinst script, after notifying the user.

This package generates /dev/drbd{0-15} with a direct mknod. There's remmed-out code to use MAKEDEV for /dev/nb{0-7}.

As an aside, I suppose that this postinst script is not needed for any system that uses udev, as the device files should be recreated. It is anyway only meaningful if /dev is not on a ramdisk.

It also gets in the way of building a debirf(1) system with the drbd8-utils package included. To reproduce, try:

fakechroot fakeroot /usr/sbin/debootstrap --variant=fakechroot --include drbd8-utils sid subdir

without having drbd8-utils installed on the machine.

-- System Information:
Debian Release: wheezy/sid
APT prefers testing
APT policy: (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 3.2.0-rc4-rt-amd64 (SMP w/2 CPU cores; PREEMPT)
Locale: LANG=he_IL.UTF-8, LC_CTYPE=he_IL.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages drbd8-utils depends on:
ii debconf [debconf-2.0] 1.5.41
ii libc6 2.13-24

drbd8-utils recommends no packages.

Versions of packages drbd8-utils suggests:
pn heartbeat none

-- no debconf information
Bug#643703: asterisk: SHA-1 code doesn't allow modification
On Mon, Oct 03, 2011 at 07:27:16PM +0200, Tzafrir Cohen wrote:

A short update: The same sha1 code is indeed present in current Upstream code (including version 1.8.x currently in Testing/Unstable and also the Upstream trunk).

Ron Lee pointed out, though, that RFC3174 has been obsoleted by RFC6234[1], and the latter actually has a sane license for the included code. So looks like some work is needed, but the replacement code is obvious.

Thanks for the report.

Sadly this fix did not make it to 1.8.8, but it will be included in 1.8.9 (already included in 1.8.9-rc1).

-- 
Tzafrir Cohen icq#16849755 jabber:tzafrir.co...@xorcom.com +972-50-7952406 mailto:tzafrir.co...@xorcom.com http://www.xorcom.com iax:gu...@local.xorcom.com/tzafrir
Bug#644162: asterisk-espeak 2.5 works with newer asterisk
Hi

I've updated the packaging for asterisk-espeak 2.5, that works with newer Asterisk. Only tested to build and load. Didn't test it to work.

http://anonscm.debian.org/gitweb/?p=users/tzafrir/asterisk-espeak.git;a=summary

-- 
Tzafrir Cohen icq#16849755 jabber:tzafrir.co...@xorcom.com +972-50-7952406 mailto:tzafrir.co...@xorcom.com http://www.xorcom.com iax:gu...@local.xorcom.com/tzafrir
Bug#644162: asterisk-espeak 2.5 works with newer asterisk
On Thu, Dec 22, 2011 at 07:29:58PM +0200, Lefteris Zafiris wrote:

On Thu, 22 Dec 2011 16:54:20 +0200 Tzafrir Cohen tzafrir.co...@xorcom.com wrote:

Hi

I've updated the packaging for asterisk-espeak 2.5, that works with newer Asterisk. Only tested to build and load. Didn't test it to work.

http://anonscm.debian.org/gitweb/?p=users/tzafrir/asterisk-espeak.git;a=summary

The module is now using libsamplerate instead of libresample, so build-depends must be updated accordingly.

Thanks. Fixed. I figure I should mention that I have not yet built it in a chroot.

BTW:

dpkg-shlibdeps: warning: dependency on libm.so.6 could be avoided if debian/asterisk-espeak/usr/lib/asterisk/modules/app_espeak.so were not uselessly linked against it (they use none of its symbols).

Next: asterisk-flite.

-- 
Tzafrir Cohen icq#16849755 jabber:tzafrir.co...@xorcom.com +972-50-7952406 mailto:tzafrir.co...@xorcom.com http://www.xorcom.com iax:gu...@local.xorcom.com/tzafrir
Bug#651552: CVE-2011-4598: DoS
For the record (regarding the SIP nat issue alone):

Asterisk 1.6.2.22 was just released:

The release of Asterisk 1.6.2.22 corrects two flaws in sip.conf.sample related to AST-2011-013:

* The sample file listed *two* values for the 'nat' option as being the default. Only 'yes' is the default.

* The warning about having differing 'nat' settings confusingly referred to both peers and users.

That said, I hope that what I wrote on README.Debian was clear enough, regardless of the slightly confusing config file. Their warning was completely reworded.

-- 
Tzafrir Cohen icq#16849755 jabber:tzafrir.co...@xorcom.com +972-50-7952406 mailto:tzafrir.co...@xorcom.com http://www.xorcom.com iax:gu...@local.xorcom.com/tzafrir
Bug#651552: CVE-2011-4598: DoS
On Sun, Dec 11, 2011 at 05:09:21PM +0200, Tzafrir Cohen wrote:

On Fri, Dec 09, 2011 at 09:47:04PM +0100, Moritz Muehlenhoff wrote:

Source: asterisk
Severity: grave
Tags: security

Please see http://downloads.asterisk.org/pub/security/AST-2011-014.html This has been assigned CVE-2011-4598.

What about the pending fixes for #630381 and #639821 ?

Ping?

Packages are pending in the pkg-voip SVN repo:

asterisk/trunk: 1:1.8.8.0~dfsg-1 (just released today)
asterisk/branches/squeeze: 1:1.6.2.9-2+squeeze4: including those two fixes
asterisk/branches/lenny-security: 1:1.4.21.2~dfsg-3+lenny6 Only the NAT issue

There's also http://downloads.asterisk.org/pub/security/AST-2011-013.html, (CVE-2011-4597), which seems rather esoteric and can likely be ignored for stable.

This configuration is actually rather common. The bug did not mention it, but the fix included a patch that changes the default value of the configuration and also adds a nasty warning if global value does not match the peer/user entry.

I made the warnings slightly less horrible than Upstream's and added an explanation in README.Debian . The sample sip.conf changed, but not /etc/asterisk/sip.conf .

-- 
Tzafrir Cohen icq#16849755 jabber:tzafrir.co...@xorcom.com +972-50-7952406 mailto:tzafrir.co...@xorcom.com http://www.xorcom.com iax:gu...@local.xorcom.com/tzafrir
Bug#651552: CVE-2011-4598: DoS
On Fri, Dec 09, 2011 at 09:47:04PM +0100, Moritz Muehlenhoff wrote:

Source: asterisk
Severity: grave
Tags: security

Please see http://downloads.asterisk.org/pub/security/AST-2011-014.html This has been assigned CVE-2011-4598.

What about the pending fixes for #630381 and #639821 ?

There's also http://downloads.asterisk.org/pub/security/AST-2011-013.html, (CVE-2011-4597), which seems rather esoteric and can likely be ignored for stable.

This configuration is actually rather common. The bug did not mention it, but the fix included a patch that changes the default value of the configuration and also adds a nasty warning if global value does not match the peer/user entry.

-- 
Tzafrir Cohen icq#16849755 jabber:tzafrir.co...@xorcom.com +972-50-7952406 mailto:tzafrir.co...@xorcom.com http://www.xorcom.com iax:gu...@local.xorcom.com/tzafrir
Bug#650245: python-asterisk: fails to work with current version of Asterisk
On Sun, Nov 27, 2011 at 10:56:17PM -0800, Andrew Pollock wrote:

Package: python-asterisk
Version: 0.1a3+r160-4.1
Severity: grave
Justification: renders package unusable

I figure that 0.2 from http://code.google.com/p/py-asterisk/ is likely to fix it.

-- 
Tzafrir Cohen icq#16849755 jabber:tzafrir.co...@xorcom.com +972-50-7952406 mailto:tzafrir.co...@xorcom.com http://www.xorcom.com iax:gu...@local.xorcom.com/tzafrir
Bug#647252: CVE-2011-4063: Remote crash vulnerability in SIP channel driver
On Tue, Nov 22, 2011 at 09:15:16PM +0100, Moritz Mühlenhoff wrote:

On Tue, Nov 01, 2011 at 08:31:00AM +0100, Moritz Muehlenhoff wrote:

Package: asterisk
Severity: grave
Tags: security

Please see http://downloads.asterisk.org/pub/security/AST-2011-012.html

Apparently stable/oldstable is not affected, but please double-check.

Asterisk maintainers, did you get confirmation from upstream?

Yes, as per the advisory. 1.6.2 is still supported for security issues by upstream.

-- 
Tzafrir Cohen icq#16849755 jabber:tzafrir.co...@xorcom.com +972-50-7952406 mailto:tzafrir.co...@xorcom.com http://www.xorcom.com iax:gu...@local.xorcom.com/tzafrir
Bug#647008: asterisk-modules: uninstallable on s390 (libvpb0 removed)
On Sat, Oct 29, 2011 at 12:32:37PM +0100, Adam D. Barratt wrote:

Package: asterisk-modules
Version: 1:1.8.4.4~dfsg-2
Severity: serious

Hi,

vpb-driver (and thus libvpb0) was removed on s390 (see #644051). This means that asterisk-modules is now uninstallable on that architecture in unstable (and by extension asterisk).

Right now asterisk has in the build dependency:

libvpb-dev [linux-any]

If I want to encode this extra limitation (!s390 !s390x) I would have to use either:

libvpb-dev [!hurd-any !kfreebsd-any !s390 !s390x]

or:

libvpb-dev [linux-any], libvpb-dev [!s390 !s390x]

Which of those would be preferred?

As a side note, vpb-driver has:

Architecture: any

for all of its packages, even though it is linux-specific, AFAIK (and fails to build on hurd and kfreebsd[1])

[1] https://buildd.debian.org/status/package.php?p=vpb-driver

-- 
Tzafrir Cohen icq#16849755 jabber:tzafrir.co...@xorcom.com +972-50-7952406 mailto:tzafrir.co...@xorcom.com http://www.xorcom.com iax:gu...@local.xorcom.com/tzafrir
Bug#643703: asterisk: SHA-1 code doesn't allow modification
A short update: The same sha1 code is indeed present in current Upstream code (including version 1.8.x currently in Testing/Unstable and also the Upstream trunk).

Ron Lee pointed out, though, that RFC3174 has been obsoleted by RFC6234[1], and the latter actually has a sane license for the included code. So looks like some work is needed, but the replacement code is obvious.

Thanks for the report.

[1] http://www.rfc-editor.org/rfc/rfc6234.txt

-- 
Tzafrir Cohen icq#16849755 jabber:tzafrir.co...@xorcom.com +972-50-7952406 mailto:tzafrir.co...@xorcom.com http://www.xorcom.com iax:gu...@local.xorcom.com/tzafrir
Bug#617514: MeetMe() does not accept any options after Answer() and falls back to default options.
severety 617514 normal
tag 617514 + moreinfo unreproducible
thanks

Sorry for the delay,

On Wed, Mar 09, 2011 at 03:25:34PM +0100, Julius Kempa wrote:

Package: asterisk
Version: 1:1.6.2.9-2+squeeze1
Severity: critical

MeetMe application does not work properly. for example:

extensions.conf:

exten => 123,1,Answer()
exten => 123,2,MeetMe(100,cmMqTwxX,1000)

The options string seems to be ignored after Answer(). MeetMe works only with defaults. The same MeetMe call, without Answer before, works fine.

Some of those options are conflicting. I tried several simpler options (cMq) and it worked just fine. Please provide the minimal combination that does not work.

Also demoting as this is certainly not a major breakage.

-- 
Tzafrir Cohen icq#16849755 jabber:tzafrir.co...@xorcom.com +972-50-7952406 mailto:tzafrir.co...@xorcom.com http://www.xorcom.com iax:gu...@local.xorcom.com/tzafrir
Bug#638034: asterisk: Cannot forward voicemail
tag 638034 + unreproducible
thanks

Hi, sorry for the delay,

On Tue, Aug 16, 2011 at 11:40:26AM -0700, Andrew wrote:

Package: asterisk
Version: 1:1.6.2.9-2+squeeze3
Severity: grave
Tags: upstream

When you forward a voicemail message in Asterisk, the message does not appear in the destination mailbox. It fails silently, and once the message is deleted from the source mailbox, it's gone forever.

It has been reported and fixed upstream: https://issues.asterisk.org/view.php?id=18358

Could this be fixed in a Debian point release? It's a pretty serious loss of functionality and has caused us a lot of data loss.

I failed to reproduce this issue. Are you sure you use the version from squeeze?

Note that that specific fix (Upstream r301046) fixes a regression from a previous bugfix commit (r289874 , Upstream bug #17803), which has not been included in Debian.

-- 
Tzafrir Cohen icq#16849755 jabber:tzafrir.co...@xorcom.com +972-50-7952406 mailto:tzafrir.co...@xorcom.com http://www.xorcom.com iax:gu...@local.xorcom.com/tzafrir
Bug#625375: libss7: ftbfs with gcc-4.6 -Werror
On Tue, May 03, 2011 at 10:33:38AM +, Matthias Klose wrote:

This package builds with -Werror, and GCC 4.6 triggers new warnings which will make the package fail to build. Currently a Debian patch just passes -Wno-error=unused-but-set-variable and -Wno-error=unused-but-set-parameter to avoid build failures, but this patch will be reverted with the GCC 4.6.1 release, and the severity of the report will be raised.

A simple patch is attached in https://issues.asterisk.org/jira/browse/SS7-54 . Looks safe at first glance.

-- 
Tzafrir Cohen icq#16849755 jabber:tzafrir.co...@xorcom.com +972-50-7952406 mailto:tzafrir.co...@xorcom.com http://www.xorcom.com iax:gu...@local.xorcom.com/tzafrir
Bug#633481: asterisk: Security upgrade for Lenny missing ast_str_strlen symbol
Hi,

On Sun, Jul 10, 2011 at 11:58:57AM -0500, Mike McCallister wrote:

Package: asterisk
Version: 1:1.4.21.2~dfsg-3+lenny3
Severity: grave
Justification: renders package unusable

I installed the latest security patch for Asterisk on my Lenny system today. It starts successfully, but immediately exits. When I start it from the command line with the -v parameter, the last few lines of output are:

app_mixmonitor.so => (Mixed Audio Monitoring Application)
app_authenticate.so => (Authentication Application)
func_groupcount.so => (Channel group dialplan functions)
app_milliwatt.so => (Digital Milliwatt (mu-law) Test Application)
app_image.so => (Image Transmission Application)
app_adsiprog.so => (Asterisk ADSI Programming Application)
Asterisk Ready.
asterisk: symbol lookup error: /usr/lib/asterisk/modules/chan_sip.so: undefined symbol: ast_str_strlen

The issue is indeed with patch AST-2011-008. Now fixed in SVN. In 1.4 there's no need for ast_str_strlen (which does not work with plain null-terminated strings anyway).

As a temporary workaround, in case you can't downgrade or (soon) upgrade: disable chan_sip.so in modules.conf.

-- 
Tzafrir Cohen icq#16849755 jabber:tzafrir.co...@xorcom.com +972-50-7952406 mailto:tzafrir.co...@xorcom.com http://www.xorcom.com iax:gu...@local.xorcom.com/tzafrir
Bug#632029: asterisk: AST-2011-011 (CVE-2011-2536) Possible enumeration of SIP users
Package: asterisk
Version: 1:1.8.4.2-1.8979
Severity: grave
Tags: security upstream patch
Justification: user security hole

Asterisk may respond differently to SIP requests from an invalid SIP user than it does to a user configured on the system, even when the alwaysauthreject option is set in the configuration. This can leak information about what SIP users are valid on the Asterisk system.

Respond to SIP requests from invalid and valid SIP users in the same way.

Asterisk 1.4 (in Oldstable) and 1.6.2 (in Stable) do not respond identically by default due to backward-compatibility reasons, and must have alwaysauthreject=yes set in sip.conf. Asterisk 1.8 defaults to alwaysauthreject=yes.
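Two of the sip.conf settings these reports turn on can be checked from the file itself: alwaysauthreject (AST-2011-011, the report above, where 1.4 and 1.6.2 default to no and 1.8 to yes) and a peer or user whose nat setting differs from [general] (AST-2011-013, the #651552 messages earlier on this page, whose fix adds a warning for exactly that mismatch). The following lint is an added example written for this page; it is not code from Asterisk, Digium or the Debian package. It assumes the common subset of the Asterisk config grammar ([section], [section](!) templates, [section](template) inheritance, key=value or key => value, ';' comments), the truthiness words Asterisk's ast_true() accepts, a post-fix nat default of 'yes' taken from the 1.6.2.22 release note quoted above, and an Asterisk version passed in as a plain dotted string by the caller. The sample sip.conf at the bottom is constructed for the example.

```python
"""
sip.conf lint for alwaysauthreject (AST-2011-011) and nat mismatches
(AST-2011-013).  Added example, not Asterisk or Debian packaging code.
Assumptions: config grammar subset described in the lead-in, ast_true()
truthiness words, DEFAULT_NAT = 'yes' after the AST-2011-013 fix, and an
Asterisk version string such as '1.6.2' or '1.8' supplied by the caller.
"""
import re
import sys

SECTION_RE = re.compile(r'^\[([^\]]+)\]\s*(?:\(([^)]*)\))?\s*$')
TRUE_VALUES = {'yes', 'true', 'y', 't', '1', 'on'}   # what ast_true() accepts
DEFAULT_NAT = 'yes'   # assumption: the default after the AST-2011-013 fix


def parse_sip_conf(text):
    """Return {section: (settings, is_template)}.  Templates named in the
    parentheses are copied into a new section before its own lines; a key
    assigned twice keeps the last value."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.split(';', 1)[0].strip()          # drop comments
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            name = m.group(1).strip()
            flags = [f.strip() for f in (m.group(2) or '').split(',') if f.strip()]
            settings = {}
            for f in flags:
                if f != '!' and f in sections:       # inherit from a template
                    settings.update(sections[f][0])
            sections[name] = (settings, '!' in flags)
            current = settings
            continue
        if current is None:
            continue                                 # text before any section
        sep = '=>' if '=>' in line else '='
        if sep not in line:
            continue
        key, value = line.split(sep, 1)
        current[key.strip().lower()] = value.strip()
    return sections


def _general(sections):
    return sections.get('general', ({}, False))[0]


def check_alwaysauthreject(sections, version):
    """Effective alwaysauthreject as ('yes' | 'no', explicitly_set).
    Per AST-2011-011: 1.8 defaults to yes, 1.4 and 1.6.2 default to no."""
    general = _general(sections)
    if 'alwaysauthreject' in general:
        on = general['alwaysauthreject'].lower() in TRUE_VALUES
        return ('yes' if on else 'no', True)
    parts = tuple(int(p) for p in version.split('.'))
    return ('yes' if parts >= (1, 8) else 'no', False)


def check_nat_mismatch(sections):
    """Peers/users whose explicit nat differs from [general], the condition the
    AST-2011-013 fix warns about.  Templates and inheriting entries that do
    not set nat themselves are not reported."""
    global_nat = _general(sections).get('nat', DEFAULT_NAT).lower()
    return [(name, settings['nat'].lower(), global_nat)
            for name, (settings, is_template) in sections.items()
            if name != 'general' and not is_template
            and 'nat' in settings and settings['nat'].lower() != global_nat]


def lint(text, version):
    """Human-readable findings for one sip.conf and one Asterisk version."""
    sections = parse_sip_conf(text)
    findings = []
    value, explicit = check_alwaysauthreject(sections, version)
    if value != 'yes':
        how = 'set to' if explicit else 'unset, defaulting to'
        findings.append(f'[general] alwaysauthreject {how} {value} on Asterisk '
                        f'{version}: valid SIP users can be enumerated (AST-2011-011)')
    for name, peer_nat, global_nat in check_nat_mismatch(sections):
        findings.append(f'[{name}] nat={peer_nat} differs from [general] '
                        f'nat={global_nat} (AST-2011-013)')
    return findings


# Constructed sample for the example, not a real deployment's file.
SAMPLE_SIP_CONF = """\
[general]
context=default
nat=yes
; alwaysauthreject deliberately unset: the effective value depends on the version

[office-phone](!)
type=friend
host=dynamic

[1001](office-phone)
secret=changeme
; nat=no   <- commented out, so 1001 inherits the global setting

[1002](office-phone)
secret=changeme
nat=no
"""

if __name__ == '__main__':
    # usage: python sipconf_lint.py 1.6.2 [/etc/asterisk/sip.conf]
    version = sys.argv[1] if len(sys.argv) > 1 else '1.6.2'
    text = open(sys.argv[2]).read() if len(sys.argv) > 2 else SAMPLE_SIP_CONF
    for finding in lint(text, version):
        print(finding)
```

Run against the constructed sample with version 1.6.2 it reports both findings (alwaysauthreject unset and therefore no, and [1002] overriding nat); with 1.8 only the nat mismatch remains. The version-dependent default is the whole point of the check: a Squeeze or Lenny sip.conf that never mentions alwaysauthreject is the case the advisory calls out.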
Bug#631445: asterisk: AST-2011-009 - crash on malformed SIP packet
Package: asterisk
Version: 1:1.8.4.2-1
Severity: grave
Tags: security upstream patch
Justification: user security hole

A remote user sending a SIP packet containing a Contact header with a missing left angle bracket (<) causes Asterisk to access a null pointer.

This applies only to Asterisk 1.8 in Wheezy/Sid and not to the versions in Squeeze and in Lenny.

For more information, see http://downloads.asterisk.org/pub/security/AST-2011-009.html
Bug#631446: asterisk: AST-2011-008 (CVE-2011-2529) - remote unauthenticated (null character)
Package: asterisk
Version: 1:1.8.4.2-1
Severity: grave
Tags: security upstream patch
Justification: user security hole

If a remote user sends a SIP packet containing a null, Asterisk assumes available data extends past the null to the end of the packet when the buffer is actually truncated when copied. This causes SIP header parsing to modify data past the end of the buffer altering unrelated memory structures. This vulnerability does not affect TCP/TLS connections.

Issue applies to the versions in Squeeze and Wheezy/Sid, but not to Asterisk version 1.4 in Lenny.

For more information, see http://downloads.asterisk.org/pub/security/AST-2011-008.html (for patches as well)

-- System Information:
Debian Release: wheezy/sid
APT prefers testing
APT policy: (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.39-2-amd64 (SMP w/2 CPU cores)
Locale: LANG=he_IL.UTF-8, LC_CTYPE=he_IL.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages asterisk depends on:
ii adduser 3.112+nmu2 add and remove users and groups
ii asterisk-config 1:1.8.4.2-1 Configuration files for Asterisk
ii asterisk-modules 1:1.8.4.2-1 loadable modules for the Asterisk
ii asterisk-sounds-mai 1:1.6.2.9-2+squeeze1 Core Sound files for Asterisk (Eng
ii libc6 2.13-4 Embedded GNU C Library: Shared lib
ii libcap2 1:2.21-1 support for getting/setting POSIX.
ii libgcc1 1:4.6.0-10 GCC support library
ii libncurses5 5.9-1 shared libraries for terminal hand
ii libssl1.0.0 1.0.0d-2 SSL shared libraries
ii libstdc++6 4.6.0-10 The GNU Standard C++ Library v3
ii libxml2 2.7.8.dfsg-3 GNOME XML library

Versions of packages asterisk recommends:
ii asterisk-moh-opsound-gsm 2.03-1 asterisk extra sound files - Engli
ii asterisk-voicemail 1:1.8.4.2-1 simple voicemail support for the A
ii sox 14.3.2-1 Swiss army knife of sound processi

Versions of packages asterisk suggests:
pn asterisk-dahdi none (no description available)
ii asterisk-dev 1:1.8.4.2-1 Development files for Asterisk
ii asterisk-doc 1:1.8.4.2-1 Source code documentation for Aste
pn asterisk-ooh323 none (no description available)

-- no debconf information
Bug#631448: asterisk: AST-2011-010 (CVE-2011-2535) - crash due to using remote pointers
Package: asterisk
Version: 1:1.8.4.2-1
Severity: grave
Tags: security upstream patch
Justification: user security hole

A memory address was inadvertently transmitted over the network via IAX2 via an option control frame and the remote party would try to access it.

This applies only to version 1.8 in Wheezy/Sid and not to the versions in Lenny and Squeeze. The advisory does apply to some newer versions of Asterisk 1.4 and 1.6.2, but not to the older versions used in Lenny and Squeeze, respectively.

For more information, see http://downloads.asterisk.org/pub/security/AST-2011-010.html