Bug#435521: closed by Mark Purcell <[EMAIL PROTECTED]> (Re: Asterisk SIP DOS Vulnerability)

2007-08-18 Thread Faidon Liambotis
Martin Schulze wrote:
> Faidon Liambotis wrote:
>> Granted, we have a very very bad record as maintainers of supporting
>> this security-wise but I think we can try to change that. I certainly
>> will try my best to provide you with patched versions to upload.
>> I haven't discussed this with the rest of the team yet but I think they
>> are willing to help with this.
> 
> The main problem is that Asterisk is team maintained and nobody in
> the team (except you at the moment) seems to care about a safe version
> of asterisk in stable and oldstable.  The security team itself is not
> able to support the package on its own and thus has to depend on the
> respective maintainers.
Right. FWIW, you can count on me for security updates, even if the rest
of the team doesn't change their minds wrt security fixes.

Since you have no previous grounds to trust me on this though, I'd
propose to postpone this discussion closer to the release of lenny so
you can have some hard facts regarding my (our?) responsiveness or
carelessness.

Is that acceptable to you (you being security@)?

>> I don't think that it serves our users to not provide security support
>> for asterisk, especially considering its popularity.
> 
> The question is what is better:
> 
>  . stale version of Asterisk with local and remote vulnerabilities
>    in Debian stable, OR
> 
>  . no version of Asterisk in Debian stable at all
> 
> Moritz's preference is the second.
If it comes to that, I definitely agree with this.

Regards,
Faidon


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]



2007-08-18 Thread Mark Purcell
On Sat, 18 Aug 2007, Kilian Krause wrote:
> > Comments?
> 
> If the rest of the pkg-voip developers agree, I'll just put up a pseudo
> RC-bug against asterisk to make sure it's not progressing into testing
> anymore (and therefore not contained in the stable release of Lenny and
> newer).

Kilian,

I don't agree with keeping asterisk out of lenny permanently; I think we
should wait until closer to the lenny release and then make that decision.
In the event that asterisk 1.4.x is stable and in maintenance fixes upstream,
then I see no reason why it should be excluded from lenny.

Asterisk 1.2.x is a different beast. Had etch been released with the current
asterisk 1.2.x then we could maintain it via upstream security releases. But etch
was released with an early asterisk 1.2, and that is what we have to work with.
I can see an argument for asterisk 1.2.x being removed from etch. We need to
either:

1. Continue/start backporting security fixes from 1.2.x, or
2. Remove asterisk 1.2.x from etch, and/or
3. Track upstream 1.2.x security releases via volatile, or just direct
our users to pkg-voip.buildserver.net for etch packages.

For lenny, I recommend we get ftp-master to force the removal of
asterisk 1.2.x: it FTBFS, it has vulnerabilities, etc. In the meantime, I
think it is suitable for asterisk 1.4 to migrate to lenny via unstable
per the normal rules. As vulnerabilities are discovered we publish the
fix into unstable and migrate according to the two/five day rules.

Mark



2007-08-18 Thread Kilian Krause
Hi Moritz,

On Fri, Aug 17, 2007 at 10:53:48PM +0200, Moritz Muehlenhoff wrote:
> Mark Purcell wrote:
> > On Wed, 8 Aug 2007, Lionel Elie Mamane wrote:
> > > Yes, but we should still fix that in stable, not only unstable.
> > 
> > Yes I wasn't suggesting that we don't fix it in stable, but rather that a
> > fix was available and had been uploaded to Debian (unstable).  The BTS
> > supports version tracking and even though the bug may be closed, these
> > security issues are still listed as open for asterisk in etch.
> > 
> > Of course if we have a way of testing that the fix in unstable is valid
> > that's even better.
> > 
> > Of course fixing the plethora of security fixes against asterisk 1.2 is an
> > issue and a fair amount of work.  Whilst digium continues to provide
> > supported releases of 1.2.x with bug fixes, by rights we should be only
> > taking the diffs and applying them to debian stable via the debian
> > security team, which is a job in itself.
> > 
> > We are maintaining up-to-date asterisk 1.2 packages built against stable
> > (etch) via http://buildserver.net, but that is using the latest asterisk
> > 1.2 upstream release and isn't a suitable security fix for upload to
> > stable. (but would be a lot less work and would get the fixes into
> > stable v.quickly)
> > 
> > security team. This is an issue, we (pkg-voip) are aware we are well
> > behind the curve on this, but were wondering if you have any ideas on a
> > way to better manage?
> 
> For Etch we need to bite the bullet and continue to support it (see my
> previous mail to Faidon), but with the current strain of vulnerabilities
> (19 in 2007 alone!) we can't support it for Lenny again. In some cases we
> need to accept notoriously error-prone packages because they are terribly
> important (like PHP and Linux), but we can't do that for Asterisk.

I had somewhat expected this. So it's good we're discussing this now.  ;)
To start, yes I feel that backporting fixes is a large burden. We can
help, but with this amount of vulnerabilities it's very tedious. So
working around it is surely the preferred choice.


> For Lenny I see three solutions: (in order of my personal preference)
> 1. Move it to volatile.debian.org and support it through builds of the
>    current Digium maintenance release

Definitely a good choice.


> 2. Drop it from stable and support it out of the archive through builds of
>    the current Digium maintenance release

May come even a bit handier for the pkg-voip team, as that _could_ mean
supporting through pkg-voip.buildserver.net (which is in fact generated
with no extra work required from the developers). 


> 3. For Lenny we'll most likely have a way to flag packages not having
>    security support (see #436161). So, it could be included in Lenny w/o
>    security support. There might still be use cases, e.g. a company-wide
>    internal PBX.

Well, in that case it seems to me as good as just dropping asterisk from Debian,
which would be an inconvenience to our users. Therefore I'd welcome
options 1 or 2. As stated, if you agree that 2. solves the problem, I
think we can go with that.


> Comments?

If the rest of the pkg-voip developers agree, I'll just put up a pseudo
RC-bug against asterisk to make sure it's not progressing into testing
anymore (and therefore not contained in the stable release of Lenny and
newer).

-- 
Best regards,
Kilian



2007-08-17 Thread Martin Schulze
Faidon Liambotis wrote:
> Granted, we have a very very bad record as maintainers of supporting
> this security-wise but I think we can try to change that. I certainly
> will try my best to provide you with patched versions to upload.
> I haven't discussed this with the rest of the team yet but I think they
> are willing to help with this.

The main problem is that Asterisk is team maintained and nobody in
the team (except you at the moment) seems to care about a safe version
of asterisk in stable and oldstable.  The security team itself is not
able to support the package on its own and thus has to depend on the
respective maintainers.

> I don't think that it serves our users to not provide security support
> for asterisk, especially considering its popularity.

The question is what is better:

 . stale version of Asterisk with local and remote vulnerabilities
   in Debian stable, OR

 . no version of Asterisk in Debian stable at all

Moritz's preference is the second.

Regards,

Joey

-- 
WARNING: Do not execute!  This call violates patent DE10108564.
http://www.elug.de/projekte/patent-party/patente/DE10108564

wget -O patinfo-`date +"%Y%m%d"`.html http://patinfo.ffii.org/

Please always Cc to me when replying to me on the lists.




2007-08-17 Thread Faidon Liambotis
[removing pkg-voip and security team members from the Cc list since they
will get the mail]

Moritz Muehlenhoff wrote:
> For Etch we need to bite the bullet and continue to support it (see my
> previous mail to Faidon), but with the current strain of vulnerabilities
> (19 in 2007 alone!) we can't support it for Lenny again. In some cases we
> need to accept notoriously error-prone packages because they are terribly
> important (like PHP and Linux), but we can't do that for Asterisk.
> 
> For Lenny I see three solutions: (in order of my personal preference)
> 1. Move it to volatile.debian.org and support it through builds of the
>    current Digium maintenance release
> 2. Drop it from stable and support it out of the archive through builds of
>    the current Digium maintenance release
> 3. For Lenny we'll most likely have a way to flag packages not having
>    security support (see #436161). So, it could be included in Lenny w/o
>    security support. There might still be use cases, e.g. a company-wide
>    internal PBX.
I have to say that I find all of these unacceptable.

Granted, Asterisk had some vulnerabilities recently (which IMHO is
because it's getting more attention recently) but upstream has a good
record of responding to these in time with code and even their own advisories!

They even provide security updates to their old major version (1.2) at
the same time as the new one (1.4) which fits our release cycle.

The fixes are easily spotted since they do have both of their VCS and
BTS open: the commit messages refer to the advisory and the advisories
link to the bug.
In the fixes I sent you, the patches are from their repository
*completely* unchanged. They applied cleanly to our version!

Other vendors and distributions provide security support for Asterisk,
including Ubuntu, which contains versions of ours.

Granted, we have a very very bad record as maintainers of supporting
this security-wise but I think we can try to change that. I certainly
will try my best to provide you with patched versions to upload.
I haven't discussed this with the rest of the team yet but I think they
are willing to help with this.

I don't think that it serves our users to not provide security support
for asterisk, especially considering its popularity.

Regards,
Faidon




2007-08-17 Thread Moritz Muehlenhoff
Mark Purcell wrote:
> On Wed, 8 Aug 2007, Lionel Elie Mamane wrote:
> > Yes, but we should still fix that in stable, not only unstable.
> 
> Yes I wasn't suggesting that we don't fix it in stable, but rather that a
> fix was available and had been uploaded to Debian (unstable).  The BTS
> supports version tracking and even though the bug may be closed, these
> security issues are still listed as open for asterisk in etch.
> 
> Of course if we have a way of testing that the fix in unstable is valid
> that's even better.
> 
> Of course fixing the plethora of security fixes against asterisk 1.2 is an
> issue and a fair amount of work.  Whilst digium continues to provide
> supported releases of 1.2.x with bug fixes, by rights we should be only
> taking the diffs and applying them to debian stable via the debian
> security team, which is a job in itself.
> 
> We are maintaining up-to-date asterisk 1.2 packages built against stable
> (etch) via http://buildserver.net, but that is using the latest asterisk
> 1.2 upstream release and isn't a suitable security fix for upload to
> stable. (but would be a lot less work and would get the fixes into
> stable v.quickly)
> 
> security team. This is an issue, we (pkg-voip) are aware we are well
> behind the curve on this, but were wondering if you have any ideas on a
> way to better manage?

For Etch we need to bite the bullet and continue to support it (see my previous
mail to Faidon), but with the current strain of vulnerabilities (19 in 2007
alone!) we can't support it for Lenny again. In some cases we need to accept
notoriously error-prone packages because they are terribly important (like PHP
and Linux), but we can't do that for Asterisk.

For Lenny I see three solutions: (in order of my personal preference)
1. Move it to volatile.debian.org and support it through builds of the current
   Digium maintenance release
2. Drop it from stable and support it out of the archive through builds of the
   current Digium maintenance release
3. For Lenny we'll most likely have a way to flag packages not having security
   support (see #436161). So, it could be included in Lenny w/o security
   support. There might still be use cases, e.g. a company-wide internal PBX.

Comments?

Cheers,
Moritz




2007-08-08 Thread Mark Purcell
On Wed, 8 Aug 2007, Lionel Elie Mamane wrote:
> Yes, but we should still fix that in stable, not only unstable.

Yes I wasn't suggesting that we don't fix it in stable, but rather that a
fix was available and had been uploaded to Debian (unstable).  The BTS
supports version tracking and even though the bug may be closed, these
security issues are still listed as open for asterisk in etch.

Of course if we have a way of testing that the fix in unstable is valid
that's even better.

Of course fixing the plethora of security fixes against asterisk 1.2 is an
issue and a fair amount of work.  Whilst digium continues to provide supported
releases of 1.2.x with bug fixes, by rights we should be only taking
the diffs and applying them to debian stable via the debian security team,
which is a job in itself.

We are maintaining up-to-date asterisk 1.2 packages built against stable (etch)
via http://buildserver.net, but that is using the latest asterisk 1.2 upstream
release and isn't a suitable security fix for upload to stable. (but would be a
lot less work and would get the fixes into stable v.quickly)

security team. This is an issue, we (pkg-voip) are aware we are well behind the
curve on this, but were wondering if you have any ideas on a way to better 
manage?

Mark
