Re: Testing Asterisk for Wheezy LTS
On 11.01.2017 23:31, Gabriel Filion wrote:
> Hi there,
>
> sorry it took a while.
>
> Markus Koschany:
>> On 26.12.2016 20:04, Gabriel Filion wrote:
>> thank you very much for testing Asterisk. If you could test sip as well
>> when you are back in office, that would be great. We don't need to rush
>> the update and since there were some bigger changes in sip related code
>> more feedback is always appreciated.
>
> I've installed the packages for 1.8.13.1~dfsg1-3+deb7u5 on another
> wheezy server where phones are connected and SIP is working correctly
> there. (as well as IAX2 and the other stuff I tested before)

Thank you very much again for your time and the additional tests. I will
upload the new version shortly.

Best,

Markus
Re: Testing Asterisk for Wheezy LTS
Hi there,

sorry it took a while.

Markus Koschany:
> On 26.12.2016 20:04, Gabriel Filion wrote:
> thank you very much for testing Asterisk. If you could test sip as well
> when you are back in office, that would be great. We don't need to rush
> the update and since there were some bigger changes in sip related code
> more feedback is always appreciated.

I've installed the packages for 1.8.13.1~dfsg1-3+deb7u5 on another
wheezy server where phones are connected and SIP is working correctly
there. (as well as IAX2 and the other stuff I tested before)
Re: Testing Asterisk for Wheezy LTS
Hi there,

Markus Koschany:
> I have prepared a new security update for Asterisk. I am CCing Gabriel
> because he was interested to help with testing in the past. Feedback is
> very much appreciated. You can find amd64 binary packages and the debdiff at
>
> https://people.debian.org/~apo/wheezy-lts/

I've installed the packages asterisk, asterisk-config, asterisk-doc,
asterisk-modules and asterisk-voicemail and tested a couple of features.

IVR, voicemail, ConfBridge seem to be working great. also iax is working
great.

however I can't test sip right now since I'm not in the office for a
couple of days
Re: testing asterisk for Wheezy LTS
Hi Balint,

On Wed, 7 Sep 2016, Bálint Réczey wrote:
> Are you still working on the remaining CVE-s?

yes, I am still working on them.

Thorsten
Re: testing asterisk for Wheezy LTS
Hi Thorsten,

2016-05-18 22:08 GMT+02:00 Thorsten Alteholz:
> Hi Antoine,
>
> On Tue, 17 May 2016, Antoine Beaupré wrote:
>>
>> Those issues should have been fixed in the same upload,
>
>
> ah, ok, I think this is the problem. In case you know that fixing an issue
> takes a longer time than usual, in my opinion it is better to fix the rest
> first and do another upload later.
>
>> The comment regarding the status was that, since the CVEs were not
>> marked as resolved, they should have been marked (if you
>> considered them minor enough to not warrant an upload) or you should
>> have removed yourself from the "asterisk" line in dla-needed.txt so that
>> others know you are not working on it anymore.
>
> No, the status of them is quite correct. They must not be marked
> and as I am working on them, my name should remain in dla-needed.txt.
> That's what I tried to express in the comment of r41394 ...

Are you still working on the remaining CVE-s?

Cheers,
Balint
Re: testing asterisk for Wheezy LTS
On 2016-05-17 14:01:24, Thorsten Alteholz wrote:
> Hi Antoine,
>
> On Tue, 17 May 2016, Antoine Beaupré wrote:
>> Both are what seem to be serious enough DOS attacks, and are not marked
>> no-dsa or anything. You are still assigned the package in dla-needed.txt
>> so for now I'll assume you will complete the work, but please do update
>> the status correctly next time, or let us know of what the next steps
>> are.
>
> I am not sure that I understand you. Can you please explain where there
> has been an incorrect status?

Hmm... Well, maybe I'm confused. Let me share what I know.

You recently published an Asterisk package to solve security issues in
Debian LTS. I am referring to version 1.8.13.1~dfsg1-3+deb7u4 uploaded
announced here:

https://tracker.debian.org/news/765813

There was also a DLA released, two weeks ago:

https://security-tracker.debian.org/tracker/DLA-455-1
https://lists.debian.org/debian-lts-announce/2016/05/msg5.html

This release fixed CVEs CVE-2014-2286, CVE-2014-4046, CVE-2014-6610,
CVE-2014-8412, CVE-2014-8418 and CVE-2015-3008.

However, there are still two more CVEs still open in the tracker:

https://security-tracker.debian.org/tracker/source-package/asterisk

That is:

https://security-tracker.debian.org/tracker/CVE-2014-4047

and:

https://security-tracker.debian.org/tracker/CVE-2014-2287

Those issues should have been fixed in the same upload, in my opinion,
unless they came up during the last two weeks. I suspect they were
already present because the CVE number dates the CVE back to 2014.

Hence my first question:

Could you clarify why CVE-2014-4047 and CVE-2014-2287 were not included
in this upload?

The comment regarding the status was that, since the CVEs were not
marked as resolved, they should have been marked (if you
considered them minor enough to not warrant an upload) or you should
have removed yourself from the "asterisk" line in dla-needed.txt so that
others know you are not working on it anymore.

I hope that clarifies my comments!

Let me know if you need further clarification.

A.

-- 
Omnis enim ex infirmitate feritas est.
All cruelty springs from weakness.
- Lucius Annaeus Seneca (58 AD)
Re: testing asterisk for Wheezy LTS
Hi Antoine,

On Tue, 17 May 2016, Antoine Beaupré wrote:
> Both are what seem to be serious enough DOS attacks, and are not marked
> no-dsa or anything. You are still assigned the package in dla-needed.txt
> so for now I'll assume you will complete the work, but please do update
> the status correctly next time, or let us know of what the next steps
> are.

I am not sure that I understand you. Can you please explain where there
has been an incorrect status?

Thorsten
Re: testing asterisk for Wheezy LTS
On 2016-04-24 13:56:06, Thorsten Alteholz wrote:
> Hi everybody,
>
> I uploaded version 1.8.13.1~dfsg1-3+deb7u4 of asterisk to:
> https://people.debian.org/~alteholz/packages/wheezy-lts/asterisk/amd64/
> https://people.debian.org/~alteholz/packages/wheezy-lts/asterisk/i386/
>
> Please give it a try and tell me about any problems you met.

Could you clarify why CVE-2014-4047 and CVE-2014-2287 were not included
in this upload?

Both are what seem to be serious enough DOS attacks, and are not marked
no-dsa or anything. You are still assigned the package in dla-needed.txt
so for now I'll assume you will complete the work, but please do update
the status correctly next time, or let us know of what the next steps
are.

A.

-- 
The lazy man does not stand in the way of progress. When he sees
progress roaring down upon him he steps nimbly out of the way
- Christopher Morley, "On Laziness"
Re: testing asterisk for Wheezy LTS
On 2016-05-02 18:58:23, Gabriel Filion wrote:
> Oops, I forgot to mention that I am not subscribed to the mailing list.
> So please include me in CC for replies.
>
>> thanks a lot for testing the package, I really appreciate it.
>>
>> On Thu, 28 Apr 2016, Gabriel Filion wrote:
>>
>>>> https://people.debian.org/~alteholz/packages/wheezy-lts/asterisk/amd64/
>>>
>>> however I've found a regression: manager connections (in my case
>>> established from localhost) are super slow and/or not responding at all.
>>
>>
>> ok, I uploaded a new package (with the same version), so if you don't
>> mind can you please test it again?
>
> Thanks for the update.
>
> I've downloaded the new packages and tested them and they seem to be
> working great. SIP/IAX2 are working fine and the management port is
> responding correctly this time. I've also tested the voicemail app and
> it's responding OK.

Thanks so much for testing, I guess we can go on with the DLA now!

A.

-- 
The most beautiful songs are songs of protest.
Verse must make love in the heads of the people.
At the school of poetry, one does not learn: one fights!
- Léo Ferré, "Préface"
Re: testing asterisk for Wheezy LTS
Oops, I forgot to mention that I am not subscribed to the mailing list.
So please include me in CC for replies.

> thanks a lot for testing the package, I really appreciate it.
>
> On Thu, 28 Apr 2016, Gabriel Filion wrote:
>
>> https://people.debian.org/~alteholz/packages/wheezy-lts/asterisk/amd64/
>>
>> however I've found a regression: manager connections (in my case
>> established from localhost) are super slow and/or not responding at all.
>
>
> ok, I uploaded a new package (with the same version), so if you don't
> mind can you please test it again?

Thanks for the update.

I've downloaded the new packages and tested them and they seem to be
working great. SIP/IAX2 are working fine and the management port is
responding correctly this time. I've also tested the voicemail app and
it's responding OK.