Re: Testing Asterisk for Wheezy LTS

2017-01-12 Thread Markus Koschany
On 11.01.2017 23:31, Gabriel Filion wrote:
> Hi there,
> 
> sorry it took a while.
> 
> Markus Koschany:
>> On 26.12.2016 20:04, Gabriel Filion wrote:
>> thank you very much for testing Asterisk. If you could test sip as well
>> when you are back in office, that would be great. We don't need to rush
>> the update and since there were some bigger changes in sip related code
>> more feedback is always appreciated.
> 
> I've installed the packages for 1.8.13.1~dfsg1-3+deb7u5 on another
> wheezy server where phones are connected and SIP is working correctly
> there. (as well as IAX2 and the other stuff I tested before)

Thank you very much again for your time and the additional tests. I will
upload the new version shortly.

Best,

Markus






Re: Testing Asterisk for Wheezy LTS

2017-01-11 Thread Gabriel Filion
Hi there,

sorry it took a while.

Markus Koschany:
> On 26.12.2016 20:04, Gabriel Filion wrote:
> thank you very much for testing Asterisk. If you could test sip as well
> when you are back in office, that would be great. We don't need to rush
> the update and since there were some bigger changes in sip related code
> more feedback is always appreciated.

I've installed the packages for 1.8.13.1~dfsg1-3+deb7u5 on another
wheezy server where phones are connected and SIP is working correctly
there. (as well as IAX2 and the other stuff I tested before)





Re: Testing Asterisk for Wheezy LTS

2016-12-26 Thread Gabriel Filion
Hi there,

Markus Koschany:
> I have prepared a new security update for Asterisk. I am CCing Gabriel
> because he was interested to help with testing in the past. Feedback is
> very much appreciated. You can find amd64 binary packages and the debdiff at
> 
> https://people.debian.org/~apo/wheezy-lts/

I've installed the packages asterisk, asterisk-config, asterisk-doc,
asterisk-modules and asterisk-voicemail and tested a couple of features.

IVR, voicemail, ConfBridge seem to be working great. Also iax is working
great. However I can't test sip right now since I'm not in the office
for a couple of days.





Re: testing asterisk for Wheezy LTS

2016-09-07 Thread Thorsten Alteholz

Hi Balint,

On Wed, 7 Sep 2016, Bálint Réczey wrote:

> Are you still working on the remaining CVE-s?


yes, I am still working on them.

  Thorsten

Re: testing asterisk for Wheezy LTS

2016-09-06 Thread Bálint Réczey
Hi Thorsten,

2016-05-18 22:08 GMT+02:00 Thorsten Alteholz:
> Hi Antoine,
>
> On Tue, 17 May 2016, Antoine Beaupré wrote:
>>
>> Those issues should have been fixed in the same upload,
>
>
> ah, ok, I think this is the problem. In case you know that fixing an issue
> takes a longer time than usual, in my opinion it is better to fix the rest
> first and do another upload later.
>
>> The comment regarding the status was that, since the CVEs were not
>> marked as resolved, they should have been marked  (if you
>> considered them minor enough to not warrant an upload) or you should
>> have removed yourself from the "asterisk" line in dla-needed.txt so that
>> others know you are not working on it anymore.
>
> No, the status of them is quite correct. They must not be marked 
> and as I am working on them, my name should remain in dla-needed.txt.
> That's what I tried to express in the comment of r41394 ...

Are you still working on the remaining CVE-s?

Cheers,
Balint



Re: testing asterisk for Wheezy LTS

2016-05-17 Thread Antoine Beaupré
On 2016-05-17 14:01:24, Thorsten Alteholz wrote:
> Hi Antoine,
>
> On Tue, 17 May 2016, Antoine Beaupré wrote:
>> Both are what seem to be serious enough DOS attacks, and are not marked
>> no-dsa or anything. You are still assigned the package in dla-needed.txt
>> so for now I'll assume you will complete the work, but please do update
>> the status correctly next time, or let us know of what the next steps
>> are.
>
> I am not sure that I understand you. Can you please explain where there 
> has been an incorrect status?

Hmm... Well, maybe I'm confused. Let me share what I know.

You recently published an Asterisk package to solve security issues in
Debian LTS. I am referring to version 1.8.13.1~dfsg1-3+deb7u4 uploaded
announced here:

https://tracker.debian.org/news/765813

There was also a DLA released, two weeks ago:

https://security-tracker.debian.org/tracker/DLA-455-1
https://lists.debian.org/debian-lts-announce/2016/05/msg5.html

This release fixed CVEs CVE-2014-2286, CVE-2014-4046, CVE-2014-6610,
CVE-2014-8412, CVE-2014-8418 and CVE-2015-3008.

However, there are still two more CVEs still open in the tracker:

https://security-tracker.debian.org/tracker/source-package/asterisk

That is:

https://security-tracker.debian.org/tracker/CVE-2014-4047

and:

https://security-tracker.debian.org/tracker/CVE-2014-2287

Those issues should have been fixed in the same upload, in my opinion,
unless they came up during the last two weeks. I suspect they were
already present because the CVE number dates the CVE back to 2014.

Hence my first question: Could you clarify why CVE-2014-4047 and
CVE-2014-2287 were not included in this upload?

The comment regarding the status was that, since the CVEs were not
marked as resolved, they should have been marked  (if you
considered them minor enough to not warrant an upload) or you should
have removed yourself from the "asterisk" line in dla-needed.txt so that
others know you are not working on it anymore.

I hope that clarifies my comments! Let me know if you need further
clarification.

A.

-- 
Omnis enim ex infirmitate feritas est.
All cruelty springs from weakness.
 - Lucius Annaeus Seneca (58 AD)



Re: testing asterisk for Wheezy LTS

2016-05-17 Thread Thorsten Alteholz

Hi Antoine,

On Tue, 17 May 2016, Antoine Beaupré wrote:

> Both are what seem to be serious enough DOS attacks, and are not marked
> no-dsa or anything. You are still assigned the package in dla-needed.txt
> so for now I'll assume you will complete the work, but please do update
> the status correctly next time, or let us know of what the next steps
> are.


I am not sure that I understand you. Can you please explain where there 
has been an incorrect status?


  Thorsten

Re: testing asterisk for Wheezy LTS

2016-05-17 Thread Antoine Beaupré
On 2016-04-24 13:56:06, Thorsten Alteholz wrote:
> Hi everybody,
>
> I uploaded version 1.8.13.1~dfsg1-3+deb7u4 of asterisk to:
>   https://people.debian.org/~alteholz/packages/wheezy-lts/asterisk/amd64/
>   https://people.debian.org/~alteholz/packages/wheezy-lts/asterisk/i386/
>
> Please give it a try and tell me about any problems you met.

Could you clarify why CVE-2014-4047 and CVE-2014-2287 were not included
in this upload?

Both are what seem to be serious enough DOS attacks, and are not marked
no-dsa or anything. You are still assigned the package in dla-needed.txt
so for now I'll assume you will complete the work, but please do update
the status correctly next time, or let us know of what the next steps
are.

A.

-- 
The lazy man does not stand in the way of progress. When he sees
progress roaring down upon him he steps nimbly out of the way
 - Christopher Morley, "On Laziness"



Re: testing asterisk for Wheezy LTS

2016-05-03 Thread Antoine Beaupré
On 2016-05-02 18:58:23, Gabriel Filion wrote:
> Oops, I forgot to mention that I am not subscribed to the mailing list.
> So please include me in CC for replies.
>
>> thanks a lot for testing the package, I really appreciate it.
>>
>> On Thu, 28 Apr 2016, Gabriel Filion wrote:
>>
>>>
>>> https://people.debian.org/~alteholz/packages/wheezy-lts/asterisk/amd64/
>>>
>>>however I've found a regression: manager connections (in my case
>>>established from localhost) are super slow and/or not responding
>>>at all.
>>
>>
>> ok, I uploaded a new package (with the same version), so if you don't
>> mind can you please test it again?
>
> Thanks for the update.
>
> I've downloaded the new packages and tested them and they seem to be
> working great. SIP/IAX2 are working fine and the management port is
> responding correctly this time. I've also tested the voicemail app and
> it's responding OK.

Thanks so much for testing, I guess we can go on with the DLA now!

A.

-- 
Les plus beaux chants sont les chants de revendications
Le vers doit faire l'amour dans la tête des populations.
À l'école de la poésie, on n'apprend pas: on se bat!
- Léo Ferré, "Préface"



Re: testing asterisk for Wheezy LTS

2016-05-02 Thread Gabriel Filion
Oops, I forgot to mention that I am not subscribed to the mailing list.
So please include me in CC for replies.

> thanks a lot for testing the package, I really appreciate it.
>
> On Thu, 28 Apr 2016, Gabriel Filion wrote:
>
>>
>> https://people.debian.org/~alteholz/packages/wheezy-lts/asterisk/amd64/
>>
>>however I've found a regression: manager connections (in my case
>>established from localhost) are super slow and/or not responding
>>at all.
>
>
> ok, I uploaded a new package (with the same version), so if you don't
> mind can you please test it again?

Thanks for the update.

I've downloaded the new packages and tested them and they seem to be
working great. SIP/IAX2 are working fine and the management port is
responding correctly this time. I've also tested the voicemail app and
it's responding OK.


