Bug#559103: CVE-2009-4055: RTP Remote Crash Vulnerability

2009-12-06 Thread Faidon Liambotis
Moritz, hi,

Moritz Muehlenhoff wrote:
 Package: asterisk
 Severity: grave
 Tags: security
 
 http://downloads.asterisk.org/pub/security/AST-2009-010.html
Thanks! Fix just uploaded to sid; urgency high but likely to be blocked
by the uw-imap transition.

Due to the severity of the vulnerability, it is my opinion that this
should be fixed in lenny via the security queue. The advisory should
also announce the EoL of asterisk in etch (also affected), as previously
agreed.

We have several fixes accumulated for an upcoming spu upload, including
but not limited to several CVEs that we have agreed before to not handle
them through the security queue due to their low severity.

For more information, you can have a look at the changelog[1] as
prepared in pkg-voip's SVN.

Would you like me to include some of these security fixes in the
security upload as well? Or should I just go and do an upload containing
only the fix for CVE-2009-4055 and handle the rest in spu as originally
intended?

Thanks,
Faidon

1:
http://svn.debian.org/wsvn/pkg-voip/asterisk/branches/lenny/debian/changelog



-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org



Bug#559103: CVE-2009-4055: RTP Remote Crash Vulnerability

2009-12-06 Thread Moritz Muehlenhoff
On Sun, Dec 06, 2009 at 08:48:33PM +0200, Faidon Liambotis wrote:
 Moritz, hi,
 
 Moritz Muehlenhoff wrote:
  Package: asterisk
  Severity: grave
  Tags: security
  
  http://downloads.asterisk.org/pub/security/AST-2009-010.html
 Thanks! Fix just uploaded to sid; urgency high but likely to be blocked
 by the uw-imap transition.
 
 Due to the severity of the vulnerability, it is my opinion that this
 should be fixed in lenny via the security queue. The advisory should
 also announce the EoL of asterisk in etch (also affected), as previously
 agreed.
 
 We have several fixes accumulated for an upcoming spu upload, including
 but not limited to several CVEs that we have agreed before to not handle
 them through the security queue due to their low severity.
 
 For more information, you can have a look at the changelog[1] as
 prepared in pkg-voip's SVN.
 
 Would you like me to include some of these security fixes in the
 security upload as well? Or should I just go and do an upload containing
 only the fix for CVE-2009-4055 and handle the rest in spu as originally
 intended?

If we're issuing a DSA we should include the minor fixes originally targeted
for a spu update.

Unfortunately someone else will need to process this update, I'm currently
quite busy.

Cheers,
Moritz






Bug#559103: CVE-2009-4055: RTP Remote Crash Vulnerability

2009-12-02 Thread Tzafrir Cohen
On Tue, Dec 01, 2009 at 11:13:30PM +0100, Moritz Muehlenhoff wrote:
 Package: asterisk
 Severity: grave
 Tags: security
 
 http://downloads.asterisk.org/pub/security/AST-2009-010.html

For the record, the patch itself is trivial and seems to be very simple
to backport.

https://issues.asterisk.org/view.php?id=16242
See links to specific commits from there.

The issue seems to affect Etch, Lenny and Squeeze. For Sid/Squeeze,
upstream 1.6.0.2-rc7 should be released shortly (it has already been
tagged).

-- 
   Tzafrir Cohen
icq#16849755  jabber:tzafrir.co...@xorcom.com
+972-50-7952406   mailto:tzafrir.co...@xorcom.com
http://www.xorcom.com  iax:gu...@local.xorcom.com/tzafrir






Bug#559103: CVE-2009-4055: RTP Remote Crash Vulnerability

2009-12-01 Thread Moritz Muehlenhoff
Package: asterisk
Severity: grave
Tags: security

http://downloads.asterisk.org/pub/security/AST-2009-010.html

-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)

Kernel: Linux 2.6.31-1-686 (SMP w/1 CPU core)
Locale: LANG=C, lc_ctype=de_de.iso-8859...@euro (charmap=ISO-8859-15)
Shell: /bin/sh linked to /bin/bash

Versions of packages asterisk depends on:
ii  adduser3.111 add and remove users and groups
pn  asterisk-config | aste none(no description available)
pn  asterisk-sounds-main   none(no description available)
ii  libasound2 1.0.21a-1 shared library for ALSA applicatio
pn  libc-client2007b   none(no description available)
ii  libc6  2.10.1-7  GNU C Library: Shared libraries
pn  libcap1none(no description available)
ii  libcurl3   7.19.7-1  Multi-protocol file transfer libra
ii  libgcc11:4.4.2-3 GCC support library
ii  libgsm11.0.13-3  Shared libraries for GSM speech co
pn  libiksemel3none(no description available)
ii  libncurses55.7+20090803-2shared libraries for terminal hand
ii  libnewt0.520.52.10-4.1   Not Erik's Windowing Toolkit - tex
ii  libogg01.1.4~dfsg-1  Ogg bitstream library
ii  libpopt0   1.15-1lib for parsing cmdline parameters
ii  libpq5 8.4.1-1   PostgreSQL C client library
pn  libpri1.0  none(no description available)
pn  libradiusclient-ng2none(no description available)
pn  libsnmp15  none(no description available)
ii  libspeex1  1.2~rc1-1 The Speex codec runtime library
pn  libspeexdsp1   none(no description available)
pn  libsqlite0 none(no description available)
ii  libssl0.9.80.9.8k-6  SSL shared libraries
ii  libstdc++6 4.4.2-3   The GNU Standard C++ Library v3
pn  libtonezone1   none(no description available)
ii  libvorbis0a1.2.3-3   The Vorbis General Audio Compressi
ii  libvorbisenc2  1.2.3-3   The Vorbis General Audio Compressi
pn  libvpb0none(no description available)
pn  unixodbc   none(no description available)
ii  zlib1g 1:1.2.3.3.dfsg-15 compression library - runtime

asterisk recommends no packages.

Versions of packages asterisk suggests:
pn  asterisk-dev  none (no description available)
pn  asterisk-doc  none (no description available)
pn  asterisk-h323 none (no description available)
pn  ekiga none (no description available)
pn  kphonenone (no description available)
pn  ohphone   none (no description available)
pn  twinkle   none (no description available)


