Bug#435521: closed by Mark Purcell <msp at debian.org> (Re: Asterisk SIP DOS Vulnerability)

Faidon Liambotis paravoid at debian.org
Fri Aug 17 21:32:34 UTC 2007


[removing pkg-voip and security team members from the Cc list since they
will get the mail]

Moritz Muehlenhoff wrote:
> For Etch we need to bite the bullet and continue to support it (see my previous
> mail to Faidon), but with the current strain of vulnerabilities (19 in 2007 alone!)
> we can't support it for Lenny again. In some cases we need to accept notoriously
> error-prone packages because they are terribly important (like PHP and Linux), but
> we can't do that for Asterisk.
> 
> For Lenny I see three solutions: (in order of my personal preference)
> 1. Move it to volatile.debian.org and support it through builds of the current Digium
>    maintenance release
> 2. Drop it from stable and support it out of the archive through builds of the current
>    Digium maintenance release
> 3. For Lenny we'll most likely have a way to flag packages not having security support
>    (see #436161). So, it could be included in Lenny w/o security support. There might
>    still be use cases, e.g. a company-wide internal PBX.
I have to say that I find all of these unacceptable.

Granted, Asterisk had some vulnerabilities recently -which IMHO is
because it's getting more attention recently- but upstream has a good
record responding to these in time with code and even their own advisories!

They even provide security updates to their old major version (1.2) at
the same time as the new one (1.4) which fits our release cycle.

The fixes are easily spotted since they do have both of their VCS and
BTS open: the commit messages refer to the advisory and the advisories
link to the bug.
In the fixes I sent you, the patches are from their repository
*completely* unchanged. They applied cleanly to our version!

Other vendors and distributions provide security support for Asterisk,
including Ubuntu, which contains versions of ours.

Granted, we have a very very bad record as maintainers of supporting
this security-wise but I think we can try to change that. I certainly
will try my best to provide you with patched versions to upload.
I haven't discussed this with the rest of the team yet but I think they
are willing to help with this.

I don't think that it serves our users to not provide security support
for asterisk, especially considering its popularity.

Regards,
Faidon
