Asterisk: multiple vulnerabilities

Faidon Liambotis paravoid at debian.org
Sat Aug 18 12:26:25 UTC 2007


Steffen Joeris wrote:
> It got a bit unorganized, which was my fault as well, apologize for not 
> informing you guys properly. Please have a look at the package for etch I 
> prepared and see, if you can incorporate your changes into them or the other 
> way around. I did not get many test reports so far, except one.
> The package mainly incorporates the security version from Suse. There are also 
> other CVEs, but the code is either not present in the debian version, or only 
> experimental, or there were other issues.
I'm in the process of merging my changes with the changes made by you
(== Skolelinux) and Ubuntu and I will have a look at what Suse and maybe
others did.

Overall, the changes are not *that* big.

> As you know the build-dep on libzapp-dev is missing. How do you want to build 
> the package on all the buildds? Uploading a package to -testing-security, 
> which will FTBFS is not an option. 
> If we could get it to build the same modules without FTBFS though, we could 
> upload a version to testing-security.
Stefan said[1] that the resulting binary package was missing: app_flash,
app_meetme, app_page, app_zapbarge, app_zapras, app_zapscan, chan_zap.so
and cdr_sqlite3_custom.

cdr_sqlite3_custom is a "bug" I fixed in my version; all the others are
Zaptel-related, I think.
Asterisk in lenny was built with zaptel 1.2, but now lenny has zaptel
1.4, which moved some development headers around; therefore autoconf fails
to find them.

So, as I said it will need some changes to build successfully under
current lenny.

We can work on this, even though I don't feel entirely comfortable
making that kind of change on a security update.
That's why I proposed to push etch binaries to testing, if that's
possible (which probably isn't).

However, I think that at the moment it's more important to push an etch
update.

Comments?

Regards,
Faidon

1: <200708112017.05547.sf at debian.org>


