Bug#435521: closed by Mark Purcell <msp at debian.org> (Re: Asterisk SIP DOS Vulnerability)

Faidon Liambotis paravoid at debian.org
Sat Aug 18 12:35:59 UTC 2007


Mark Purcell wrote:
> On Sat, 18 Aug 2007, Kilian Krause wrote:
>>> Comments?
>> If the rest of pkg-voip developers agrees, i'll just put up a pseudo
>> RC-bug against asterisk to make sure it's not progressing into testing
>> anymore (and therefore not contained in stable release of Lenny and
>> newer).
> I don't agree with keeping asterisk out of lenny permanently, I think we 
> should wait until closer to the lenny release and then make that decision.  
> In the event that asterisk 1.4.x is stable and in maintenance fixes upstream,
> then I see no reason why it should be excluded from lenny.
I wholeheartedly disagree with Kilian too.

What's the point of maintaining a package in Debian if it's not to be
included on Debian releases?

> Asterisk 1.2.x is a different beast; had etch been released with the current
> asterisk 1.2.x then we could maintain it via upstream security releases. But etch
> was released with an early asterisk 1.2, and that is what we have to work with.
> I can see an argument for asterisk 1.2.x being removed from etch. We need to
> either:
> 
> 1. Continue/start backporting security fixes from 1.2.x, or
> 2. Remove asterisk 1.2.x from etch, and/or
> 3. Track upstream 1.2.x security releases, via volatile or just direct
> our users to pkg-voip.buildserver.net for etch packages.
I don't think that removing security support for etch is sensible at
this point.
When etch was released, we promised our users that we (as in Debian)
would provide security support for it for the whole release cycle.

We can't just back out of this promise.

Moreover, have you actually *tried* to make any security fixes?
I did and it was trivial, for the ones I caught.

Trivial as in: svn log branches/1.2, find a commit message that refers
to the ASA, svn diff -c rNNNN and apply this to our version.

Granted, others may be more complicated, but we're enough people to
support this I think.
And even if the rest of the team is not willing to do work for obsolete
versions (I can understand that), I certainly am willing to do this.

> For lenny, I recommend we get ftp-master to force the removal of 
> asterisk 1.2.x, it FTBFS, it has vulnerabilities etc. In the meantime, I 
> think it is suitable for asterisk 1.4 to migrate to lenny via unstable 
> per the normal rules. As vulnerabilities are discovered we publish the 
> fix into unstable and migrate according to the two/five day rules.
Well, that's a solution.
But, we have an RC bug against asterisk-h323 that prevents it from
entering testing that we don't know how to solve yet.
Plus, the version in testing has BRI support while the current version
in unstable doesn't and we plan to re-add support for them eventually.

So, we'll need to solve these two issues ASAP.

Has any of you tested branches/experimental? I have it working
successfully for enough time here at home.
I haven't tested it with PRI cards however.

Regards,
Faidon
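The backport recipe Faidon sketches (svn log on branches/1.2, find the commit whose message cites the advisory, svn diff -c rNNNN, apply the result to the Debian tree) as an added shell example. This is not part of the mail or of the Debian asterisk packaging. The svn log text it parses is constructed sample output whose revision numbers and advisory IDs are placeholders; BRANCH and DEBIAN_TREE are assumed paths; and the script only prints the svn and patch commands, so it runs offline without a repository.

```shell
#!/bin/sh
# Added example, not from the original mail: turn "svn log branches/1.2, find
# the commit that cites the advisory, svn diff -c rNNNN, apply to our tree"
# into a repeatable recipe.
#
# Assumptions (not from the page): BRANCH is a working copy of upstream
# branches/1.2 and DEBIAN_TREE is the unpacked Debian source. SAMPLE_LOG is
# constructed `svn log` output; its revision numbers and advisory IDs are
# placeholders, not real Asterisk commits or advisories.

BRANCH="${BRANCH:-branches/1.2}"
DEBIAN_TREE="${DEBIAN_TREE:-./debian-asterisk}"

SAMPLE_LOG='------------------------------------------------------------------------
r12345 | dev | 2007-07-20 10:00:00 +0000 (Fri, 20 Jul 2007) | 1 line

Fix crash on malformed SIP INVITE (ASA-EXAMPLE-1)
------------------------------------------------------------------------
r12346 | dev | 2007-07-21 11:00:00 +0000 (Sat, 21 Jul 2007) | 1 line

Update CHANGES for ASA-EXAMPLE-1
------------------------------------------------------------------------
r12350 | dev | 2007-07-25 09:00:00 +0000 (Wed, 25 Jul 2007) | 1 line

Unrelated whitespace cleanup
------------------------------------------------------------------------
r12360 | dev | 2007-08-01 09:00:00 +0000 (Wed, 01 Aug 2007) | 1 line

Fix buffer handling in chan_skinny (ASA-EXAMPLE-2)
------------------------------------------------------------------------'

# revs_for_advisory ADVISORY LOGTEXT
# Print the revision (rNNNN) of every log entry whose message mentions
# ADVISORY, one per line, in log order. Entries are delimited by the dashed
# separator lines, so a match anywhere in one message counts and a match in
# a neighbouring entry does not bleed over.
revs_for_advisory() {
    printf '%s\n' "$2" | awk -v adv="$1" '
        /^r[0-9]+ [|] /  { rev = $1; hit = 0; next }
        /^-+$/           { if (hit && rev != "") print rev; rev = ""; hit = 0; next }
        index($0, adv)   { hit = 1 }
    '
}

# backport_commands ADVISORY LOGTEXT
# For each matching revision, print the commands that extract the upstream
# fix as a patch and check (without touching any file) that it applies
# cleanly to the Debian tree. Printed rather than executed so the example
# runs offline; pipe the output into sh once the paths are real.
backport_commands() {
    revs_for_advisory "$1" "$2" | while IFS= read -r rev; do
        printf 'svn diff -c %s %s > %s.diff\n' "$rev" "$BRANCH" "$rev"
        printf 'patch --dry-run -p0 -d %s < %s.diff\n' "$DEBIAN_TREE" "$rev"
    done
}

backport_commands ASA-EXAMPLE-1 "$SAMPLE_LOG"
```

Searching the log by advisory ID rather than by keyword matters because, as the sample shows, a single advisory can be spread over several commits (the fix plus the CHANGES entry), and the dry-run patch step is what tells you whether the etch version has drifted far enough from branches/1.2 that the diff needs hand-adjustment.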
