Asterisk: multiple vulnerabilities

Steffen Joeris steffen.joeris at skolelinux.de
Tue Aug 21 04:25:04 UTC 2007 

On Tue, 21 Aug 2007 01:31:49 pm Faidon Liambotis wrote:
> Hello,
> Sorry for being late, real life issues and a load of Asterisk bugs in
> unstable kept me busy.
>
> I made updates to the security version I mentioned before.
> Attached is the diff; this version can also be found on pkg-voip's SVN[1].
>
> Moritz Muehlenhoff wrote:
> >> I'm a member of the Debian VoIP packages team and I have prepared a
> >> security update for Asterisk for stable that fixes CVE-2007-1594,
> >> CVE-2007-2294, CVE-2007-3762, CVE-2007-3763 and CVE-2007-3764.
> >
> > Good, it's nice to see progress on asterisk.
> >
> > There are further issues in Etch:
> > CVE-2007-2297
>
> Duplicate of CVE-2007-1594 but marked in the changelog anyway.
> If you look at the CVE, they both reference #9313 in Digium's BTS.
>
> > CVE-2007-1306
> > CVE-2007-1561
>
> Fixed.
>
> > CVE-2007-1595
>
> Only affecting Asterisk 1.4; already fixed in unstable and not affecting
> stable and testing.
>
> > CVE-2007-2488
>
> Fixed.
>
> > CVE-2007-4103
>
> As said before, this is ASA-2007-018.
> The advisory mentions that it only affects 1.2.20, 1.2.21, 1.2.21.1,
> 1.2.22 and the diff does not apply.
> stable/testing have 1.2.13 and hence they are not affected.
>
> I checked Skolelinux and Ubuntu's security updates.
> This version is a superset of both, i.e. it is fixing more
> vulnerabilities than both of them.
Just to clarify, there was no DESA (Debian-EduSecurityAnnounce) for 
debian-edu/skolelinux for asterisk, as we are not using asterisk and rely on 
DSAs for the packages we take from debian stable.
I was not working on asterisk from a debian-edu/skolelinux point of view, but 
from the testing-security's point of view. I cannot say anything about the 
DSA or upload to stable-security, as I am not a member of the stable security 
team, sorry.
Thanks for your efforts on asterisk, I can delete my etch versions now and 
know that you are taking care of it. Thanks again :)

Cheers
Steffen
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part.
Url : http://lists.alioth.debian.org/pipermail/pkg-voip-maintainers/attachments/20070821/2cc6eb2d/attachment-0001.pgp

More information about the Pkg-voip-maintainers mailing list