Asterisk: multiple vulnerabilities

Faidon Liambotis paravoid at debian.org
Thu Aug 23 01:06:24 UTC 2007


Moritz Muehlenhoff wrote:
> As a general rule of thumb, no. But in the case of asterisk we could
> make an exception and advise users to upgrade to stable. asterisk will
> typically run on a more or less dedicated PBX machine anyway.
Good, I think this would be nice, even though I don't like being the
special case :)

Anyway, as said before CVE-2007-3764 (ASA-2007-016), CVE-2007-1306,
CVE-2007-1561 plus all of the CVEs not affecting etch, are not affecting
sarge.

I created a sarge branch in our repository[1] from 1:1.0.7.dfsg.1-2, did
four commits for 1:1.0.7.dfsg.1-2sarge1 to ...4 and tagged them.

So, attached is the current diff between tags/1.0.7.dfsg.1-2sarge4 and
branches/sarge, fixing CVE-2007-1594 (ASA-2007-011, CVE-2007-2297),
CVE-2007-2294 (ASA-2007-012), CVE-2007-3762 (ASA-2007-014),
CVE-2007-2488, CVE-2007-3763 (ASA-2007-015).

Compiles cleanly with no warnings.
As I said, I am unable to runtime test it.
I double-checked and the changes seem fine to me.
A thorough review is most welcome.

Let me know if it seems OK for uploading to SecurityUploadQueue.

I hope I made it in time for the same DSA :)

Regards,
Faidon

1: svn://svn.debian.org/pkg-voip/asterisk/branches/sarge
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: 2sarge5.diff
Url: http://lists.alioth.debian.org/pipermail/pkg-voip-maintainers/attachments/20070823/ef757f73/attachment-0001.txt