Bug#554486: New asterisk vulnerabilities

Faidon Liambotis paravoid at debian.org
Sun Nov 8 20:06:30 UTC 2009


Moritz Muehlenhoff wrote:
> On Wed, Nov 04, 2009 at 11:09:48PM +0200, Faidon Liambotis wrote:
>> Security Team, hi,
>>
>> Two new asterisk vulnerabilities were announced today, affecting lenny
>> and unstable; the first one affects also etch.
>>
>> http://downloads.asterisk.org/pub/security/AST-2009-008.html
>> http://downloads.asterisk.org/pub/security/AST-2009-009.html
> 
> This one is about a prototypejs issue, which is included in
> Asterisk and which was fixed in the prototypejs Debian package
> in 1.6.0.2-1. Since the code was removed since 1:1.6.2.0~rc3-1,
> it should already be fixed, am I correct?
Yes, it is mentioned in the 1:1.6.2.0~rc3-1 changelog:

* Stop shipping old static-http code in examples. Among other things, it
  includes a vulnerable version of the prototype Javascript library.

I have the same change in the lenny upload I'm preparing, although I'm less
than happy with the fact that users who have already copied this from the
examples to their web root will still be vulnerable.

Thanks,
Faidon
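Added here as an example, not code from the thread or from the Asterisk or Debian packages: a small check for the concern raised above, stale copies of prototype.js left in a web root after the package stopped shipping it. It assumes that upstream 1.6.0.2 is the first fixed release (the thread names the Debian package 1.6.0.2-1) and relies on prototype.js declaring its version in a `Version: '...'` field at the top of the file.

```python
import os
import re
import tempfile
from pathlib import Path

# prototype.js opens with:  var Prototype = { Version: '1.6.0.3', ...
VERSION_RE = re.compile(r"Prototype\s*=\s*\{\s*Version:\s*'([0-9.]+)'")

# Assumption: upstream 1.6.0.2 is the first fixed release, matching the
# Debian package version 1.6.0.2-1 mentioned in the thread.
FIXED_VERSION = "1.6.0.2"


def version_tuple(v):
    """'1.6.0' -> (1, 6, 0); tuples compare component-wise like versions."""
    return tuple(int(p) for p in v.split("."))


def parse_prototype_version(text):
    """Return the declared Prototype version, or None if this is not prototype.js."""
    m = VERSION_RE.search(text)
    return m.group(1) if m else None


def find_stale_copies(webroot, fixed=FIXED_VERSION):
    """Return sorted [(path, version)] for every prototype.js under webroot older than `fixed`."""
    stale = []
    for path in Path(webroot).rglob("*.js"):
        try:
            with path.open(errors="replace") as fh:
                head = fh.read(4096)  # the version header is near the top
        except OSError:
            continue
        ver = parse_prototype_version(head)
        if ver and version_tuple(ver) < version_tuple(fixed):
            stale.append((str(path), ver))
    return sorted(stale)


def demo():
    """Constructed sample web root: one stale copy, one fixed copy, one unrelated script."""
    root = tempfile.mkdtemp()
    samples = {
        "static-http/prototype.js": "var Prototype = {\n  Version: '1.6.0',\n  Browser: {}\n};\n",
        "js/prototype.js": "var Prototype = { Version: '1.6.0.3', Browser: {} };\n",
        "js/app.js": "function init() { return 1; }\n",
    }
    for rel, body in samples.items():
        p = Path(root, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(body)
    return [(os.path.relpath(p, root), v) for p, v in find_stale_copies(root)]


if __name__ == "__main__":
    for path, ver in demo():
        print(f"{path}: prototype {ver} is older than {FIXED_VERSION}")
```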

More information about the Pkg-voip-maintainers mailing list