Bug#539473: CVE-2009-2651: Remote Crash Vulnerability in RTP stack
Faidon Liambotis
paravoid at debian.org
Mon Oct 5 12:02:55 UTC 2009
Moritz Muehlenhoff wrote:
>> You are right that we should do an update for a point release of lenny
>> though to address a minor information disclosure vulnerability[1], plus
>> some other non-security related bugs. However, I'd like to avoid
>> upgrading to a newer 1.4.x release but backport changes instead; we used
>> to heavily patch our sources and changing the upstream release is prone
>> to errors.
>
> Fine with me.
OK, will do soon.
>> As for etch, the current version should be affected by multiple
>> vulnerabilities (information disclosure *and* remote DoS) and I'm
>> currently unable to properly take care of them and test it. Unless a
>> comaintainer steps up (please people, do!) I'd more inclined to suggest
>> a premature end of security support (are there precedents for this?)
>
> We can do that, yes. The are some precedents, like rails or Mozilla.
Hm, OK, I'll let you know in a few days.
I guess an e-mail to security at d.o would be sufficient?
Thanks,
Faidon
More information about the Pkg-voip-maintainers
mailing list