Bug#539473: CVE-2009-2651: Remote Crash Vulnerability in RTP stack

Faidon Liambotis paravoid at debian.org
Wed Sep 16 20:21:39 UTC 2009


Hi,

Moritz Muehlenhoff wrote:
> Asterisk maintainers, what should be done about stable? Would it
> make sense to update the stable version to 1.4.26.2 in a point update?
> (IIRC there's still a performance regression affecting Lenny from
> a previous security update?)
This particular vulnerability does not affect lenny/1.4.

There hasn't been a security update for lenny yet, perhaps you're
thinking of etch?

You are right that we should do an update for a point release of lenny
though to address a minor information disclosure vulnerability[1], plus
some other non-security related bugs. However, I'd like to avoid
upgrading to a newer 1.4.x release but backport changes instead; we used
to heavily patch our sources and changing the upstream release is prone
to errors.

As for etch, the current version should be affected by multiple
vulnerabilities (information disclosure *and* remote DoS) and I'm
currently unable to properly take care of them and test it. Unless a
comaintainer steps up (please people, do!) I'd be more inclined to suggest
a premature end of security support (are there precedents for this?).

Thanks,
Faidon

1: http://downloads.asterisk.org/pub/security/AST-2009-001.html