Bug#666944: [Secure-testing-team] Bug#666944: asterisk: Buffer overflow vulnerability

Jonathan Wiltshire jmw at debian.org
Mon Apr 2 21:50:07 UTC 2012


On Mon, Apr 02, 2012 at 01:38:40PM -0500, John Goerzen wrote:
> Package: asterisk
> Version: 1:1.6.2.9-2+squeeze4
> Severity: grave
> Tags: security squeeze
> Justification: user security hole
> 
> Per:
> 
> http://downloads.asterisk.org/pub/security/AST-2012-002.txt
> 
> the asterisk in squeeze is vulnerable to a buffer overflow.

Security team: the tracker says not-affected (Vulnerable code not present);
this seems not to be the case but the default configuration protects from
this vulnerability. I will take it on as a no-dsa if you wish.

John: on that basis, do you agree the severity should be reduced (probably
to important)?


> The package in testing may also be vulnerable to:
> 
> http://downloads.asterisk.org/pub/security/AST-2012-003.txt

Currently it is. I have suggested to the release team that they age the
version in sid to get the fix into testing.


-- 
Jonathan Wiltshire                                      jmw at debian.org
Debian Developer                         http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51

<directhex> i have six years of solaris sysadmin experience, from
            8->10. i am well qualified to say it is made from bonghits
            layered on top of bonghits