Bug#680470: Two security issues: AST-2012-010 / AST-2012-011
Tzafrir Cohen
tzafrir.cohen at xorcom.com
Thu Aug 30 16:43:21 UTC 2012
On Thu, Aug 30, 2012 at 05:51:46PM +0200, Moritz Muehlenhoff wrote:
> On Fri, Jul 06, 2012 at 08:06:56AM +0200, Moritz Muehlenhoff wrote:
> > Package: asterisk
> > Severity: grave
> > Tags: security
> >
> > http://downloads.asterisk.org/pub/security/AST-2012-010.html (no CVE yet)
> > http://downloads.asterisk.org/pub/security/AST-2012-011.html (CVE-2012-3812)
> >
> > 1.6 is not mentioned in the "Affected versions", but I haven't validated whether
> > because it's no longer supported/tracked upstream or because the issues
> > are not present. Can you double-check?
> >
> > For sid/wheezy, please remember that we're in freeze and only isolated fixes
> > are to be made instead of updating to a new full upstream release.
> >
> > Once you've uploaded, please send an unblock request by filing a bug against
> > the release.debian.org pseudo package.
>
> What's the status? This is marked pending for nearly two months now!
For some reason I had the impression we had 1.8.13.1 packaged.
I would suggest to upload 1.8.13.1 , which is exactly 1.8.13.0 + the
fixes for those two issues:
http://svnview.digium.com/svn/asterisk/tags/1.8.13.1/?view=log
For the record, they were fixed in the branch in:
http://svnview.digium.com/svn/asterisk?view=revision&revision=369652
http://svnview.digium.com/svn/asterisk?view=revision&revision=369436
Note, however, that today we had the following commits:
http://svnview.digium.com/svn/asterisk?view=revision&revision=372015
http://svnview.digium.com/svn/asterisk?view=revision&revision=371998
So this is juas a good a timing as any for a new package.
--
Tzafrir Cohen
icq#16849755 jabber:tzafrir.cohen at xorcom.com
+972-50-7952406 mailto:tzafrir.cohen at xorcom.com
http://www.xorcom.com iax:guest at local.xorcom.com/tzafrir
More information about the Pkg-voip-maintainers
mailing list