Bug#680470: Two security issues: AST-2012-010 / AST-2012-011

Moritz Muehlenhoff jmm at inutil.org
Fri Aug 31 10:14:05 UTC 2012


On Thu, Aug 30, 2012 at 07:43:21PM +0300, Tzafrir Cohen wrote:
> On Thu, Aug 30, 2012 at 05:51:46PM +0200, Moritz Muehlenhoff wrote:
> > On Fri, Jul 06, 2012 at 08:06:56AM +0200, Moritz Muehlenhoff wrote:
> > > Package: asterisk
> > > Severity: grave
> > > Tags: security
> > > 
> > > http://downloads.asterisk.org/pub/security/AST-2012-010.html (no CVE yet)
> > > http://downloads.asterisk.org/pub/security/AST-2012-011.html (CVE-2012-3812)
> > > 
> > > 1.6 is not mentioned in the "Affected versions", but I haven't validated whether
> > > because it's no longer supported/tracked upstream or because the issues
> > > are not present. Can you double-check?
> > > 
> > > For sid/wheezy, please remember that we're in freeze and only isolated fixes
> > > are to be made instead of updating to a new full upstream release.
> > > 
> > > Once you've uploaded, please send an unblock request by filing a bug against
> > > the release.debian.org pseudo package.
> > 
> > What's the status? This is marked pending for nearly two months now!
> 
> For some reason I had the impression we had 1.8.13.1 packaged.
> 
> I would suggest to upload 1.8.13.1, which is exactly 1.8.13.0 + the
> fixes for those two issues:
> 
> http://svnview.digium.com/svn/asterisk/tags/1.8.13.1/?view=log
> 
> For the record, they were fixed in the branch in:
> http://svnview.digium.com/svn/asterisk?view=revision&revision=369652
> http://svnview.digium.com/svn/asterisk?view=revision&revision=369436
> 
> Note, however, that today we had the following commits:
> http://svnview.digium.com/svn/asterisk?view=revision&revision=372015
> http://svnview.digium.com/svn/asterisk?view=revision&revision=371998
> 
> So this is just as good a timing as any for a new package.

Two new issues have been announced, we should incorporate these:

CVE-2012-2186:
http://downloads.digium.com/pub/security/AST-2012-012.html

CVE-2012-4737:
http://downloads.digium.com/pub/security/AST-2012-013.html

Cheers,
        Moritz
