Bug#704114: asterisk: asterisk security advisories: AST-2013-001 / AST-2013-002 / AST-2013-003

Tzafrir Cohen tzafrir.cohen at xorcom.com
Sat Apr 6 12:25:20 UTC 2013


On Fri, Apr 05, 2013 at 03:24:29PM +0200, Salvatore Bonaccorso wrote:
> Hi Tzafrir
> 
> On Fri, Mar 29, 2013 at 06:53:31AM +0100, Salvatore Bonaccorso wrote:
> > Hi Tzafrir
> > 
> > On Thu, Mar 28, 2013 at 09:37:30AM +0200, Tzafrir Cohen wrote:
> > > On Thu, Mar 28, 2013 at 06:23:32AM +0100, Salvatore Bonaccorso wrote:
> > > > Package: asterisk
> > > > Severity: grave
> > > > Tags: security patch upstream
> > > > 
> > > > Hi,
> > > > 
> > > > the following vulnerabilities were published for asterisk.
> > > > 
> > > > CVE-2013-2685[0]:
> > > > Buffer Overflow Exploit Through SIP SDP Header
> > > > 
> > > > CVE-2013-2686[1]:
> > > > Denial of Service in HTTP server
> > > > 
> > > > CVE-2013-2264[2]:
> > > > Username disclosure in SIP channel driver
> > > > 
> > > > For CVE-2013-2685 the tracker[3] mentions only 1.11.x. Could you
> > > > double-check that squeeze, testing and wheezy are not affected?
> > > 
> > > According to the Upstream advisories, both are in effect for 1.8.
> > > Didn't yet check backporting it (to our 1.8 in Testing/Unstable) and to
> > > 1.6.2 in Stable.
> > 
> > Thank you for confirming! (note my above comment was related only to
> > one of the issues, CVE-2013-2685).
> > 
> > Could you prepare updates to be included via unstable in wheezy?
> 
> Ping? Did you have a chance to look at it already?

Update:

AST-2013-001 (CVE-2013-2685):
  Not applicable to either Stable or Testing/Unstable:
  new code not included yet even in 1.8.

AST-2013-002 (CVE-2013-2686):
  Applies to Testing/Unstable but not to Stable:
  Testing/Unstable: see patch from Upstream. Stable: httpd code does not
  read HTTP POST variables.

AST-2013-003 (CVE-2013-2264):
  Applies to both Testing and Unstable.
  Testing/Unstable: see patch from Upstream. Stable: Patch backported.

For Unstable/Testing I include two other simple bug fixes. Both are trivial
backports from later 1.8.x revisions.

-- 
               Tzafrir Cohen
icq#16849755              jabber:tzafrir.cohen at xorcom.com
+972-50-7952406           mailto:tzafrir.cohen at xorcom.com
http://www.xorcom.com  iax:guest at local.xorcom.com/tzafrir