Need help with asterisk?

Tzafrir Cohen tzafrir.cohen at xorcom.com
Tue Oct 11 10:46:13 UTC 2016


Hi,

Thanks for your work,

On Tue, Oct 11, 2016 at 10:35:38AM +0200, Bernhard Schmidt wrote:
> On Sat, Oct 08, 2016 at 09:21:47PM +0200, Bernhard Schmidt wrote:
> 
> > > Best would be if you can try to look into squashing security-related bugs 
> > > in stable and oldstable.  Or I could prepare that and you can take 
> > > the dialogue with the release team to get permission for releasing it.
> > 
> > I'll have a look at the one open security issue in stable, maybe I can
> > wrap something up that fixes AST-2016-007. Never dealt with the security
> > team either.
> 
> I'm in contact with the security team and we should have a DSA pretty
> soon. The only question now is how to deal with the git repo. The jessie
> branch
> (https://anonscm.debian.org/cgit/pkg-voip/asterisk.git/log/?h=jessie)
> has unreleased changes that won't be eligible for security.

The fixes there:

61d451d (origin/jessie) feed changelog

  Probably worth reverting.


db637ff add fix for ASTERISK-24711 (enable DTLS read ahead)

  A bug fix, indeed.


467993f (jessie) AST-2015-002 CURL() HTTP request injection issues

  Security fix. Still needs to be verified.


9f8ffea Add a placeholder conf in manager.c (#776080)

  Not security, but a trivial and important bug-fix. I recommend
  including it.


> 
> How should I deal with this?
> 
> - revert the patches in the jessie branch and put the security patches
>   on top
> - add a jessie-security branch
> - force-push the jessie branch to an older commit
> 
> I think the last option would break everyone's clone, so that's a no-go.
> I'm leaning to option #1. Any opinion?

I prefer it as well.

-- 
               Tzafrir Cohen
icq#16849755              jabber:tzafrir.cohen at xorcom.com
+972-50-7952406           mailto:tzafrir.cohen at xorcom.com
http://www.xorcom.com