[Secure-testing-commits] r39487 - data/CVE

Antoine Beaupré anarcat at moszumanska.debian.org
Fri Feb 5 18:38:31 UTC 2016


Author: anarcat
Date: 2016-02-05 18:38:31 +0000 (Fri, 05 Feb 2016)
New Revision: 39487

Modified:
   data/CVE/list
Log:
Summary: more patch and version information for asterisk


Modified: data/CVE/list
===================================================================
--- data/CVE/list	2016-02-05 18:14:43 UTC (rev 39486)
+++ data/CVE/list	2016-02-05 18:38:31 UTC (rev 39487)
@@ -56,20 +56,22 @@
 	- asterisk <unfixed>
 	NOTE: http://downloads.asterisk.org/pub/security/AST-2016-003.html
 	NOTE: https://issues.asterisk.org/jira/browse/ASTERISK-25603
-	NOTE: all versions down to 1.8 (wheezy) are vulnerable
-	TODO: see if squeeze (1.6) is vulnerable
+	NOTE: issue was introduced in 2006 with commit 0f5e4e47, so squeeze and previous also vulnerable
+	NOTE: patch for 11 / jessie: https://code.asterisk.org/code/changelog/asterisk?cs=da2573a3779425654543d6ac4c4dd6871ce16720
+	NOTE: all versions vulnerable, backport required for wheezy and squeeze-LTS
 CVE-2016-XXXX [AST-2016-002: File descriptor exhaustion in chan_sip]
 	- asterisk <unfixed>
 	NOTE: http://downloads.asterisk.org/pub/security/AST-2016-002.html
 	NOTE: https://issues.asterisk.org/jira/browse/ASTERISK-25397
-	NOTE: all versions down to 1.8 (wheezy) are vulnerable
-	TODO: see if squeeze (1.6) is vulnerable
+	NOTE: issue introduced in ~2008 with the SIP timer support implementation (https://issues.asterisk.org/jira/browse/ASTERISK-4257 https://issues.asterisk.org/jira/browse/ASTERISK-5187), so squeeze also vulnerable
+	NOTE: patch for jessie / 11: https://code.asterisk.org/code/changelog/asterisk?cs=882e85388295eac8eebd0b82e71a9af0a769b41f
+	NOTE: all versions vulnerable, backport required for wheezy and squeeze-LTS
 CVE-2016-XXXX [AST-2016-001: BEAST vulnerability in HTTP server]
 	- asterisk <unfixed>
 	NOTE: http://downloads.digium.com/pub/security/AST-2016-001.html
 	NOTE: https://issues.asterisk.org/jira/browse/ASTERISK-24972
-	NOTE: all versions down to 1.8 (wheezy) are vulnerable
-	TODO: see if squeeze (1.6) is vulnerable
+	NOTE: patch for 11 (jessie): https://code.asterisk.org/code/changelog/asterisk?cs=f233bcd81d85626ce5bdd27b05bc95d131faf3e4
+	NOTE: all versions vulnerable, backport required for wheezy and squeeze-LTS
 CVE-2016-XXXX [simpleid: passwords are stored as MD5]
 	- simpleid <unfixed> (bug #813611)
 CVE-2016-XXXX [XSS in Horde_Core_VarRenderer_Html]
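
Review bot: In the AST-2016-001 (BEAST) entry, the TODO asking whether squeeze (1.6) is vulnerable is dropped and replaced with "all versions vulnerable", but unlike the AST-2016-003 and AST-2016-002 entries there is no NOTE recording when the issue was introduced, so the squeeze conclusion has no stated basis in this entry. Either add a NOTE naming the introducing commit or issue, or keep the squeeze TODO until that has been checked. Smaller points: the three patch notes are worded three different ways ("patch for 11 / jessie", "patch for jessie / 11", "patch for 11 (jessie)"), which is worth normalizing for anyone grepping the list, and the introducing commit 0f5e4e47 in the AST-2016-003 entry is given only as a short hash with no URL, while the fix commits are full links.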