Bug#435521: closed by Mark Purcell <msp at debian.org> (Re: Asterisk SIP DOS Vulnerability)

Mark Purcell msp at debian.org
Wed Aug 8 17:28:09 UTC 2007


On Wed, 8 Aug 2007, Lionel Elie Mamane wrote:
> Yes, but we should still fix that in stable, not only unstable.

Yes, I wasn't suggesting that we don't fix it in stable, but rather that a
fix was available and had been uploaded to Debian (unstable).  The BTS
supports version tracking and even though the bug may be closed, these
security issues are still listed as open for asterisk in etch.

Of course if we have a way of testing the fix in unstable is valid,
that's even better.

Of course fixing the plethora of security fixes against asterisk 1.2 is an
issue and a fair amount of work.  Whilst Digium continues to provide supported
releases of 1.2.x with bug fixes, by rights we should be only taking
the diffs and applying them to Debian stable via the Debian security team, which
is a job in itself.

We are maintaining up-to-date asterisk 1.2 packages built against stable (etch) via
http://buildserver.net, but that is using the latest asterisk 1.2 upstream
release and isn't a suitable security fix for upload to stable (but would be a lot
less work and would get the fixes into stable very quickly).

security team. This is an issue, we (pkg-voip) are aware we are well behind the
curve on this, but were wondering if you have any ideas on a way to better manage?

Mark