Asterisk: multiple vulnerabilities

Faidon Liambotis paravoid at debian.org
Thu Aug 16 05:16:43 UTC 2007


Hello,

I'm a member of the Debian VoIP packages team and I have prepared a
security update for Asterisk for stable that fixes CVE-2007-1594,
CVE-2007-2294, CVE-2007-3762, CVE-2007-3763 and CVE-2007-3764.

Attached you will find the diff -- it's a bit messy due to the use of
dpatch but once applied it's pretty straightforward.
This is from asterisk/branches/etch on our SVN repository[1].

I've successfully built this in a clean etch chroot and debdiff'ed them
with the ones in etch without anomalies.

I'm requesting permission to upload to SecurityUploadQueue.

I guess you will be writing the DSAs;
http://ftp.digium.com/pub/asa/ASA-2007-011.html (etc.) could help you
fill in the necessary information.

unstable has moved to a major new upstream version and the current
version in unstable (1.4.10) is not affected by these vulnerabilities.

testing OTOH has the same version as stable and *is* affected.
Updating via testing-security is a bit of a problem however since
changes since the release of etch made the package FTBFS.

Is there a way to push the etch binaries to testing as-is?
It's a bit of a policy violation but could help our users until all of
the RC bugs of the unstable version get resolved.

Thanks,
Faidon

1: svn://svn.debian.org/pkg-voip/asterisk/branches/etch
Attachment: asterisk-1.2.13~dfsg-2etch1.diff
URL: http://lists.alioth.debian.org/pipermail/pkg-voip-maintainers/attachments/20070816/b37b92cb/attachment.txt
