Asterisk: multiple vulnerabilities
Moritz Muehlenhoff
jmm at inutil.org
Fri Aug 17 20:42:32 UTC 2007
Faidon Liambotis wrote:
> I'm a member of the Debian VoIP packages team and I have prepared a
> security update for Asterisk for stable that fixes CVE-2007-1594,
> CVE-2007-2294, CVE-2007-3762, CVE-2007-3763 and CVE-2007-3764.
Good, it's nice to see progress on asterisk.
There are further issues in Etch:
CVE-2007-2297
CVE-2007-1306
CVE-2007-1561
CVE-2007-1595
CVE-2007-2488
CVE-2007-4103
Steffen Joeris started working on an update; please coordinate your
efforts. I'm CCing him.
http://developer.skolelinux.no/~white/debs/security/etch/asterisk/
> Attached you will find the diff -- it's a bit messy due to the use of
> dpatch but once applied it's pretty straightforward.
> This is from asterisk/branches/etch on our SVN repository[1].
>
> I've successfully built this in a clean etch chroot and debdiff'ed them
> with the ones in etch without anomalies.
>
> I'm requesting permission to upload to SecurityUploadQueue.
Most important: Has it been tested? (We can't test a VoIP PBX solution.)
> I guess you will be writing the DSAs;
> http://ftp.digium.com/pub/asa/ASA-2007-011.html (etc.) could help you
> fill the necessary information.
>
> unstable has moved to a major new upstream version and the current
> version in unstable (1.4.10) is not affected by these vulnerabilities.
>
> testing OTOH has the same version as stable and *is* affected.
> Updating via testing-security is a bit of a problem however since
> changes since the release of etch made the package FTBFS.
>
> Is there a way to push the etch binaries to testing as-is?
> It's a bit of a policy violation but could help our users until all of
> the RC bugs of the unstable version get resolved.
Steffen also prepared a testing-security upload.
Cheers,
Moritz