Asterisk: multiple vulnerabilities

Steffen Joeris steffen.joeris at skolelinux.de
Sat Aug 18 02:15:15 UTC 2007


Hi

> > CVE-2007-4103
>
> This (ASA-2007-018) doesn't apply to etch. It's a fix for a
> vulnerability that was introduced by a newer version than what we have
> in etch.
> That being said, the reason this was introduced was to fix a bug that
> may or may not have security implications -- I don't think there was an
> ASA or CVE for that but I may be wrong.
>
> I'll definitely have a look but this seems more complicated and fragile
> and will need more testing, so I'd say that we should initially exclude
> this.
>
> > Steffen Joeris started working on an update, please coordinate your
> > efforts, I'm Ccing him.
> > http://developer.skolelinux.no/~white/debs/security/etch/asterisk/
>
> I became aware of his efforts after I sent you the email.
> Stefan Fritsch (a DD, but not a pkg-voip member) sent an email to
> pkg-voip pointing us to Steffen's efforts but I was not a member of the
> team at that point.
>
> AFAIK, we've never heard from Steffen; Steffen, I think we should
> coordinate a bit on this one, feel free to contact the list or me
> personally.
It got a bit unorganized, which was my fault as well; I apologize for not 
informing you guys properly. Please have a look at the package for etch I 
prepared and see if you can incorporate your changes into it or the other 
way around. I did not get many test reports so far, except one.
The package mainly incorporates the security version from SUSE. There are also 
other CVEs, but the code is either not present in the Debian version, or only 
experimental, or there were other issues.

> > Steffen also prepared a testing-security upload.
>
> Stefan's mail claimed that there are quite a few missing modules from
> Steffen's package compared to the current one (including the one due to
> the missing dependency I fixed, which you read about in the changelog).
> Plus, building with the current testing will certainly need some
> extensive changes as it currently FTBFS.
>
> So, again, if there is a way to upload etch's packages to testing (which
> is what we have now after all) -ignoring the fact that it will FTBFS in
> the testing suite, since this is a temporary measure- I think we should
> go for it, IMHO.
As you know, the build-dep on libzapp-dev is missing. How do you want to build 
the package on all the buildds? Uploading a package to testing-security 
which will FTBFS is not an option. 
If we could get it to build the same modules without FTBFS though, we could 
upload a version to testing-security.

Cheers
Steffen