Bug#435521: closed by Mark Purcell <msp at debian.org> (Re: Asterisk SIP DOS Vulnerability)

Mark Purcell msp at debian.org
Sat Aug 18 11:09:46 UTC 2007


On Sat, 18 Aug 2007, Kilian Krause wrote:
> > Comments?
> 
> If the rest of pkg-voip developers agrees, i'll just put up a pseudo
> RC-bug against asterisk to make sure it's not progressing into testing
> anymore (and therefore not contained in stable release of Lenny and
> newer).

Kilian,

I don't agree with keeping asterisk out of lenny permanently, I think we 
should wait until closer to the lenny release and then make that decision.  
In the event that asterisk 1.4.x is stable and in maintenance fixes upstream,
then I see no reason why it should be excluded from lenny.

Asterisk 1.2.x is a different beast, and etch was released with the current
asterisk 1.2.x then we could maintain, via upstream security releases. But etch
was released with an early asterisk 1.2, and that is what we have to work with.
I can see an argument for asterisk 1.2.x being removed from etch. We need to
either:

1. Continue/start backporting security fixes from 1.2.x, or
2. Remove asterisk 1.2.x from etch, and/or
3. Track upstream 1.2.x security releases, via volatile or just direct
our users to pkg-voip.buildserver.net for etch packages.

For lenny, I recommend we get ftp-master to force the removal of 
asterisk 1.2.x, it FTBFS, it has vulnerabilities etc. In the meantime, I 
think it is suitable for asterisk 1.4 to migrate to lenny via unstable 
per the normal rules. As vulnerabilities are discovered we publish the 
fix into unstable and migrate according to the two/five day rules.

Mark
