Bug#435521: closed by Mark Purcell <msp at debian.org> (Re: Asterisk SIP DOS Vulnerability)

Faidon Liambotis paravoid at debian.org
Sat Aug 18 12:05:07 UTC 2007


Martin Schulze wrote:
> Faidon Liambotis wrote:
>> Granted, we have a very very bad record as maintainers of supporting
>> this security-wise but I think we can try to change that. I certainly
>> will try my best to provide you with patched versions to upload.
>> I haven't discussed this with the rest of the team yet, but I think they
>> are willing to help with this.
> 
> The main problem is that Asterisk is team maintained and nobody in
> the team (except you at the moment) seems to care about a safe version
> of asterisk in stable and oldstable.  The security team itself is not
> able to support the package on its own and thus has to depend on the
> respective maintainers.
Right. FWIW, you can count on me for security updates, even if the rest
of the team doesn't change their minds wrt security fixes.

Since you have no previous grounds to trust me on this though, I'd
propose to postpone this discussion closer to the release of lenny so
you can have some hard facts regarding my (our?) responsiveness or
carelessness.

Is that acceptable to you (you being security@)?

>> I don't think that it serves our users to not provide security support
>> for asterisk, especially considering its popularity.
> 
> The question is what is better:
> 
>  . stale version of Asterisk with local and remote vulnerabilities
>    in Debian stable, OR
> 
>  . no version of Asterisk in Debian stable at all
> 
> Moritz's preference is the second.
If it comes to that, I definitely agree with this.

Regards,
Faidon
