Asterisk: multiple vulnerabilities

Faidon Liambotis paravoid at debian.org
Tue Aug 21 03:31:49 UTC 2007


Hello,
Sorry for being late, real life issues and a load of Asterisk bugs in
unstable kept me busy.

I made updates to the security version I mentioned before.
Attached is the diff; this version can also be found on pkg-voip's SVN[1].

Moritz Muehlenhoff wrote:
>> I'm a member of the Debian VoIP packages team and I have prepared a
>> security update for Asterisk for stable that fixes CVE-2007-1594,
>> CVE-2007-2294, CVE-2007-3762, CVE-2007-3763 and CVE-2007-3764.
> 
> Good, it's nice to see progress on asterisk.
> 
> There are further issues in Etch:
> CVE-2007-2297
Duplicate of CVE-2007-1594 but marked in the changelog anyway.
If you look at the CVE, they both reference #9313 in Digium's BTS.

> CVE-2007-1306
> CVE-2007-1561
Fixed.

> CVE-2007-1595
Only affecting Asterisk 1.4; already fixed in unstable and not affecting
stable and testing.

> CVE-2007-2488
Fixed.

> CVE-2007-4103
As said before, this is ASA-2007-018.
The advisory mentions that it only affects 1.2.20, 1.2.21, 1.2.21.1,
1.2.22 and the diff does not apply.
stable/testing have 1.2.13 and hence they are not affected.

I checked Skolelinux and Ubuntu's security updates.
This version is a superset of both, i.e. it is fixing more
vulnerabilities than both of them.

On the unstable/testing front, I did fix our RC bug and pushed some
other changes that were needed when updating from testing.
I am going to upload a version that should be OK to migrate to testing
pretty soon, i.e. 1-2 days.
However, since this is going to be a new upstream too (security
vulnerability among other things), priority will stay low.

I think we should update etch for now and see about lenny in ~2 weeks.

Do you want me to upload to SecurityUploadQueue or are you going to?

What about the DSA? Can I help you write it? Moritz was explaining how
to write a DSA in Edinburgh but I wasn't listening carefully enough :-)

Regards,
Faidon

1: svn://svn.debian.org/pkg-voip/asterisk/branches/etch
Attachment: security-v2.diff
http://lists.alioth.debian.org/pipermail/pkg-voip-maintainers/attachments/20070821/82b04136/attachment-0001.txt