Asterisk: multiple vulnerabilities

Faidon Liambotis paravoid at debian.org
Wed Aug 22 19:11:00 UTC 2007


Moritz Muehlenhoff wrote:
>>> There are further issues in Etch:
>>> CVE-2007-2297
>> Duplicate of CVE-2007-1594 but marked in the changelog anyway.
>> If you look at the CVE, they both reference #9313 in Digium's BTS.
> 
> I've contacted MITRE for confirmation, so that they can fix their
> database.
It is quite obvious so they'll probably fix it soon.

>> Do you want me to upload to SecurityUploadQueue or are you going to?
>> What about the DSA? Can I help you write it? Moritz was explaining how
>> to write a DSA in Edinburgh but I wasn't listening carefully enough :-)
> 
> Updates look fine, please upload. I'll take care of the rest.
OK, thanks.

FWIW, Asterisk 1.2 went into deep freeze, which means that it will only get
security fixes from now on. That should make our lives easier since I
won't have to hand-pick the patches.

> What do you do about Sarge?
Hmm, that's a good question.
sarge is at 1.0, so the job would be substantially harder.
Some of these issues probably won't apply to such an old version.

I promise I'll take a look however and get back to you.

BTW, I just uploaded 1.4.11 to unstable (which closes CVE-2007-4455
among other fixes -- does not affect etch).
We're aiming to push this to lenny by the end of the 10-day period, if
no new RC bugs come up.

Thanks,
Faidon
