question about asterisk in testing

Mark Purcell msp at debian.org
Fri May 11 17:26:43 UTC 2007


On Fri, 11 May 2007, you wrote:
> Let me ask about it before opening a grave security bug in BTS: how
> does the voip team handle recent security vulnerabilities (apr, may) in
> the stable and testing trees? As far as I see they were all fixed in
> unstable by using 1.4.xx but I see no fix for 1.2.xx. Some of those
> look pretty troubling, and seem to be fixed only in very recent
> 1.2.xx releases, which Debian seems to lack.

Hi Peter,

Thanks for the question.

> Is 1.4.xx stable enough for serious use, what do you think?

Let me answer your last question first...

1.4.xx is more than stable for serious use and in many places that's where
fixes are going to be applied first.

If you have a look at something like:

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=420865

You will see from the picture on the right hand side that we are tracking which versions
are affected by which bugs. So you are correct that there are some issues which have been resolved
by the upload of 1.4 to unstable, but still remain in testing.

The main path for upgrades to make it into testing is via the normal transition process,
and the reasons for asterisk waiting are detailed at:
http://bjorn.haxx.se/debian/testing.pl?package=asterisk

Upgrades to stable packages are mainly backports only by the security team.

Generally the security team will take the specific patch which addresses a
security issue and apply it to the version in etch.  Thus etch will remain with
asterisk 1.2.13 even though upstream have moved to 1.2.18, which mainly addresses
security issues.

The other factor is the severity of the problems.  DoS upgrades generally will
get picked up by the security team, but in slower time.  That said, the pkg-voip team
can always submit early backported patches for early consideration, but we
are driving towards getting 1.4.xx in a reasonable state for use.

We have started copying the Asterisk Security Advisories to the BTS so people can view which
issues are extant prior to installing a package from a certain version.  If you are aware of
security issues, then please do post to the BTS.  But be aware the fixes for bugs will generally
be via unstable, rather than updates to stable, unless it is a bad security bug.

The other factor is we need to get on top of the BTS; we have a lot of upstream bugs there
hanging around and there are a few other issues we could work on better.
You can always help by working through some of our bugs and either confirming them, providing a workaround,
forwarding them upstream, or just even noting which versions of packages are affected by which bugs.

Hope this helps.

Mark