Bug#559103: CVE-2009-4055: RTP Remote Crash Vulnerability

Faidon Liambotis paravoid at debian.org
Sun Dec 6 18:48:33 UTC 2009


Moritz, hi,

Moritz Muehlenhoff wrote:
> Package: asterisk
> Severity: grave
> Tags: security
> 
> http://downloads.asterisk.org/pub/security/AST-2009-010.html

Thanks! Fix just uploaded to sid; urgency high but likely to be blocked
by the uw-imap transition.

Due to the severity of the vulnerability, it is my opinion that this
should be fixed in lenny via the security queue. The advisory should
also announce the EoL of asterisk in etch (also affected), as previously
agreed.

We have several fixes accumulated for an upcoming spu upload, including
but not limited to several CVEs that we have agreed before not to handle
through the security queue due to their low severity.

For more information, you can have a look at the changelog[1] as
prepared in pkg-voip's SVN.

Would you like me to include some of these security fixes in the
security upload as well? Or should I just go and do an upload containing
only the fix for CVE-2009-4055 and handle the rest in spu as originally
intended?

Thanks,
Faidon

1:
http://svn.debian.org/wsvn/pkg-voip/asterisk/branches/lenny/debian/changelog




