Bug#559103: CVE-2009-4055: RTP Remote Crash Vulnerability

Moritz Muehlenhoff jmm at inutil.org
Sun Dec 6 21:04:07 UTC 2009


On Sun, Dec 06, 2009 at 08:48:33PM +0200, Faidon Liambotis wrote:
> Moritz, hi,
> 
> Moritz Muehlenhoff wrote:
> > Package: asterisk
> > Severity: grave
> > Tags: security
> > 
> > http://downloads.asterisk.org/pub/security/AST-2009-010.html
> Thanks! Fix just uploaded to sid; urgency high but likely to be blocked
> by the uw-imap transition.
> 
> Due to the severity of the vulnerability, it is my opinion that this
> should be fixed in lenny via the security queue. The advisory should
> also announce the EoL of asterisk in etch (also affected), as previously
> agreed.
> 
> We have several fixes accumulated for an upcoming spu upload, including
> but not limited to several CVEs that we have agreed before not to handle
> through the security queue due to their low severity.
> 
> For more information, you can have a look at the changelog[1] as
> prepared in pkg-voip's SVN.
> 
> Would you like me to include some of these security fixes in the
> security upload as well? Or should I just go and do an upload containing
> only the fix for CVE-2009-4055 and handle the rest in spu as originally
> intended?

If we're issuing a DSA we should include the minor fixes originally targeted
for a spu update.

Unfortunately, someone else will need to process this update; I'm currently
quite busy.

Cheers,
        Moritz





More information about the Pkg-voip-maintainers mailing list