Bug#554486: New asterisk vulnerabilities

Moritz Muehlenhoff jmm at inutil.org
Sat Nov 7 17:15:55 UTC 2009


On Wed, Nov 04, 2009 at 11:09:48PM +0200, Faidon Liambotis wrote:
> Security Team, hi,
> 
> Two new asterisk vulnerabilities were announced today, affecting lenny
> and unstable; the first one also affects etch.
> 
> http://downloads.asterisk.org/pub/security/AST-2009-008.html
> http://downloads.asterisk.org/pub/security/AST-2009-009.html
> 
> No CVE numbers yet.

AST-2009-008 is CVE-2009-3727, the ID for AST-2009-008 in the advisory
is wrong/duped.

> These are tracked in Debian BTS as #554487 and #554486, respectively.
> 
> My opinion is that these are relatively minor. My plan is:
> - for lenny, fixing them in an s-p-u upload (along with some other
>   stacked up fixes)
> - for sid, fixing them with the next upload, whenever that is,
> - for etch, not fixing them but announcing an EoL of its security support
>   due to other vulnerabilities, as previously agreed with Moritz.
> 
> Let me know if you disagree with any of the above.

Agreed and added to the Security Tracker.

Cheers,
        Moritz





More information about the Pkg-voip-maintainers mailing list