Bug#539473: CVE-2009-2651: Remote Crash Vulnerability in RTP stack

Moritz Muehlenhoff jmm at inutil.org
Sun Oct 4 19:25:00 UTC 2009


Sorry for the late followup, I've been on vacation.

On Wed, Sep 16, 2009 at 11:21:39PM +0300, Faidon Liambotis wrote:
> Hi,
> 
> Moritz Muehlenhoff wrote:
> > Asterisk maintainers, what should be done about stable? Would it
> > make sense to update the stable version to 1.4.26.2 in a point update?
> > (IIRC there's still a performance regression affecting Lenny from
> > a previous security update?)
> This particular vulnerability does not affect lenny/1.4.
> 
> There hasn't been a security update for lenny yet, perhaps you're
> thinking etch?

Yes, I seem to have confused this.
 
> You are right that we should do an update for a point release of lenny
> though to address a minor information disclosure vulnerability[1], plus
> some other non-security related bugs. However, I'd like to avoid
> upgrading to a newer 1.4.x release but backport changes instead; we used
> to heavily patch our sources and changing the upstream release is prone
> to errors.

Fine with me.
 
> As for etch, the current version should be affected by multiple
> vulnerabilities (information disclosure *and* remote DoS) and I'm
> currently unable to properly take care of them and test it. Unless a
> comaintainer steps up (please people, do!) I'd be more inclined to suggest
> a premature end of security support (are there precedents for this?)

We can do that, yes. There are some precedents, like rails or Mozilla.

Cheers,
        Moritz