Bug#539473: CVE-2009-2651: Remote Crash Vulnerability in RTP stack

Moritz Muehlenhoff jmm at inutil.org
Mon Oct 5 22:05:41 UTC 2009


On Mon, Oct 05, 2009 at 03:02:55PM +0300, Faidon Liambotis wrote:
> Moritz Muehlenhoff wrote:
> >> You are right that we should do an update for a point release of lenny
> >> though to address a minor information disclosure vulnerability[1], plus
> >> some other non-security related bugs. However, I'd like to avoid
> >> upgrading to a newer 1.4.x release but backport changes instead; we used
> >> to heavily patch our sources and changing the upstream release is prone
> >> to errors.
> > 
> > Fine with me.
> OK, will do soon.
> 
> >> As for etch, the current version should be affected by multiple
> >> vulnerabilities (information disclosure *and* remote DoS) and I'm
> >> currently unable to properly take care of them and test it. Unless a
> >> co-maintainer steps up (please people, do!) I'd be more inclined to suggest
> >> a premature end of security support (are there precedents for this?)
> > 
> > We can do that, yes. There are some precedents, like rails or Mozilla.
> 
> Hm, OK, I'll let you know in a few days.
> I guess an e-mail to security at d.o would be sufficient?

We can announce the EOL for Etch when the next Asterisk DSA appears for Lenny,
but feel free to post to debian-securityl.d.o earlier.

Cheers,
        Moritz
