Bug#666944: [Secure-testing-team] Bug#666944: asterisk: Buffer overflow vulnerability
Jonathan Wiltshire
jmw at debian.org
Mon Apr 2 21:50:07 UTC 2012
On Mon, Apr 02, 2012 at 01:38:40PM -0500, John Goerzen wrote:
> Package: asterisk
> Version: 1:1.6.2.9-2+squeeze4
> Severity: grave
> Tags: security squeeze
> Justification: user security hole
>
> Per:
>
> http://downloads.asterisk.org/pub/security/AST-2012-002.txt
>
> the asterisk in squeeze is vulnerable to a buffer overflow.

Security team: the tracker says not-affected (Vulnerable code not present);
this seems not to be the case but the default configuration protects from
this vulnerability. I will take it on as a no-dsa if you wish.

John: on that basis, do you agree the severity should be reduced (probably
to important)?

> The package in testing may also be vulnerable to:
>
> http://downloads.asterisk.org/pub/security/AST-2012-003.txt

Currently it is. I have suggested to the release team that they age the
version in sid to get the fix into testing.
--
Jonathan Wiltshire jmw at debian.org
Debian Developer http://people.debian.org/~jmw
4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51
<directhex> i have six years of solaris sysadmin experience, from
8->10. i am well qualified to say it is made from bonghits
layered on top of bonghits