Bug#666944: [Secure-testing-team] Bug#666944: asterisk: Buffer overflow vulnerability

John Goerzen jgoerzen at complete.org
Mon Apr 2 21:58:27 UTC 2012


That is fine with me, Jonathan.  I think you're right that the tracker 
is wrong, but also we aren't shipping vulnerabilities by default.

-- John

On 04/02/2012 04:50 PM, Jonathan Wiltshire wrote:
> On Mon, Apr 02, 2012 at 01:38:40PM -0500, John Goerzen wrote:
>> Package: asterisk
>> Version: 1:1.6.2.9-2+squeeze4
>> Severity: grave
>> Tags: security squeeze
>> Justification: user security hole
>>
>> Per:
>>
>> http://downloads.asterisk.org/pub/security/AST-2012-002.txt
>>
>> the asterisk in squeeze is vulnerable to a buffer overflow.
> Security team: the tracker says not-affected (Vulnerable code not present);
> this seems not to be the case but the default configuration protects from
> this vulnerability. I will take it on as a no-dsa if you wish.
>
> John: on that basis, do you agree the severity should be reduced (probably
> to important)?
>
>
>> The package in testing may also be vulnerable to:
>>
>> http://downloads.asterisk.org/pub/security/AST-2012-003.txt
> Currently it is. I have suggested to the release team that they age the
> version in sid to get the fix into testing.
>
>