Bug#680470: Two security issues: AST-2012-010 / AST-2012-011
Tzafrir Cohen
tzafrir.cohen at xorcom.com
Fri Aug 31 13:23:44 UTC 2012
On Fri, Aug 31, 2012 at 12:14:05PM +0200, Moritz Muehlenhoff wrote:
> On Thu, Aug 30, 2012 at 07:43:21PM +0300, Tzafrir Cohen wrote:
> > On Thu, Aug 30, 2012 at 05:51:46PM +0200, Moritz Muehlenhoff wrote:
> > > On Fri, Jul 06, 2012 at 08:06:56AM +0200, Moritz Muehlenhoff wrote:
> > > > Package: asterisk
> > > > Severity: grave
> > > > Tags: security
> > > >
> > > > http://downloads.asterisk.org/pub/security/AST-2012-010.html (no CVE yet)
> > > > http://downloads.asterisk.org/pub/security/AST-2012-011.html (CVE-2012-3812)
Regarding AST-2011-011 and Squeeze:
It appears to be the result of wrong fixes for a memory leak (see commit
message below). I have not tries to apply the original memory leak fix
(r354889 is the one on branch 1.8) or a proper version of it on the the
version in Squeeze. Note that memory leak fixes normally don't get an
advisory and there are quite a few of them in the 1.8 branch so I'm not
sure I would bother just for this one.
Short version: technically does not apply.
> > > >
> > > > 1.6 is not mentioned in the "Affected versions", but I haven't validated whether
> > > > because it's no longer supported/tracked upstream or because the issues
> > > > are not present. Can you double-check?
> > > >
> > > > For sid/wheezy, please remember that we're in freeze and only isolated fixes
> > > > are to be made instead of updating to a new full upstream release.
> > > >
> > > > Once you've uploaded, please send an unblock request by filing a bug against
> > > > the release.debian.org pseudo package.
> > >
> > > What's the status? This is marked pending for nearly two months now!
> >
> > For some reason I had the impression we had 1.8.13.1 packaged.
> >
> > I would suggest to upload 1.8.13.1 , which is exactly 1.8.13.0 + the
> > fixes for those two issues:
> >
> > http://svnview.digium.com/svn/asterisk/tags/1.8.13.1/?view=log
> >
> > For the record, they were fixed in the branch in:
> > http://svnview.digium.com/svn/asterisk?view=revision&revision=369652
> > http://svnview.digium.com/svn/asterisk?view=revision&revision=369436
> >
> > Note, however, that today we had the following commits:
> > http://svnview.digium.com/svn/asterisk?view=revision&revision=372015
> > http://svnview.digium.com/svn/asterisk?view=revision&revision=371998
> >
> > So this is juas a good a timing as any for a new package.
>
> Two new issues have been announced, we should incorporate these:
>
> CVE-2012-2186:
> http://downloads.digium.com/pub/security/AST-2012-012.html
Note the wording. Issue is not compltely mitigated. There are still
methods of sneaking in unwanted functionality (e.g. through setting
Asterisk environment variables).
>
> CVE-2012-4737:
> http://downloads.digium.com/pub/security/AST-2012-013.html
--
Tzafrir Cohen
icq#16849755 jabber:tzafrir.cohen at xorcom.com
+972-50-7952406 mailto:tzafrir.cohen at xorcom.com
http://www.xorcom.com iax:guest at local.xorcom.com/tzafrir
More information about the Pkg-voip-maintainers
mailing list