Bug#680470: Two security issues: AST-2012-010 / AST-2012-011
Moritz Muehlenhoff
jmm at inutil.org
Fri Aug 31 13:32:19 UTC 2012
On Fri, Aug 31, 2012 at 04:23:44PM +0300, Tzafrir Cohen wrote:
> Regarding AST-2011-011 and Squeeze:
>
> It appears to be the result of wrong fixes for a memory leak (see commit
> message below). I have not tried to apply the original memory leak fix
> (r354889 is the one on branch 1.8) or a proper version of it on the
> version in Squeeze. Note that memory leak fixes normally don't get an
> advisory and there are quite a few of them in the 1.8 branch so I'm not
> sure I would bother just for this one.
>
> Short version: technically does not apply.
I've updated the Debian Security Tracker.
> > CVE-2012-2186:
> > http://downloads.digium.com/pub/security/AST-2012-012.html
>
> Note the wording. Issue is not completely mitigated. There are still
> methods of sneaking in unwanted functionality (e.g. through setting
> Asterisk environment variables).
Yes, I think the correct "fix" here is to point to the updated
best practice documentation by upstream.
Cheers,
Moritz