Bug#704114: asterisk: asterisk security advisories: AST-2013-001 / AST-2013-002 / AST-2013-003
Salvatore Bonaccorso
carnil at debian.org
Fri Apr 5 13:24:29 UTC 2013
Hi Tzafrir
On Fri, Mar 29, 2013 at 06:53:31AM +0100, Salvatore Bonaccorso wrote:
> Hi Tzafrir
>
> On Thu, Mar 28, 2013 at 09:37:30AM +0200, Tzafrir Cohen wrote:
> > On Thu, Mar 28, 2013 at 06:23:32AM +0100, Salvatore Bonaccorso wrote:
> > > Package: asterisk
> > > Severity: grave
> > > Tags: security patch upstream
> > >
> > > Hi,
> > >
> > > the following vulnerabilities were published for asterisk.
> > >
> > > CVE-2013-2685[0]:
> > > Buffer Overflow Exploit Through SIP SDP Header
> > >
> > > CVE-2013-2686[1]:
> > > Denial of Service in HTTP server
> > >
> > > CVE-2013-2264[2]:
> > > Username disclosure in SIP channel driver
> > >
> > > For CVE-2013-2685 the tracker[3] mentions only 1.11.x. Could you
> > > double-check that squeeze, testing and wheezy are not affected?
> >
> > According to the Upstream advisories, both are in effect for 1.8.
> > Didn't yet check backporting it (to our 1.8 in Testing/Unstable) and to
> > 1.6.2 in Stable.
>
> Thank you for confirming! (note my above comment was related only to
> one of the issues, CVE-2013-2685).
>
> Could you prepare updates to be included via unstable in wheezy?
Ping? Did you have a chance to look at it already?
Thanks a lot, and
Regards,
Salvatore