Bug#704114: asterisk: asterisk security advisories: AST-2013-001 / AST-2013-002 / AST-2013-003

Salvatore Bonaccorso carnil at debian.org
Fri Mar 29 05:53:31 UTC 2013


Hi Tzafrir

On Thu, Mar 28, 2013 at 09:37:30AM +0200, Tzafrir Cohen wrote:
> On Thu, Mar 28, 2013 at 06:23:32AM +0100, Salvatore Bonaccorso wrote:
> > Package: asterisk
> > Severity: grave
> > Tags: security patch upstream
> > 
> > Hi,
> > 
> > the following vulnerabilities were published for asterisk.
> > 
> > CVE-2013-2685[0]:
> > Buffer Overflow Exploit Through SIP SDP Header
> > 
> > CVE-2013-2686[1]:
> > Denial of Service in HTTP server
> > 
> > CVE-2013-2264[2]:
> > Username disclosure in SIP channel driver
> > 
> > For CVE-2013-2685 the tracker[3] mentions only 1.11.x. Could you
> > doublecheck that squeeze, testing and wheezy are not affected?
> 
> According to the Upstream advisories, both are in effect for 1.8 .
> Didn't yet check backporting it (to our 1.8 in Testing/Unstable) and to
> 1.6.2 in Stable.

Thank you for confirming! (note my above comment was related only to
one of the issues, CVE-2013-2685).

Could you prepare updates to be included via unstable in wheezy?

Thank you for your work!

Regards,
Salvatore



More information about the Pkg-voip-maintainers mailing list