Bug#704114: asterisk: asterisk security advisories: AST-2013-001 / AST-2013-002 / AST-2013-003
Salvatore Bonaccorso
carnil at debian.org
Fri Mar 29 05:53:31 UTC 2013
Hi Tzafrir
On Thu, Mar 28, 2013 at 09:37:30AM +0200, Tzafrir Cohen wrote:
> On Thu, Mar 28, 2013 at 06:23:32AM +0100, Salvatore Bonaccorso wrote:
> > Package: asterisk
> > Severity: grave
> > Tags: security patch upstream
> >
> > Hi,
> >
> > the following vulnerabilities were published for asterisk.
> >
> > CVE-2013-2685[0]:
> > Buffer Overflow Exploit Through SIP SDP Header
> >
> > CVE-2013-2686[1]:
> > Denial of Service in HTTP server
> >
> > CVE-2013-2264[2]:
> > Username disclosure in SIP channel driver
> >
> > For CVE-2013-2685 the tracker[3] mentions only 1.11.x. Could you
> > doublecheck that squeeze, testing and wheezy are not affected?
>
> According to the Upstream advisories, both are in effect for 1.8 .
> Didn't yet check backporting it (to our 1.8 in Testing/Unstable) and to
> 1.6.2 in Stable.
Thank you for confirming! (note my above comment was related only to
one of the issues, CVE-2013-2685).
Could you prepare updates to be included via unstable in wheezy?
Thank you for your work!
Regards,
Salvatore
More information about the Pkg-voip-maintainers
mailing list