Need help with asterisk?

Bernhard Schmidt berni at debian.org
Tue Oct 11 11:11:21 UTC 2016


On Tue, Oct 11, 2016 at 01:46:13PM +0300, Tzafrir Cohen wrote:

Hi Tzafrir,

> On Tue, Oct 11, 2016 at 10:35:38AM +0200, Bernhard Schmidt wrote:
> > On Sat, Oct 08, 2016 at 09:21:47PM +0200, Bernhard Schmidt wrote:
> > 
> > > > Best would be if you can try to look into squashing security-related bugs 
> > > > in stable and oldstable.  Or I could prepare that and you can take 
> > > > the dialogue with the release team to get permission for releasing it.
> > > 
> > > I'll have a look at the one open security issue in stable, maybe I can
> > > wrap something up that fixes AST-2016-007. Never dealt with the security
> > > team either.
> > 
> > I'm in contact with the security team and we should have a DSA pretty
> > soon. The only question now is how to deal with the git repo. The jessie
> > branch
> > (https://anonscm.debian.org/cgit/pkg-voip/asterisk.git/log/?h=jessie)
> > has unreleased changes that won't be eligible for security.
> 
> The fixes there:
> 
> 61d451d (origin/jessie) feed changelog
> 
>   Probably worth reverting.
> 
> 
> db637ff add fix for ASTERISK-24711 (enable DTLS read ahead)
> 
>   A bug fix, indeed.

Is this still necessary (I never ran WebRTC)?
https://issues.asterisk.org/jira/browse/ASTERISK-24711 points to
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=775502 in openssl,
fixed in jessie.

> 467993f (jessie) AST-2015-002 CURL() HTTP request injection issues
> 
>   Security fix. Still needs to be verified.

I think we can drop it for easiness, as the description says

| Since Asterisk may be configured to allow for user-supplied URLs to be
| passed to libcURL, it is possible that an attacker could use Asterisk as
| an attack vector to inject unauthorized HTTP requests if the version of
| libcURL installed on the Asterisk server is affected by CVE-2014-8150.

CVE-2014-8150 is fixed in all Debian versions of libcurl

https://security-tracker.debian.org/tracker/CVE-2014-8150

> 9f8ffea Add a placeholder conf in manager.c (#776080)
> 
>   Not security, but a trivial and important bug-fix. I recommend to
>   include it.

I don't think we can get that into a security release (touching /etc
nevertheless). When the DSA is out I'll have a look at a fix for the
next point release.

> > How should I deal with this?
> > 
> > - revert the patches in the jessie branch and put the security patches
> >   on top
> > - add a jessie-security branch
> > - force-push the jessie branch to an older commit
> > 
> > I think the last option would break everyone's clone, so that's a no-go.
> > I'm leaning to option #1. Any opinion?
> 
> I prefer it as well.

Thanks. As soon as I get the ack from the security team I'll upload the
changes.

Bernhard
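Option #1 from the thread (keep the jessie branch, revert its unreleased commits, put the security fix on top) worked through as a git session. This is an added example, not part of the mail or of the pkg-voip asterisk repository: the repository it builds, the commit messages, the file contents and the "AST-2016-007 placeholder" commit are all constructed stand-ins. The point it demonstrates is that reverting only appends to history, so existing clones fast-forward instead of breaking the way a force-push would.

```shell
#!/bin/sh
# Added illustration of "revert the unreleased patches, then land the security
# fix on top". Everything here is a constructed placeholder, not the real
# asterisk packaging branch.
set -eu

# rebuild_branch_for_security REPO_DIR
# Creates a throwaway repo whose "jessie" branch carries two unreleased commits,
# reverts them newest-first, and commits a placeholder security fix.
rebuild_branch_for_security() {
    repo="$1"
    rm -rf "$repo"
    git init -q "$repo"
    git -C "$repo" symbolic-ref HEAD refs/heads/jessie   # portable "init on branch jessie"
    git -C "$repo" config user.email "maintainer@example.invalid"
    git -C "$repo" config user.name "Example Maintainer"

    # 1. Released state: what the package in the stable archive was built from.
    printf 'asterisk (1:13.0-1) jessie; urgency=medium\n' > "$repo/changelog"
    printf 'original manager.c\n' > "$repo/manager.c"
    git -C "$repo" add changelog manager.c
    git -C "$repo" commit -q -m "Release 1:13.0-1"
    git -C "$repo" tag released

    # 2. Work that landed on the branch since, but is not eligible for a DSA.
    printf 'asterisk (1:13.0-2) UNRELEASED; urgency=medium\n' > "$repo/changelog"
    git -C "$repo" commit -q -am "feed changelog"
    printf 'placeholder conf\n' >> "$repo/manager.c"
    git -C "$repo" commit -q -am "Add a placeholder conf in manager.c"
    newest=$(git -C "$repo" rev-parse HEAD)
    older=$(git -C "$repo" rev-parse HEAD~1)

    # 3. Revert newest-first. History is only appended to, so every existing
    #    clone fast-forwards cleanly; nothing is rewritten.
    git -C "$repo" revert --no-edit "$newest" "$older" >/dev/null

    # 4. The security fix goes on top of the now-clean tree.
    printf 'placeholder for the AST-2016-007 patch\n' > "$repo/security.patch"
    git -C "$repo" add security.patch
    git -C "$repo" commit -q -m "Fix AST-2016-007 (placeholder commit)"
}

# tree_matches_release REPO_DIR
# Succeeds when the files that existed at the "released" tag are byte-identical
# on HEAD, i.e. the only delta left for the security upload is the fix itself.
tree_matches_release() {
    git -C "$1" diff --quiet released HEAD -- changelog manager.c
}

# Stand-alone run in a temporary directory, removed afterwards.
demo=$(mktemp -d)
rebuild_branch_for_security "$demo/asterisk"
tree_matches_release "$demo/asterisk" && echo "jessie tree == released + security fix"
git -C "$demo/asterisk" log --oneline
rm -rf "$demo"
```

The log printed at the end shows six commits: the release, the two unreleased changes, their two reverts, and the fix. The debdiff against the released tag then contains nothing but the security change, which is what the security team needs to review.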