Need help with asterisk?
Bernhard Schmidt
berni at debian.org
Tue Oct 11 13:50:01 UTC 2016
On Tue, Oct 11, 2016 at 01:31:58PM +0200, Tzafrir Cohen wrote:
Hi Tzafrir,
> > > 9f8ffea Add a placeholder conf in manager.c (#776080)
> > >
> > > Not security, but a trivial and important bug-fix. I recommend to
> > > include it.
> >
> > I don't think we can get that into a security release (touching /etc
> > nevertheless). When the DSA is out I'll have a look at a fix for the
> > next point release.
>
> I'm well aware of the impact of changing /etc. Thus it creates a new
> file under /etc. This fixes a thorny issue in the default configuration
> that is all too easy to miss (until you edit manager.conf and see that
> changes are not applied, and you see that odd error).
>
> It's a low impact one, as it adds no configuration of its own. So while
> not a security fix, it is, IMHO, a good candidate for a low-risk bug fix
> that may piggy-back a new security release.
I have asked the security team and they are fine with it as long as a
stable release manager acks it. I have filed Bug#840426 for this.
> What exactly do you plan to include in the DSA?
The current patch includes
asterisk (1:11.13.1~dfsg-2+deb8u1) jessie-security; urgency=high

  * AST-2015-003: Fix TLS Certificate Common name NULL byte exploit
    (CVE-2015-3008) (Closes: #782411)
  * AST-2016-001: BEAST vulnerability in HTTP server (CVE-2011-3389)
  * AST-2016-002: File descriptor exhaustion in chan_sip (CVE-2016-2316)
  * AST-2016-003: Fix crash in UDPTL (CVE-2016-2232)
  * AST-2016-007: Fix RTP Resource Exhaustion (CVE-2016-7551) (Closes:
    #838832)

 -- Bernhard Schmidt <berni at debian.org>  Tue, 11 Oct 2016 11:59:50 +0200
Those are all listed on
https://security-tracker.debian.org/tracker/source-package/asterisk
Bernhard