On Sun, 31-07-2005 at 16:02 -0700, Steve Langasek wrote:
> On Sun, Jul 31, 2005 at 10:48:48PM +0100, Mark Purcell wrote:
> > Bug #315532 has been raised as a grave security related bug against
> > asterisk-1.0.7, which is included in the released sarge.
>
> > It refers to a potential overflow in the Asterisk Manager Interface, which
> > is not enabled by default in the Debian asterisk package. In addition the
> > Debian asterisk package is not run as root as upstream, but rather as the
> > user asterisk with limited privs.
>
> An exploit that results in escalated, non-root privileges is a grave bug (as
> opposed to a root escalation bug, which is critical).
>
> > It has been pointed out that a user of the manager interface can execute
> > arbitrary commands anyway, so the potential for additional privs is again
> > limited even in the case that the manager interface is enabled and
> > exploited.
>
> But a *limited* potential for privilege escalation is still a potential for
> privilege escalation. If this bug can lead to privilege escalation in a
> normal use case for the package, then this ought to be treated as a security
> bug.
>
> > My query is does this warrant a release from the security team of the
> > relevant asterisk package? The patch is included against the bug report.
>
> If the patch is included in the bug report, why would we *not* want the
> security team to issue a DSA for it?
I agree, I don't see a reason why the security team doesn't take care of this.

regards,

-- 
Santiago Ruano Rincón
Grupo GNU/Linux de la Universidad del Cauca
GPG key fingerprint: 3821 4FB5 774A 611D 31E4 B268 414B 8423 6FEC CDE0
signature.asc
Description: This part of the message is digitally signed
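The thread's mitigation argument rests on two configuration facts: the Manager Interface is off unless `enabled = yes` is set in the `[general]` section of `manager.conf`, and any AMI account whose `write` permissions include `command` can already run commands. The script below is an added example, not code from this thread or from the Debian or Asterisk projects; it audits a `manager.conf`-style file for both points so an administrator can see which posture a host is actually in. Both sample configuration files are constructed for the example; on a real host you would point the functions at `/etc/asterisk/manager.conf` instead.

```shell
#!/bin/sh
# Added example, not part of the Debian thread: audit an Asterisk manager.conf
# for whether the Manager Interface is switched on at all and which AMI
# accounts hold write permissions that already let them run commands.
# The two config files created below are constructed for this example.

# ami_state FILE: print "enabled" if [general] has enabled=yes, else "disabled"
# (Asterisk treats a missing key as disabled).
ami_state() {
    awk -F'=' '
        /^[ \t]*\[/ { sect = $0; sub(/^[ \t]*\[/, "", sect); sub(/\].*/, "", sect) }
        sect == "general" && $1 ~ /^[ \t]*enabled[ \t]*$/ {
            v = $2; gsub(/[ \t\r]/, "", v); state = v
        }
        END { print ((state == "yes") ? "enabled" : "disabled") }
    ' "$1"
}

# ami_command_users FILE: print the name of every AMI account whose write
# permission list contains "command" (run CLI commands) or "system".
ami_command_users() {
    awk -F'=' '
        /^[ \t]*\[/ { sect = $0; sub(/^[ \t]*\[/, "", sect); sub(/\].*/, "", sect) }
        sect != "" && sect != "general" && $1 ~ /^[ \t]*write[ \t]*$/ {
            v = $2; gsub(/[ \t\r]/, "", v)
            v = "," v ","            # wrap so each class matches whole
            if (v ~ /,(command|system),/) print sect
        }
    ' "$1"
}

# Constructed sample: AMI on, bound to loopback, one account with full write rights.
SAMPLE_ENABLED=$(mktemp)
cat > "$SAMPLE_ENABLED" <<'EOF'
[general]
enabled = yes
port = 5038
bindaddr = 127.0.0.1

[monitor]
secret = monitor-pw
read = call,log
write = call

[admin]
secret = admin-pw
read = system,call,log,verbose,command,agent,user
write = system,call,log,verbose,command,agent,user
EOF

# Constructed sample: the default posture described in the thread, AMI off.
SAMPLE_DISABLED=$(mktemp)
sed 's/^enabled = yes$/enabled = no/' "$SAMPLE_ENABLED" > "$SAMPLE_DISABLED"

# Stand-alone run: report both files.
for f in "$SAMPLE_ENABLED" "$SAMPLE_DISABLED"; do
    printf '%s: AMI %s; accounts with command/system write access: %s\n' \
        "$f" "$(ami_state "$f")" "$(ami_command_users "$f" | tr '\n' ' ')"
done
```

Two things the output makes visible: a host whose file reports `disabled` is in the state the Debian maintainer relies on, and for a host that reports `enabled`, every account the second function lists already holds the command-execution rights the thread describes, so the remaining question is only what the overflow could add beyond them under the unprivileged `asterisk` user.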