Your message dated Wed, 29 Aug 2007 09:47:07 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#438419: fixed in wengophone 2.1.1.dfsg0-3
has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)
Debian bug tracking system administrator
(administrator, Debian Bugs database)
--- Begin Message ---
Package: wengophone
Version: 2.1.1.dfsg0-2
Severity: grave
Tags: security
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
From CVE-2007-4366:
"A message validation check flaw in the WengoPhone SIP phone implementation
may allow a remote attacker to crash the phone, causing denial of
service.
The vulnerability occurs as a result of how the SIP client component
handles an incorrect SIP packet. Method of INVITE or MESSAGE will be
ok. MESSAGE is a SIP method for Instant Messaging.
After WengoPhone receives a malformed packet without a "Content-Type"
field, which we call the "Missing Content-Type Vulnerability", it will crash."
It looks like the openwengo project hasn't yet released a patch, but they're
working on it:
http://dev.openwengo.com/pipermail/wengophone-devel/2007-August/006412.html
Please mention the CVE id in the changelog.
- -- System Information:
Debian Release: lenny/sid
APT prefers unstable
APT policy: (500, 'unstable'), (500, 'testing'), (1, 'experimental')
Architecture: i386 (i686)
Kernel: Linux 2.6.22-1-686 (SMP w/1 CPU core)
Locale: LANG=it_IT.UTF-8, LC_CTYPE=it_IT.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
iD8DBQFGxKZcRqobajv7n7MRAkO8AJ9zpolqcRPxmD7N3Wumf8/F0AV+QwCfTFTf
AS9qhid+NeVCYLf3kfvlRSo=
=Y4dg
-----END PGP SIGNATURE-----
--- End Message ---
--- Begin Message ---
Source: wengophone
Source-Version: 2.1.1.dfsg0-3
We believe that the bug you reported is fixed in the latest version of
wengophone, which is due to be installed in the Debian FTP archive:
wengophone-dbg_2.1.1.dfsg0-3_i386.deb
to pool/main/w/wengophone/wengophone-dbg_2.1.1.dfsg0-3_i386.deb
wengophone_2.1.1.dfsg0-3.diff.gz
to pool/main/w/wengophone/wengophone_2.1.1.dfsg0-3.diff.gz
wengophone_2.1.1.dfsg0-3.dsc
to pool/main/w/wengophone/wengophone_2.1.1.dfsg0-3.dsc
wengophone_2.1.1.dfsg0-3_i386.deb
to pool/main/w/wengophone/wengophone_2.1.1.dfsg0-3_i386.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Marco Nenciarini <[EMAIL PROTECTED]> (supplier of updated wengophone package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Wed, 29 Aug 2007 09:53:50 +0200
Source: wengophone
Binary: wengophone-dbg wengophone
Architecture: source i386
Version: 2.1.1.dfsg0-3
Distribution: unstable
Urgency: low
Maintainer: Debian VoIP Team <[EMAIL PROTECTED]>
Changed-By: Marco Nenciarini <[EMAIL PROTECTED]>
Description:
wengophone - SIP-based software telephone with video and chat features
wengophone-dbg - SIP-based software telephone with video and chat features
Closes: 434389 435747 438419
Changes:
wengophone (2.1.1.dfsg0-3) unstable; urgency=low
.
[ Marco Nenciarini ]
* debian/control: Priority of wengophone-dbg changed to extra
to match the overrides file
* debian/control: Changed maintainer to Debian VoIP Team.
* debian/control: Added myself as uploader.
.
[ Kilian Krause ]
* Add dpkg-dev (>= 1.13.19) to Build-Depends for binary:Version
.
[ Ludovico Cavedon ]
* Added patch head/alsa-plughw-default.patch to enable selection of
additional sound cards. Closes: #435747
* Added patch generic/phapi-fix-empty-ctype-dos.patch to prevent crash on
messages with no Content-Type. Closes: #438419
* Moved menu item to Applications/Network/Communication to conform to new
Debian Policy (lintian warning menu-item-uses-apps-section)
* Added patch def-enable-video-fix.patch to make PHAPI_VIDEO_SUPPORT=OFF work
* Disabled video support for sid, as mpeg-based video codecs have been
removed from ffmpeg. Closes: #434389
* Added desktop-file-update.patch to remove deprecated "Encoding" line
(lintian info desktop-entry-contains-encoding-key)
* Modified qobjectthreadsafe-fix-qt42.patch to initialize _blockEvents
before calling moveToThread()
* Added patch curl-openssl-mt-fix.patch to fix some crashes inside cURL lib:
- initialize cURL before starting threads
- set CURLOPT_NOSIGNAL to 1, as specified in cURL doc
- initialize openssl with locking callbacks for multi-thread applications
Files:
14fbcd0ed1310f4aac950a14cb9ce9a1 1520 net optional wengophone_2.1.1.dfsg0-3.dsc
4845a1882518a607e4b8fac528f2c11e 17568 net optional wengophone_2.1.1.dfsg0-3.diff.gz
7a020e09e272d657a59975ef8f6d492a 7075468 net optional wengophone_2.1.1.dfsg0-3_i386.deb
61d39296ab58d04775e6d1914d83dee8 30098358 net extra wengophone-dbg_2.1.1.dfsg0-3_i386.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
iD8DBQFG1TEdaGRzDfCV5eQRAnLJAJ9wWdsuaN8a0WvkYerQIfyecomC2ACgihbB
n/7qNjOqaJsbES5i+OWanaQ=
=rozk
-----END PGP SIGNATURE-----
--- End Message ---
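
A defensive check of the kind the changelog entry for generic/phapi-fix-empty-ctype-dos.patch describes, written here as an added example; it is not the Debian patch or WengoPhone/phapi code. The function names, result codes and sample messages are assumptions constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Hypothetical result codes for this example. */
enum sip_check { SIP_OK, SIP_REJECT_NO_CTYPE, SIP_REJECT_MALFORMED };

/* Return the value of header `name` (case-insensitive), or NULL if absent. */
static const char *sip_find_header(const char *msg, const char *name)
{
    size_t nlen = strlen(name);
    const char *line = strstr(msg, "\r\n");          /* skip the start line */
    while (line != NULL) {
        line += 2;
        if (line[0] == '\r' && line[1] == '\n')
            return NULL;                             /* end of header section */
        if (strncasecmp(line, name, nlen) == 0 && line[nlen] == ':')
            return line + nlen + 1 + strspn(line + nlen + 1, " \t");
        line = strstr(line, "\r\n");
    }
    return NULL;
}

/* Reject a body with a missing or empty type before any handler reads it. */
enum sip_check sip_check_body(const char *msg)
{
    const char *body = strstr(msg, "\r\n\r\n");
    if (body == NULL)
        return SIP_REJECT_MALFORMED;                 /* headers never end */
    const char *ctype = sip_find_header(msg, "Content-Type");
    if (ctype == NULL)
        ctype = sip_find_header(msg, "c");           /* RFC 3261 compact form */
    if (body[4] != '\0' && (ctype == NULL || *ctype == '\r'))
        return SIP_REJECT_NO_CTYPE;
    return SIP_OK;
}

/* Constructed sample input, not captured traffic. */
static const char MSG_TYPED[] = "MESSAGE sip:a@example.invalid SIP/2.0\r\n"
    "Content-Type: text/plain\r\nContent-Length: 2\r\n\r\nhi";
static const char MSG_UNTYPED[] = "MESSAGE sip:a@example.invalid SIP/2.0\r\n"
    "Content-Length: 2\r\n\r\nhi";

int main(void)
{
    printf("typed=%d untyped=%d\n",
           sip_check_body(MSG_TYPED), sip_check_body(MSG_UNTYPED));
    return 0;
}
```

A message with no body and no Content-Type is accepted, since only a body needs a declared type.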