Hi,

Moritz Muehlenhoff wrote:
> Asterisk maintainers, what should be done about stable? Would it
> make sense to update the stable version to 1.4.26.2 in a point update?
> (IIRC there's still a performance regression affecting Lenny from
> a previous security update?)

This particular vulnerability does not affect lenny/1.4.
There hasn't been a security update for lenny yet, perhaps you're thinking of etch?

You are right that we should do an update for a point release of lenny though to address a minor information disclosure vulnerability[1], plus some other non-security related bugs. However, I'd like to avoid upgrading to a newer 1.4.x release but backport changes instead; we used to heavily patch our sources and changing the upstream release is prone to errors.

As for etch, the current version should be affected by multiple vulnerabilities (information disclosure *and* remote DoS) and I'm currently unable to properly take care of them and test it. Unless a comaintainer steps up (please people, do!) I'd be more inclined to suggest a premature end of security support (are there precedents for this?)

Thanks,
Faidon

1: http://downloads.asterisk.org/pub/security/AST-2009-001.html