Your message dated Tue, 5 Jun 2012 11:47:14 +0300
with message-id <20120605084714.gb16...@xorcom.com>
and subject line asterisk_1.8.13.0~dfsg-1_amd64.changes ACCEPTED into unstable
has caused the Debian Bug report #675210,
regarding asterisk: AST-2012-008 (CVE-2012-2948): remote crash issue in
chan_skinny
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
675210: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=675210
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: asterisk
Version: 1:1.8.11.1~dfsg-1
Severity: grave
Tags: upstream patch security
Justification: user security hole
When a skinny session is unregistered, the corresponding device pointer
is set to NULL in the channel private data. If the client was not in
the on-hook state at the time the connection was closed, the device
pointer can later be dereferenced if a message or channel event attempts
to use a line's pointer to said device.
The patches prevent this from occurring by checking the line's pointer
in message handlers and channel callbacks that can fire after an
unregistration attempt.
Exploiting this requires an established Skinny session, which implies a
configured Skinny (SCCP) device. If you have no idea what this means,
you don't have one.
For Wheezy and Sid, 1.8.12.2 is to be used. For Squeeze, Upstream's
patch has been adapted and is included in the pkg-voip SVN.
-- System Information:
Debian Release: wheezy/sid
Architecture: amd64 (x86_64)
Kernel: Linux 3.2.0-2-amd64 (SMP w/2 CPU cores)
Locale: LANG=he_IL.UTF-8, LC_CTYPE=he_IL.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
--- End Message ---
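A simplified C model of the failure described in the report above, added here as an illustration; it is not Asterisk or chan_skinny source, and every struct and function name is hypothetical. It replays an unregistration while the phone is off-hook and shows the guarded callback shape the report attributes to the patches.

```c
/* Simplified model of the object graph in the report; all names hypothetical. */
#include <stddef.h>

enum hook_state { ONHOOK, OFFHOOK };
struct device { const char *name; enum hook_state hook; int msgs_sent; };
struct line   { struct device *device; int active_calls; };
struct sub    { struct line *line; };  /* channel private data */

/* Session teardown clears the line's device pointer. If the phone was
 * off-hook, the sub-channel and its callbacks outlive this call. */
void unregister_device(struct line *l) { l->device = NULL; }

/* "Before" shape: assumes a line always has a device. Not called here. */
int hangup_unguarded(struct sub *s)
{
    struct device *d = s->line->device;
    d->msgs_sent++;              /* NULL dereference once unregistered */
    d->hook = ONHOOK;
    s->line->active_calls--;
    return 0;
}

/* "After" shape: a callback that can fire after unregistration checks the
 * pointer, still releases channel-side state, and skips device-side work. */
int hangup_guarded(struct sub *s)
{
    struct line *l = s->line;
    struct device *d = l ? l->device : NULL;

    if (l && l->active_calls > 0)
        l->active_calls--;       /* bookkeeping that needs no device */
    if (!d)
        return -1;               /* session gone: nothing to send */
    d->msgs_sent++;
    d->hook = ONHOOK;
    return 0;
}

/* Replays the reported sequence: off-hook call, unregister, then hangup. */
int replay_offhook_unregister(void)
{
    struct device d = { "SEP-CONSTRUCTED", OFFHOOK, 0 };  /* constructed sample */
    struct line l = { &d, 1 };
    struct sub s = { &l };
    unregister_device(&l);
    return hangup_guarded(&s) == -1 && l.active_calls == 0 && d.msgs_sent == 0;
}

int main(void) { return replay_offhook_unregister() ? 0 : 1; }
```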
--- Begin Message ---
Version: 1:1.8.13.0~dfsg-1
(There has been a typo in the changelog. s/#67521/#675210/. Manually
closing)
Accepted:
asterisk-config_1.8.13.0~dfsg-1_all.deb
to main/a/asterisk/asterisk-config_1.8.13.0~dfsg-1_all.deb
asterisk-dahdi_1.8.13.0~dfsg-1_amd64.deb
to main/a/asterisk/asterisk-dahdi_1.8.13.0~dfsg-1_amd64.deb
asterisk-dbg_1.8.13.0~dfsg-1_amd64.deb
to main/a/asterisk/asterisk-dbg_1.8.13.0~dfsg-1_amd64.deb
asterisk-dev_1.8.13.0~dfsg-1_all.deb
to main/a/asterisk/asterisk-dev_1.8.13.0~dfsg-1_all.deb
asterisk-doc_1.8.13.0~dfsg-1_all.deb
to main/a/asterisk/asterisk-doc_1.8.13.0~dfsg-1_all.deb
asterisk-mobile_1.8.13.0~dfsg-1_amd64.deb
to main/a/asterisk/asterisk-mobile_1.8.13.0~dfsg-1_amd64.deb
asterisk-modules_1.8.13.0~dfsg-1_amd64.deb
to main/a/asterisk/asterisk-modules_1.8.13.0~dfsg-1_amd64.deb
asterisk-mp3_1.8.13.0~dfsg-1_amd64.deb
to main/a/asterisk/asterisk-mp3_1.8.13.0~dfsg-1_amd64.deb
asterisk-mysql_1.8.13.0~dfsg-1_amd64.deb
to main/a/asterisk/asterisk-mysql_1.8.13.0~dfsg-1_amd64.deb
asterisk-ooh323_1.8.13.0~dfsg-1_amd64.deb
to main/a/asterisk/asterisk-ooh323_1.8.13.0~dfsg-1_amd64.deb
asterisk-voicemail-imapstorage_1.8.13.0~dfsg-1_amd64.deb
to main/a/asterisk/asterisk-voicemail-imapstorage_1.8.13.0~dfsg-1_amd64.deb
asterisk-voicemail-odbcstorage_1.8.13.0~dfsg-1_amd64.deb
to main/a/asterisk/asterisk-voicemail-odbcstorage_1.8.13.0~dfsg-1_amd64.deb
asterisk-voicemail_1.8.13.0~dfsg-1_amd64.deb
to main/a/asterisk/asterisk-voicemail_1.8.13.0~dfsg-1_amd64.deb
asterisk_1.8.13.0~dfsg-1.debian.tar.gz
to main/a/asterisk/asterisk_1.8.13.0~dfsg-1.debian.tar.gz
asterisk_1.8.13.0~dfsg-1.dsc
to main/a/asterisk/asterisk_1.8.13.0~dfsg-1.dsc
asterisk_1.8.13.0~dfsg-1_amd64.deb
to main/a/asterisk/asterisk_1.8.13.0~dfsg-1_amd64.deb
asterisk_1.8.13.0~dfsg.orig.tar.gz
to main/a/asterisk/asterisk_1.8.13.0~dfsg.orig.tar.gz
Changes:
asterisk (1:1.8.13.0~dfsg-1) unstable; urgency=high
.
* New upstream release.
- AST-2012-007 (CVE-2012-2947): Fix IAX receiving HOLD without
suggested MOH class crash (Closes: #675204).
- AST-2012-008 (CVE-2012-2948): remote crash issue in chan_skinny
(Closes: #67521).
- Patch gmime2.6 removed: merged upstream.
- Patch sparc32_disable removed: hacks removed from Upstream Makefile.
* Also pass LDFLAGS to menuselect (Closes: #664086 for real).
* Fully strip-out the ilbc code (Closes: #665938, #665937).
- Patch ilbc_disable to fix the build.
* Patch httpd_port: Fix port number of Asterisk httpd.
* While we're at it: Closes: #606959, which is a non-issue.
Override entries for your package:
asterisk-config_1.8.13.0~dfsg-1_all.deb - optional comm
asterisk-dahdi_1.8.13.0~dfsg-1_amd64.deb - optional comm
asterisk-dbg_1.8.13.0~dfsg-1_amd64.deb - extra debug
asterisk-dev_1.8.13.0~dfsg-1_all.deb - extra devel
asterisk-doc_1.8.13.0~dfsg-1_all.deb - extra doc
asterisk-mobile_1.8.13.0~dfsg-1_amd64.deb - optional comm
asterisk-modules_1.8.13.0~dfsg-1_amd64.deb - optional libs
asterisk-mp3_1.8.13.0~dfsg-1_amd64.deb - optional comm
asterisk-mysql_1.8.13.0~dfsg-1_amd64.deb - optional comm
asterisk-ooh323_1.8.13.0~dfsg-1_amd64.deb - optional comm
asterisk-voicemail-imapstorage_1.8.13.0~dfsg-1_amd64.deb - optional comm
asterisk-voicemail-odbcstorage_1.8.13.0~dfsg-1_amd64.deb - optional comm
asterisk-voicemail_1.8.13.0~dfsg-1_amd64.deb - optional comm
asterisk_1.8.13.0~dfsg-1.dsc - source comm
asterisk_1.8.13.0~dfsg-1_amd64.deb - optional comm
Announcing to debian-devel-chan...@lists.debian.org
Closing bugs: 606959 664086 665937 665938 675204 67521
Thank you for your contribution to Debian.
--- End Message ---