On Thu, Aug 30, 2012 at 07:43:21PM +0300, Tzafrir Cohen wrote:
> On Thu, Aug 30, 2012 at 05:51:46PM +0200, Moritz Muehlenhoff wrote:
> > On Fri, Jul 06, 2012 at 08:06:56AM +0200, Moritz Muehlenhoff wrote:
> > > Package: asterisk
> > > Severity: grave
> > > Tags: security
> > >
> > > http://downloads.asterisk.org/pub/security/AST-2012-010.html (no CVE yet)
> > > http://downloads.asterisk.org/pub/security/AST-2012-011.html (CVE-2012-3812)
> > >
> > > 1.6 is not mentioned in the "Affected versions", but I haven't validated
> > > whether because it's no longer supported/tracked upstream or because the
> > > issues are not present. Can you double-check?
> > >
> > > For sid/wheezy, please remember that we're in freeze and only isolated
> > > fixes are to be made instead of updating to a new full upstream release.
> > >
> > > Once you've uploaded, please send an unblock request by filing a bug
> > > against the release.debian.org pseudo package.
> >
> > What's the status? This is marked pending for nearly two months now!
>
> For some reason I had the impression we had 1.8.13.1 packaged.
>
> I would suggest to upload 1.8.13.1, which is exactly 1.8.13.0 + the
> fixes for those two issues:
>
> http://svnview.digium.com/svn/asterisk/tags/1.8.13.1/?view=log
>
> For the record, they were fixed in the branch in:
> http://svnview.digium.com/svn/asterisk?view=revision&revision=369652
> http://svnview.digium.com/svn/asterisk?view=revision&revision=369436
>
> Note, however, that today we had the following commits:
> http://svnview.digium.com/svn/asterisk?view=revision&revision=372015
> http://svnview.digium.com/svn/asterisk?view=revision&revision=371998
>
> So this is just as good a timing as any for a new package.

Two new issues have been announced, we should incorporate these:

CVE-2012-2186: http://downloads.digium.com/pub/security/AST-2012-012.html
CVE-2012-4737: http://downloads.digium.com/pub/security/AST-2012-013.html

Cheers,
Moritz