On Fri, Aug 31, 2012 at 12:14:05PM +0200, Moritz Muehlenhoff wrote:
> On Thu, Aug 30, 2012 at 07:43:21PM +0300, Tzafrir Cohen wrote:
> > On Thu, Aug 30, 2012 at 05:51:46PM +0200, Moritz Muehlenhoff wrote:
> > > On Fri, Jul 06, 2012 at 08:06:56AM +0200, Moritz Muehlenhoff wrote:
> > > > Package: asterisk
> > > > Severity: grave
> > > > Tags: security
> > > >
> > > > http://downloads.asterisk.org/pub/security/AST-2012-010.html (no CVE
> > > > yet)
> > > > http://downloads.asterisk.org/pub/security/AST-2012-011.html
> > > > (CVE-2012-3812)

Regarding AST-2011-011 and Squeeze: It appears to be the result of wrong
fixes for a memory leak (see commit message below). I have not tried to
apply the original memory leak fix (r354889 is the one on branch 1.8) or
a proper version of it on the version in Squeeze.

Note that memory leak fixes normally don't get an advisory and there are
quite a few of them in the 1.8 branch, so I'm not sure I would bother
just for this one.

Short version: technically does not apply.

> > > >
> > > > 1.6 is not mentioned in the "Affected versions", but I haven't
> > > > validated whether
> > > > because it's no longer supported/tracked upstream or because the issues
> > > > are not present. Can you double-check?
> > > >
> > > > For sid/wheezy, please remember that we're in freeze and only isolated
> > > > fixes
> > > > are to be made instead of updating to a new full upstream release.
> > > >
> > > > Once you've uploaded, please send an unblock request by filing a bug
> > > > against
> > > > the release.debian.org pseudo package.
> > >
> > > What's the status? This is marked pending for nearly two months now!
> >
> > For some reason I had the impression we had 1.8.13.1 packaged.
> >
> > I would suggest to upload 1.8.13.1, which is exactly 1.8.13.0 + the
> > fixes for those two issues:
> >
> > http://svnview.digium.com/svn/asterisk/tags/1.8.13.1/?view=log
> >
> > For the record, they were fixed in the branch in:
> > http://svnview.digium.com/svn/asterisk?view=revision&revision=369652
> > http://svnview.digium.com/svn/asterisk?view=revision&revision=369436
> >
> > Note, however, that today we had the following commits:
> > http://svnview.digium.com/svn/asterisk?view=revision&revision=372015
> > http://svnview.digium.com/svn/asterisk?view=revision&revision=371998
> >
> > So this is just as good a timing as any for a new package.
>
> Two new issues have been announced, we should incorporate these:
>
> CVE-2012-2186:
> http://downloads.digium.com/pub/security/AST-2012-012.html

Note the wording. Issue is not completely mitigated. There are still
methods of sneaking in unwanted functionality (e.g. through setting
Asterisk environment variables).

> CVE-2012-4737:
> http://downloads.digium.com/pub/security/AST-2012-013.html

-- 
Tzafrir Cohen         icq#16849755              jabber:tzafrir.co...@xorcom.com
+972-50-7952406           mailto:tzafrir.co...@xorcom.com
http://www.xorcom.com  iax:gu...@local.xorcom.com/tzafrir