On Fri, Aug 31, 2012 at 04:23:44PM +0300, Tzafrir Cohen wrote:
> Regarding AST-2011-011 and Squeeze:
>
> It appears to be the result of wrong fixes for a memory leak (see commit
> message below). I have not tried to apply the original memory leak fix
> (r354889 is the one on branch 1.8) or a proper version of it on the
> version in Squeeze. Note that memory leak fixes normally don't get an
> advisory and there are quite a few of them in the 1.8 branch so I'm not
> sure I would bother just for this one.
>
> Short version: technically does not apply.

I've updated the Debian Security Tracker.

> CVE-2012-2186:
>
> http://downloads.digium.com/pub/security/AST-2012-012.html
>
> Note the wording. Issue is not completely mitigated. There are still
> methods of sneaking in unwanted functionality (e.g. through setting
> Asterisk environment variables).

Yes, I think the correct "fix" here is to point to the updated best practice documentation by upstream.

Cheers,
Moritz