On Thu, Mar 28, 2013 at 06:23:32AM +0100, Salvatore Bonaccorso wrote:
> Package: asterisk
> Severity: grave
> Tags: security patch upstream
>
> Hi,
>
> the following vulnerabilities were published for asterisk.
>
> CVE-2013-2685[0]:
> Buffer Overflow Exploit Through SIP SDP Header
>
> CVE-2013-2686[1]:
> Denial of Service in HTTP server
>
> CVE-2013-2264[2]:
> Username disclosure in SIP channel driver
>
> For CVE-2013-2685 the tracker[3] mentions only 1.11.x. Could you
> double-check that squeeze, testing and wheezy are not affected?

According to the upstream advisories, both are in effect for 1.8. Didn't
yet check backporting it (to our 1.8 in Testing/Unstable) and to 1.6.2 in
Stable.

> If you fix the vulnerabilities please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
>
> For further information see:
>
> [0] http://security-tracker.debian.org/tracker/CVE-2013-2685
>     http://downloads.asterisk.org/pub/security/AST-2013-001.html
> [1] http://security-tracker.debian.org/tracker/CVE-2013-2686
>     http://downloads.asterisk.org/pub/security/AST-2013-002.html
> [2] http://security-tracker.debian.org/tracker/CVE-2013-2264
>     http://downloads.asterisk.org/pub/security/AST-2013-003.html
> [3] https://issues.asterisk.org/jira/browse/ASTERISK-20901
>
> Please adjust the affected versions in the BTS as needed.

-- 
Tzafrir Cohen
icq#16849755 jabber:tzafrir.co...@xorcom.com +972-50-7952406
mailto:tzafrir.co...@xorcom.com http://www.xorcom.com
iax:gu...@local.xorcom.com/tzafrir

-- 
To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org