Hi Benoit,

On Fri, Aug 26, 2022 at 09:28:01AM +0200, Benoît Panizzon wrote:
> Hi Salvatore
>
> > I'm not sure it makes sense that the CVE-2019-15297 was used both for
> > AST-2019-004 and AST-2021-006. I asked MITRE CNA to see if there is a
> > reason not to assign a new CVE for AST-2021-006.
> >
> > I suspect many have otherwise missed the update through AST-2021-006
> > because they had already tracked the CVE-2019-15297 / AST-2019-004 and
> > updated packages accordingly (which happened in Debian with the
> > 1:16.10.0~dfsg-1 and 1:16.2.1~dfsg-1+deb10u2 updates).
>
> Thank you for looking into the issue. You closed the bug. I'm not sure
> what this now means as the issue is present in the actual debian
> 'stable' version of Asterisk and can be exploited by a caller.

This is not a problem, the BTS has version tracking and the bug is closed in a specific upper version containing the fix. The Debian BTS can then close a bug in multiple versions, e.g. when it gets fixed as well in stable.

https://bugs.debian.org/cgi-bin/version.cgi?collapse=1;absolute=0;fixed=asterisk%2F1%3A18.9.0~dfsg%2B~cs6.10.40431411-1;info=1;package=asterisk;found=asterisk%2F1%3A16.16.1~dfsg-1%2Bdeb11u1;found=asterisk%2F1%3A16.16.1~dfsg-1

> So is there going to be a security update for that issue?

We have asterisk on the so-called dsa-needed list, meaning it is aimed to have a security update for asterisk for bullseye:

https://salsa.debian.org/security-tracker-team/security-tracker/-/blob/master/data/dsa-needed.txt

Regards,
Salvatore