** Description changed:

  (Tracking some collaborative work with persia)

  A review of RC bugs from Debian shows 4 CVEs fixed in the latest Debian release. This includes 2 CVEs fixed in an upstream (bug-fix level) release, and 2 fixed in Debian.

  Update: this Debian release has now been merged to quantal, see LP: #1022360 - Applying these fixes to Precise SRU would require cherrypicking.

+ The patch for AST-2012-012 (CVE-2012-4737) from Debian 1:1.8.13.1~dfsg-1
+ does not apply cleanly to precise package 1:1.8.10.1~dfsg-1ubuntu1. The
+ patch modifies code already changed by AST-2012-004 and other merged
+ changes from upstream 1.4 and 1.6 series (see r314628, r363141,
+ r364841). The change is too disruptive for inclusion in precise SRU, and
+ severity is only rated as "Minor".

- All CVEs affect only 1.8.x series of asterisk, so no work is needed for
- releases earlier than precise.
+
+ Fixes for the other 3 CVEs have been cherrypicked to precise asterisk package:
+
+ [Impact]
+ DoS exploits for voice mail and re-invite transactions, ACL bypass for IAX2 peer calls.
+
+ [Test Cases]
+ Steps to reproduce each issue provided in upstream bug reports:
+ https://issues.asterisk.org/jira/browse/ASTERISK-19992
+ https://issues.asterisk.org/jira/browse/ASTERISK-20052
+ https://issues.asterisk.org/jira/browse/ASTERISK-20186
+
+ Testers will need to install both 'asterisk' and 'asterisk-voicemail'
+ packages. A simple asterisk configuration is attached to the bug report.
+
+ [Regression Potential]
+ Minimal, no known regressions in asterisk issue tracker or Debian BTS.
+
+
+ Also recommend 1:1.8.13.1~dfsg-1ubuntu1 for possible precise Backport (from quantal). It includes some feature additions and many non-critical fixes (too many to SRU the whole package), sufficient for some users to prefer the more recent version.
+
+ It is unlikely that cherrypicked patches for precise will apply cleanly
+ to oneiric, given the code drift between 1.8.4 and 1.8.10. All CVEs
+ affect only 1.8.x series of asterisk, so no work is needed for releases
+ earlier than oneiric.
** Attachment added: "Simplistic Asterisk config for SRU testers"
   https://bugs.launchpad.net/debian/+source/asterisk/+bug/1048093/+attachment/3304538/+files/simple_asterisk_config.txt

--
https://bugs.launchpad.net/bugs/1048093

Title:
  Outstanding security fixes in asterisk