Debian Bug report logs - #539473
CVE-2009-2651: Remote Crash Vulnerability in RTP stack
Reported by: Giuseppe Iuculano <giuseppe@iuculano.it>
Date: Sat, 1 Aug 2009 09:00:02 UTC
Severity: serious
Tags: patch, security
Found in version asterisk/1:1.6.2.0~dfsg~beta3-1
Fixed in version asterisk/1:1.6.2.0~dfsg~rc1-1
Done: Faidon Liambotis <paravoid@debian.org>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>: Bug#539473; Package asterisk. (Sat, 01 Aug 2009 09:00:04 GMT)
Acknowledgement sent to Giuseppe Iuculano <giuseppe@iuculano.it>: New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>. (Sat, 01 Aug 2009 09:00:04 GMT)
Message #5 received at submit@bugs.debian.org:
Package: asterisk
Version: 1:1.6.2.0~dfsg~beta3-1
Severity: serious
Tags: security patch
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for asterisk.
CVE-2009-2651[0]:
| main/rtp.c in Asterisk Open Source 1.6.1 before 1.6.1.2 allows remote
| attackers to cause a denial of service (crash) via an RTP text frame
| without a certain delimiter, which triggers a NULL pointer dereference
| and the subsequent calculation of an invalid pointer.
If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.
For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2651
http://security-tracker.debian.net/tracker/CVE-2009-2651
http://downloads.asterisk.org/pub/security/AST-2009-004.html
Patch: http://downloads.asterisk.org/pub/security/AST-2009-004-1.6.1.diff.txt
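Added example, not part of the bug log and not Asterisk's code: the bug class the CVE text describes (a delimiter search whose NULL result feeds pointer arithmetic) next to a hardened parser that drops the frame instead. The frame layout, the `DELIM` value, the sample frames and all function names are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical layout, constructed for this example (not Asterisk's wire
 * format): [header bytes][DELIM][text payload]. */
#define DELIM 0x64

struct text_payload {
    const unsigned char *data;
    size_t len;
};

/* Constructed sample frames. */
const unsigned char FRAME_OK[]       = { 0xE4, 0x00, 0x01, DELIM, 'h', 'i' };
const unsigned char FRAME_NO_DELIM[] = { 0xE4, 0x00, 0x01, 0x02, 'h', 'i' };
const unsigned char FRAME_EMPTY[]    = { 0xE4, DELIM };

/* Bug class from the CVE text: memchr() returns NULL when the delimiter is
 * absent, and the arithmetic below then yields an invalid pointer that the
 * caller goes on to use. Shown for contrast only; never called here. */
const unsigned char *payload_start_unchecked(const unsigned char *buf, size_t len)
{
    const unsigned char *end = memchr(buf, DELIM, len);
    return end + 1;
}

/* Hardened form: reject the frame before any pointer arithmetic.
 * Returns 0 and fills *out on success, -1 if the frame must be dropped. */
int parse_text_frame(const unsigned char *buf, size_t len, struct text_payload *out)
{
    const unsigned char *end;

    if (buf == NULL || out == NULL || len == 0)
        return -1;
    end = memchr(buf, DELIM, len);
    if (end == NULL)
        return -1;                       /* no delimiter: drop, do not crash */
    out->data = end + 1;                 /* at most one past the end: valid */
    out->len = len - (size_t)(out->data - buf);
    return 0;
}

/* Convenience wrapper: payload length, or -1 if the frame is rejected. */
long payload_len(const unsigned char *buf, size_t len)
{
    struct text_payload p;
    return parse_text_frame(buf, len, &p) == 0 ? (long)p.len : -1;
}

int main(void)
{
    printf("well-formed frame: %ld\n", payload_len(FRAME_OK, sizeof FRAME_OK));
    printf("missing delimiter: %ld\n", payload_len(FRAME_NO_DELIM, sizeof FRAME_NO_DELIM));
    printf("empty payload:     %ld\n", payload_len(FRAME_EMPTY, sizeof FRAME_EMPTY));
    return 0;
}
```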
Information forwarded to debian-bugs-dist@lists.debian.org, Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>: Bug#539473; Package asterisk. (Sat, 12 Sep 2009 21:48:13 GMT)
Acknowledgement sent to Tzafrir Cohen <tzafrir.cohen@xorcom.com>: Extra info received and forwarded to list. Copy sent to Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>. (Sat, 12 Sep 2009 21:48:13 GMT)
Message #10 received at 539473@bugs.debian.org:
# Automatically generated email from bts, devscripts version 2.10.35lenny3
# via tagpending
#
# asterisk (1:1.6.2.0~dfsg~rc1-1) UNRELEASED; urgency=low
#
# * New upstream release.
# - Fixes CVE-2009-2726 aka AST-2009-005 (Closes: #541441).
# - Ship CC BY-SA 3.0 licensed music-on-hold sounds, replacing the old
# non-free FreePlay Music that were never distributed by Debian.
# - Removed patches/makefile_appdocs_dtd (merged upstream) and
# patches/disable_moh (obsoleted, see above).
# * Fix FTBFS on armel. (Closes: #532971)
# * Fix name of voicemail 'openssl' dep. (Thomas Renard) (Closes: #539150)
# * Patch AST-2009-006: Closes: #539473 but breaks IAX2 compatibility.
package asterisk-dbg asterisk-config asterisk-doc asterisk-dev asterisk asterisk-sounds-main asterisk-h423
tags 541441 + pending
tags 532971 + pending
tags 539150 + pending
tags 539473 + pending
Added tag(s) pending. Request was from Tzafrir Cohen <tzafrir.cohen@xorcom.com> to control@bugs.debian.org. (Sat, 12 Sep 2009 21:48:19 GMT)
Reply sent to Faidon Liambotis <paravoid@debian.org>: You have taken responsibility. (Sun, 13 Sep 2009 00:24:14 GMT)
Notification sent to Giuseppe Iuculano <giuseppe@iuculano.it>: Bug acknowledged by developer. (Sun, 13 Sep 2009 00:24:14 GMT)
Message #17 received at 539473-close@bugs.debian.org:
Source: asterisk
Source-Version: 1:1.6.2.0~dfsg~rc1-1
We believe that the bug you reported is fixed in the latest version of
asterisk, which is due to be installed in the Debian FTP archive:
asterisk-config_1.6.2.0~dfsg~rc1-1_all.deb
to pool/main/a/asterisk/asterisk-config_1.6.2.0~dfsg~rc1-1_all.deb
asterisk-dbg_1.6.2.0~dfsg~rc1-1_i386.deb
to pool/main/a/asterisk/asterisk-dbg_1.6.2.0~dfsg~rc1-1_i386.deb
asterisk-dev_1.6.2.0~dfsg~rc1-1_all.deb
to pool/main/a/asterisk/asterisk-dev_1.6.2.0~dfsg~rc1-1_all.deb
asterisk-doc_1.6.2.0~dfsg~rc1-1_all.deb
to pool/main/a/asterisk/asterisk-doc_1.6.2.0~dfsg~rc1-1_all.deb
asterisk-h423_1.6.2.0~dfsg~rc1-1_i386.deb
to pool/main/a/asterisk/asterisk-h423_1.6.2.0~dfsg~rc1-1_i386.deb
asterisk-sounds-main_1.6.2.0~dfsg~rc1-1_all.deb
to pool/main/a/asterisk/asterisk-sounds-main_1.6.2.0~dfsg~rc1-1_all.deb
asterisk_1.6.2.0~dfsg~rc1-1.diff.gz
to pool/main/a/asterisk/asterisk_1.6.2.0~dfsg~rc1-1.diff.gz
asterisk_1.6.2.0~dfsg~rc1-1.dsc
to pool/main/a/asterisk/asterisk_1.6.2.0~dfsg~rc1-1.dsc
asterisk_1.6.2.0~dfsg~rc1-1_i386.deb
to pool/main/a/asterisk/asterisk_1.6.2.0~dfsg~rc1-1_i386.deb
asterisk_1.6.2.0~dfsg~rc1.orig.tar.gz
to pool/main/a/asterisk/asterisk_1.6.2.0~dfsg~rc1.orig.tar.gz
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 539473@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Faidon Liambotis <paravoid@debian.org> (supplier of updated asterisk package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
Format: 1.8
Date: Sun, 13 Sep 2009 02:22:17 +0300
Source: asterisk
Binary: asterisk asterisk-h423 asterisk-doc asterisk-dev asterisk-dbg asterisk-sounds-main asterisk-config
Architecture: source all i386
Version: 1:1.6.2.0~dfsg~rc1-1
Distribution: unstable
Urgency: low
Maintainer: Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>
Changed-By: Faidon Liambotis <paravoid@debian.org>
Description:
asterisk - Open Source Private Branch Exchange (PBX)
asterisk-config - Configuration files for Asterisk
asterisk-dbg - Debugging symbols for Asterisk
asterisk-dev - Development files for Asterisk
asterisk-doc - Source code documentation for Asterisk
asterisk-h423 - H.323 protocol support for Asterisk
asterisk-sounds-main - Core Sound files for Asterisk (English)
Closes: 532971 539150 539473 541441
Changes:
asterisk (1:1.6.2.0~dfsg~rc1-1) unstable; urgency=low
.
[ Faidon Liambotis ]
* New upstream release.
- Fixes CVE-2009-2726 aka AST-2009-005 (Closes: #541441).
- Ship CC BY-SA 3.0 licensed music-on-hold sounds, replacing the old
non-free FreePlay Music that were never distributed by Debian.
- Removed patches/makefile_appdocs_dtd (merged upstream) and
patches/disable_moh (obsoleted, see above).
* Fix FTBFS on armel. (Closes: #532971)
* Bump Standards-Version to 3.8.3, no changes needed.
* Provides: asterisk-1.6.2, instead of 1.6.1; there are no ABI guarantees
between 1.6.x releases.
* Remove references of Section: comm in individual binary packages as it is
inherited from the source package.
.
[ Tzafrir Cohen ]
* Patch hardware_dtmf_mute_fix removed: Applied upstream.
* No need for a separate app_directory_odbc (will use app_voicemail_odbc).
* Fix name of voicemail 'openssl' dep. (Thomas Renard) (Closes: #539150)
* Patch AST-2009-006: breaks IAX2 compatibility, note it in NEWS.Debian.
(Closes: #539473)
Information forwarded to debian-bugs-dist@lists.debian.org, Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>: Bug#539473; Package asterisk. (Wed, 16 Sep 2009 19:18:37 GMT)
Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>: Extra info received and forwarded to list. Copy sent to Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>. (Wed, 16 Sep 2009 19:18:37 GMT)
Message #22 received at 539473@bugs.debian.org:
On Sat, Aug 01, 2009 at 10:57:33AM +0200, Giuseppe Iuculano wrote:
> Package: asterisk
> Version: 1:1.6.2.0~dfsg~beta3-1
> Severity: serious
> Tags: security patch
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
>
> Hi,
> the following CVE (Common Vulnerabilities & Exposures) id was
> published for asterisk.
>
> CVE-2009-2651[0]:
> | main/rtp.c in Asterisk Open Source 1.6.1 before 1.6.1.2 allows remote
> | attackers to cause a denial of service (crash) via an RTP text frame
> | without a certain delimiter, which triggers a NULL pointer dereference
> | and the subsequent calculation of an invalid pointer.
>
> If you fix the vulnerability please also make sure to include the
> CVE id in your changelog entry.
>
> For further information see:
>
> [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2651
> http://security-tracker.debian.net/tracker/CVE-2009-2651
> http://downloads.asterisk.org/pub/security/AST-2009-004.html
> Patch: http://downloads.asterisk.org/pub/security/AST-2009-004-1.6.1.diff.txt
Asterisk maintainers, what should be done about stable? Would it
make sense to update the stable version to 1.4.26.2 in a point update?
(IIRC there's still a performance regression affecting Lenny from
a previous security update?)
Cheers,
Moritz
Information forwarded to debian-bugs-dist@lists.debian.org, Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>: Bug#539473; Package asterisk. (Wed, 16 Sep 2009 20:24:25 GMT)
Acknowledgement sent to Faidon Liambotis <paravoid@debian.org>: Extra info received and forwarded to list. Copy sent to Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>. (Wed, 16 Sep 2009 20:24:25 GMT)
Message #27 received at 539473@bugs.debian.org:
Hi,
Moritz Muehlenhoff wrote:
> Asterisk maintainers, what should be done about stable? Would it
> make sense to update the stable version to 1.4.26.2 in a point update?
> (IIRC there's still a performance regression affecting Lenny from
> a previous security update?)
This particular vulnerability does not affect lenny/1.4.
There hasn't been a security update for lenny yet, perhaps you're
thinking etch?
You are right that we should do an update for a point release of lenny
though to address a minor information disclosure vulnerability[1], plus
some other non-security related bugs. However, I'd like to avoid
upgrading to a newer 1.4.x release but backport changes instead; we used
to heavily patch our sources and changing the upstream release is prone
to errors.
As for etch, the current version should be affected by multiple
vulnerabilities (information disclosure *and* remote DoS) and I'm
currently unable to properly take care of them and test it. Unless a
comaintainer steps up (please people, do!) I'd be more inclined to suggest
a premature end of security support (are there precedents for this?)
Thanks,
Faidon
1: http://downloads.asterisk.org/pub/security/AST-2009-001.html
Information forwarded to debian-bugs-dist@lists.debian.org, Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>: Bug#539473; Package asterisk. (Sun, 04 Oct 2009 19:33:02 GMT)
Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>: Extra info received and forwarded to list. Copy sent to Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>. (Sun, 04 Oct 2009 19:33:02 GMT)
Message #32 received at 539473@bugs.debian.org:
Sorry for the late followup, I've been on vacation.
On Wed, Sep 16, 2009 at 11:21:39PM +0300, Faidon Liambotis wrote:
> Hi,
>
> Moritz Muehlenhoff wrote:
> > Asterisk maintainers, what should be done about stable? Would it
> > make sense to update the stable version to 1.4.26.2 in a point update?
> > (IIRC there's still a performance regression affecting Lenny from
> > a previous security update?)
> This particular vulnerability does not affect lenny/1.4.
>
> There hasn't been a security update for lenny yet, perhaps you're
> thinking etch?
Yes, I seem to have confused this.
> You are right that we should do an update for a point release of lenny
> though to address a minor information disclosure vulnerability[1], plus
> some other non-security related bugs. However, I'd like to avoid
> upgrading to a newer 1.4.x release but backport changes instead; we used
> to heavily patch our sources and changing the upstream release is prone
> to errors.
Fine with me.
> As for etch, the current version should be affected by multiple
> vulnerabilities (information disclosure *and* remote DoS) and I'm
> currently unable to properly take care of them and test it. Unless a
> comaintainer steps up (please people, do!) I'd be more inclined to suggest
> a premature end of security support (are there precedents for this?)
We can do that, yes. There are some precedents, like rails or Mozilla.
Cheers,
Moritz
Information forwarded to debian-bugs-dist@lists.debian.org, Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>: Bug#539473; Package asterisk. (Mon, 05 Oct 2009 12:42:03 GMT)
Acknowledgement sent to Faidon Liambotis <paravoid@debian.org>: Extra info received and forwarded to list. Copy sent to Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>. (Mon, 05 Oct 2009 12:42:03 GMT)
Message #37 received at 539473@bugs.debian.org:
Moritz Muehlenhoff wrote:
>> You are right that we should do an update for a point release of lenny
>> though to address a minor information disclosure vulnerability[1], plus
>> some other non-security related bugs. However, I'd like to avoid
>> upgrading to a newer 1.4.x release but backport changes instead; we used
>> to heavily patch our sources and changing the upstream release is prone
>> to errors.
>
> Fine with me.
OK, will do soon.
>> As for etch, the current version should be affected by multiple
>> vulnerabilities (information disclosure *and* remote DoS) and I'm
>> currently unable to properly take care of them and test it. Unless a
>> comaintainer steps up (please people, do!) I'd be more inclined to suggest
>> a premature end of security support (are there precedents for this?)
>
> We can do that, yes. There are some precedents, like rails or Mozilla.
Hm, OK, I'll let you know in a few days.
I guess an e-mail to security@d.o would be sufficient?
Thanks,
Faidon
Information forwarded to debian-bugs-dist@lists.debian.org, Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>: Bug#539473; Package asterisk. (Mon, 05 Oct 2009 22:09:03 GMT)
Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>: Extra info received and forwarded to list. Copy sent to Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>. (Mon, 05 Oct 2009 22:09:03 GMT)
Message #42 received at 539473@bugs.debian.org:
On Mon, Oct 05, 2009 at 03:02:55PM +0300, Faidon Liambotis wrote:
> Moritz Muehlenhoff wrote:
> >> You are right that we should do an update for a point release of lenny
> >> though to address a minor information disclosure vulnerability[1], plus
> >> some other non-security related bugs. However, I'd like to avoid
> >> upgrading to a newer 1.4.x release but backport changes instead; we used
> >> to heavily patch our sources and changing the upstream release is prone
> >> to errors.
> >
> > Fine with me.
> OK, will do soon.
>
> >> As for etch, the current version should be affected by multiple
> >> vulnerabilities (information disclosure *and* remote DoS) and I'm
> >> currently unable to properly take care of them and test it. Unless a
> >> comaintainer steps up (please people, do!) I'd be more inclined to suggest
> >> a premature end of security support (are there precedents for this?)
> >
> > We can do that, yes. There are some precedents, like rails or Mozilla.
> Hm, OK, I'll let you know in a few days.
> I guess an e-mail to security@d.o would be sufficient?
We can announce the EOL for Etch when the next Asterisk DSA appears for Lenny,
but feel free to post to debian-securityl.d.o earlier.
Cheers,
Moritz
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 03 Nov 2009 07:42:17 GMT)