Two security issues: AST-2012-010 / AST-2012-011

Related Vulnerabilities: CVE-2012-3812   CVE-2012-2186   CVE-2012-4737   CVE-2012-3863   CVE-2012-38612  

Debian Bug report logs - #680470

Reported by: Moritz Muehlenhoff <muehlenhoff@univention.de>

Date: Fri, 6 Jul 2012 06:09:01 UTC

Severity: grave

Tags: security

Fixed in version asterisk/1:1.8.13.1~dfsg-1

Done: Tzafrir Cohen <tzafrir@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>:
Bug#680470; Package asterisk. (Fri, 06 Jul 2012 06:09:05 GMT)


Acknowledgement sent to Moritz Muehlenhoff <muehlenhoff@univention.de>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>. (Fri, 06 Jul 2012 06:09:05 GMT)


Message #5 received at submit@bugs.debian.org:

From: Moritz Muehlenhoff <muehlenhoff@univention.de>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Two security issues: AST-2012-010 / AST-2012-011
Date: Fri, 06 Jul 2012 08:06:56 +0200
Package: asterisk
Severity: grave
Tags: security

http://downloads.asterisk.org/pub/security/AST-2012-010.html (no CVE yet)
http://downloads.asterisk.org/pub/security/AST-2012-011.html (CVE-2012-3812)

1.6 is not mentioned in the "Affected versions", but I haven't validated whether
because it's no longer supported/tracked upstream or because the issues
are not present. Can you double-check?

For sid/wheezy, please remember that we're in freeze and only isolated fixes
are to be made instead of updating to a new full upstream release.

Once you've uploaded, please send an unblock request by filing a bug against
the release.debian.org pseudo package.

Cheers,
        Moritz




Added tag(s) pending. Request was from Mark Purcell <mark@purcell.id.au> to control@bugs.debian.org. (Fri, 06 Jul 2012 22:39:05 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>:
Bug#680470; Package asterisk. (Thu, 30 Aug 2012 15:57:07 GMT)


Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>. (Thu, 30 Aug 2012 15:57:07 GMT)


Message #12 received at 680470@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@inutil.org>
To: 680470@bugs.debian.org
Subject: Re: Two security issues: AST-2012-010 / AST-2012-011
Date: Thu, 30 Aug 2012 17:51:46 +0200
On Fri, Jul 06, 2012 at 08:06:56AM +0200, Moritz Muehlenhoff wrote:
> Package: asterisk
> Severity: grave
> Tags: security
> 
> http://downloads.asterisk.org/pub/security/AST-2012-010.html (no CVE yet)
> http://downloads.asterisk.org/pub/security/AST-2012-011.html (CVE-2012-3812)
> 
> 1.6 is not mentioned in the "Affected versions", but I haven't validated whether
> because it's no longer supported/tracked upstream or because the issues
> are not present. Can you double-check?
> 
> For sid/wheezy, please remember that we're in freeze and only isolated fixes
> are to be made instead of updating to a new full upstream release.
> 
> Once you've uploaded, please send an unblock request by filing a bug against
> the release.debian.org pseudo package.

What's the status? This is marked pending for nearly two months now!
 
Cheers,
        Moritz



Information forwarded to debian-bugs-dist@lists.debian.org, Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>:
Bug#680470; Package asterisk. (Thu, 30 Aug 2012 16:51:09 GMT)


Acknowledgement sent to Tzafrir Cohen <tzafrir.cohen@xorcom.com>:
Extra info received and forwarded to list. Copy sent to Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>. (Thu, 30 Aug 2012 16:51:09 GMT)


Message #17 received at 680470@bugs.debian.org:

From: Tzafrir Cohen <tzafrir.cohen@xorcom.com>
To: Moritz Muehlenhoff <jmm@inutil.org>, 680470@bugs.debian.org
Subject: Re: Bug#680470: Two security issues: AST-2012-010 / AST-2012-011
Date: Thu, 30 Aug 2012 19:43:21 +0300
On Thu, Aug 30, 2012 at 05:51:46PM +0200, Moritz Muehlenhoff wrote:
> On Fri, Jul 06, 2012 at 08:06:56AM +0200, Moritz Muehlenhoff wrote:
> > Package: asterisk
> > Severity: grave
> > Tags: security
> > 
> > http://downloads.asterisk.org/pub/security/AST-2012-010.html (no CVE yet)
> > http://downloads.asterisk.org/pub/security/AST-2012-011.html (CVE-2012-3812)
> > 
> > 1.6 is not mentioned in the "Affected versions", but I haven't validated whether
> > because it's no longer supported/tracked upstream or because the issues
> > are not present. Can you double-check?
> > 
> > For sid/wheezy, please remember that we're in freeze and only isolated fixes
> > are to be made instead of updating to a new full upstream release.
> > 
> > Once you've uploaded, please send an unblock request by filing a bug against
> > the release.debian.org pseudo package.
> 
> What's the status? This is marked pending for nearly two months now!

For some reason I had the impression we had 1.8.13.1 packaged.

I would suggest to upload 1.8.13.1, which is exactly 1.8.13.0 + the
fixes for those two issues:

http://svnview.digium.com/svn/asterisk/tags/1.8.13.1/?view=log

For the record, they were fixed in the branch in:
http://svnview.digium.com/svn/asterisk?view=revision&revision=369652
http://svnview.digium.com/svn/asterisk?view=revision&revision=369436

Note, however, that today we had the following commits:
http://svnview.digium.com/svn/asterisk?view=revision&revision=372015
http://svnview.digium.com/svn/asterisk?view=revision&revision=371998

So this is just as good a timing as any for a new package.

-- 
               Tzafrir Cohen
icq#16849755              jabber:tzafrir.cohen@xorcom.com
+972-50-7952406           mailto:tzafrir.cohen@xorcom.com
http://www.xorcom.com  iax:guest@local.xorcom.com/tzafrir



Information forwarded to debian-bugs-dist@lists.debian.org, Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>:
Bug#680470; Package asterisk. (Fri, 31 Aug 2012 10:18:06 GMT)


Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>. (Fri, 31 Aug 2012 10:18:06 GMT)


Message #22 received at 680470@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Tzafrir Cohen <tzafrir.cohen@xorcom.com>
Cc: 680470@bugs.debian.org
Subject: Re: Bug#680470: Two security issues: AST-2012-010 / AST-2012-011
Date: Fri, 31 Aug 2012 12:14:05 +0200
On Thu, Aug 30, 2012 at 07:43:21PM +0300, Tzafrir Cohen wrote:
> On Thu, Aug 30, 2012 at 05:51:46PM +0200, Moritz Muehlenhoff wrote:
> > On Fri, Jul 06, 2012 at 08:06:56AM +0200, Moritz Muehlenhoff wrote:
> > > Package: asterisk
> > > Severity: grave
> > > Tags: security
> > > 
> > > http://downloads.asterisk.org/pub/security/AST-2012-010.html (no CVE yet)
> > > http://downloads.asterisk.org/pub/security/AST-2012-011.html (CVE-2012-3812)
> > > 
> > > 1.6 is not mentioned in the "Affected versions", but I haven't validated whether
> > > because it's no longer supported/tracked upstream or because the issues
> > > are not present. Can you double-check?
> > > 
> > > For sid/wheezy, please remember that we're in freeze and only isolated fixes
> > > are to be made instead of updating to a new full upstream release.
> > > 
> > > Once you've uploaded, please send an unblock request by filing a bug against
> > > the release.debian.org pseudo package.
> > 
> > What's the status? This is marked pending for nearly two months now!
> 
> For some reason I had the impression we had 1.8.13.1 packaged.
> 
> I would suggest to upload 1.8.13.1, which is exactly 1.8.13.0 + the
> fixes for those two issues:
> 
> http://svnview.digium.com/svn/asterisk/tags/1.8.13.1/?view=log
> 
> For the record, they were fixed in the branch in:
> http://svnview.digium.com/svn/asterisk?view=revision&revision=369652
> http://svnview.digium.com/svn/asterisk?view=revision&revision=369436
> 
> Note, however, that today we had the following commits:
> http://svnview.digium.com/svn/asterisk?view=revision&revision=372015
> http://svnview.digium.com/svn/asterisk?view=revision&revision=371998
> 
> So this is just as good a timing as any for a new package.

Two new issues have been announced, we should incorporate these:

CVE-2012-2186:
http://downloads.digium.com/pub/security/AST-2012-012.html

CVE-2012-4737:
http://downloads.digium.com/pub/security/AST-2012-013.html

Cheers,
        Moritz



Information forwarded to debian-bugs-dist@lists.debian.org, Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>:
Bug#680470; Package asterisk. (Fri, 31 Aug 2012 13:27:06 GMT)


Acknowledgement sent to Tzafrir Cohen <tzafrir.cohen@xorcom.com>:
Extra info received and forwarded to list. Copy sent to Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>. (Fri, 31 Aug 2012 13:27:06 GMT)


Message #27 received at 680470@bugs.debian.org:

From: Tzafrir Cohen <tzafrir.cohen@xorcom.com>
To: Moritz Muehlenhoff <jmm@inutil.org>
Cc: 680470@bugs.debian.org
Subject: Re: Bug#680470: Two security issues: AST-2012-010 / AST-2012-011
Date: Fri, 31 Aug 2012 16:23:44 +0300
On Fri, Aug 31, 2012 at 12:14:05PM +0200, Moritz Muehlenhoff wrote:
> On Thu, Aug 30, 2012 at 07:43:21PM +0300, Tzafrir Cohen wrote:
> > On Thu, Aug 30, 2012 at 05:51:46PM +0200, Moritz Muehlenhoff wrote:
> > > On Fri, Jul 06, 2012 at 08:06:56AM +0200, Moritz Muehlenhoff wrote:
> > > > Package: asterisk
> > > > Severity: grave
> > > > Tags: security
> > > > 
> > > > http://downloads.asterisk.org/pub/security/AST-2012-010.html (no CVE yet)
> > > > http://downloads.asterisk.org/pub/security/AST-2012-011.html (CVE-2012-3812)

Regarding AST-2011-011 and Squeeze:

It appears to be the result of wrong fixes for a memory leak (see commit
message below). I have not tried to apply the original memory leak fix
(r354889 is the one on branch 1.8) or a proper version of it on the
version in Squeeze. Note that memory leak fixes normally don't get an
advisory and there are quite a few of them in the 1.8 branch so I'm not
sure I would bother just for this one.

Short version: technically does not apply.

> > > > 
> > > > 1.6 is not mentioned in the "Affected versions", but I haven't validated whether
> > > > because it's no longer supported/tracked upstream or because the issues
> > > > are not present. Can you double-check?
> > > > 
> > > > For sid/wheezy, please remember that we're in freeze and only isolated fixes
> > > > are to be made instead of updating to a new full upstream release.
> > > > 
> > > > Once you've uploaded, please send an unblock request by filing a bug against
> > > > the release.debian.org pseudo package.
> > > 
> > > What's the status? This is marked pending for nearly two months now!
> > 
> > For some reason I had the impression we had 1.8.13.1 packaged.
> > 
> > I would suggest to upload 1.8.13.1, which is exactly 1.8.13.0 + the
> > fixes for those two issues:
> > 
> > http://svnview.digium.com/svn/asterisk/tags/1.8.13.1/?view=log
> > 
> > For the record, they were fixed in the branch in:
> > http://svnview.digium.com/svn/asterisk?view=revision&revision=369652
> > http://svnview.digium.com/svn/asterisk?view=revision&revision=369436
> > 
> > Note, however, that today we had the following commits:
> > http://svnview.digium.com/svn/asterisk?view=revision&revision=372015
> > http://svnview.digium.com/svn/asterisk?view=revision&revision=371998
> > 
> > So this is just as good a timing as any for a new package.
> 
> Two new issues have been announced, we should incorporate these:
> 
> CVE-2012-2186:
> http://downloads.digium.com/pub/security/AST-2012-012.html

Note the wording. Issue is not completely mitigated. There are still
methods of sneaking in unwanted functionality (e.g. through setting
Asterisk environment variables).

> 
> CVE-2012-4737:
> http://downloads.digium.com/pub/security/AST-2012-013.html

-- 
               Tzafrir Cohen
icq#16849755              jabber:tzafrir.cohen@xorcom.com
+972-50-7952406           mailto:tzafrir.cohen@xorcom.com
http://www.xorcom.com  iax:guest@local.xorcom.com/tzafrir



Information forwarded to debian-bugs-dist@lists.debian.org, Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>:
Bug#680470; Package asterisk. (Fri, 31 Aug 2012 13:33:05 GMT)


Acknowledgement sent to Tzafrir Cohen <tzafrir.cohen@xorcom.com>:
Extra info received and forwarded to list. Copy sent to Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>. (Fri, 31 Aug 2012 13:33:05 GMT)


Message #32 received at 680470@bugs.debian.org:

From: Tzafrir Cohen <tzafrir.cohen@xorcom.com>
To: Moritz Muehlenhoff <jmm@inutil.org>
Cc: 680470@bugs.debian.org
Subject: Re: Bug#680470: Two security issues: AST-2012-010 / AST-2012-011
Date: Fri, 31 Aug 2012 16:28:53 +0300
On Fri, Aug 31, 2012 at 12:14:05PM +0200, Moritz Muehlenhoff wrote:

> CVE-2012-2186:
> http://downloads.digium.com/pub/security/AST-2012-012.html

I almost forgot: While patching, I noticed that the squeeze backport for
AST-2012-004 was incomplete. The part left out is:

http://anonscm.debian.org/viewvc/pkg-voip/asterisk/branches/squeeze/debian/patches/AST-2012-004-MixMonitor?revision=9938&view=markup

I added it in as well.

I have packages ready for Unstable (1.8.13.1 + patches) and Squeeze
(1.6.2.9-2+squeeze7).

-- 
               Tzafrir Cohen
icq#16849755              jabber:tzafrir.cohen@xorcom.com
+972-50-7952406           mailto:tzafrir.cohen@xorcom.com
http://www.xorcom.com  iax:guest@local.xorcom.com/tzafrir



Information forwarded to debian-bugs-dist@lists.debian.org, Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>:
Bug#680470; Package asterisk. (Fri, 31 Aug 2012 13:39:05 GMT)


Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>. (Fri, 31 Aug 2012 13:39:05 GMT)


Message #37 received at 680470@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Tzafrir Cohen <tzafrir.cohen@xorcom.com>
Cc: 680470@bugs.debian.org
Subject: Re: Bug#680470: Two security issues: AST-2012-010 / AST-2012-011
Date: Fri, 31 Aug 2012 15:32:19 +0200
On Fri, Aug 31, 2012 at 04:23:44PM +0300, Tzafrir Cohen wrote:
> Regarding AST-2011-011 and Squeeze:
> 
> It appears to be the result of wrong fixes for a memory leak (see commit
> message below). I have not tried to apply the original memory leak fix
> (r354889 is the one on branch 1.8) or a proper version of it on the
> version in Squeeze. Note that memory leak fixes normally don't get an
> advisory and there are quite a few of them in the 1.8 branch so I'm not
> sure I would bother just for this one.
> 
> Short version: technically does not apply.

I've updated the Debian Security Tracker.

> > CVE-2012-2186:
> > http://downloads.digium.com/pub/security/AST-2012-012.html
> 
> Note the wording. Issue is not completely mitigated. There are still
> methods of sneaking in unwanted functionality (e.g. through setting
> Asterisk environment variables).

Yes, I think the correct "fix" here is to point to the updated
best practice documentation by upstream.

Cheers,
        Moritz



Reply sent to Tzafrir Cohen <tzafrir@debian.org>:
You have taken responsibility. (Sat, 01 Sep 2012 13:21:13 GMT)


Notification sent to Moritz Muehlenhoff <muehlenhoff@univention.de>:
Bug acknowledged by developer. (Sat, 01 Sep 2012 13:21:13 GMT)


Message #42 received at 680470-close@bugs.debian.org:

From: Tzafrir Cohen <tzafrir@debian.org>
To: 680470-close@bugs.debian.org
Subject: Bug#680470: fixed in asterisk 1:1.8.13.1~dfsg-1
Date: Sat, 01 Sep 2012 13:17:48 +0000
Source: asterisk
Source-Version: 1:1.8.13.1~dfsg-1

We believe that the bug you reported is fixed in the latest version of
asterisk, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 680470@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Tzafrir Cohen <tzafrir@debian.org> (supplier of updated asterisk package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Sat, 01 Sep 2012 04:44:12 +0300
Source: asterisk
Binary: asterisk asterisk-modules asterisk-dahdi asterisk-voicemail asterisk-voicemail-imapstorage asterisk-voicemail-odbcstorage asterisk-ooh423 asterisk-mp3 asterisk-mysql asterisk-mobile asterisk-doc asterisk-dev asterisk-dbg asterisk-config
Architecture: source all amd64
Version: 1:1.8.13.1~dfsg-1
Distribution: unstable
Urgency: low
Maintainer: Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>
Changed-By: Tzafrir Cohen <tzafrir@debian.org>
Description: 
 asterisk   - Open Source Private Branch Exchange (PBX)
 asterisk-config - Configuration files for Asterisk
 asterisk-dahdi - DAHDI devices support for the Asterisk PBX
 asterisk-dbg - Debugging symbols for Asterisk
 asterisk-dev - Development files for Asterisk
 asterisk-doc - Source code documentation for Asterisk
 asterisk-mobile - Bluetooth phone support for the Asterisk PBX
 asterisk-modules - loadable modules for the Asterisk PBX
 asterisk-mp3 - MP3 playback support for the Asterisk PBX
 asterisk-mysql - MySQL database protocol support for the Asterisk PBX
 asterisk-ooh423 - H.323 protocol support for the Asterisk PBX - ooH323c
 asterisk-voicemail - simple voicemail support for the Asterisk PBX
 asterisk-voicemail-imapstorage - IMAP voicemail storage support for the Asterisk PBX
 asterisk-voicemail-odbcstorage - ODBC voicemail storage support for the Asterisk PBX
Closes: 680470
Changes: 
 asterisk (1:1.8.13.1~dfsg-1) unstable; urgency=low
 .
   * New upstream release (Closes: #680470):
     - Fixes AST-2012-010 (CVE-2012-3863).
     - Fixes AST-2012-011 (CVE-2012-38612).
   * Patch AST-2012-012 (CVE-2012-2186): AMI User Shell Access with ExternalIVR
   * Patch AST-2012-012 (CVE-2012-4737): ACL rules ignored during calls
     by some IAX2 peers.




Information forwarded to debian-bugs-dist@lists.debian.org, Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>:
Bug#680470; Package asterisk. (Wed, 19 Sep 2012 07:54:03 GMT)


Acknowledgement sent to Rebekah Chaneau <rchaneau@gmail.com>:
Extra info received and forwarded to list. Copy sent to Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>. (Wed, 19 Sep 2012 07:54:03 GMT)


Message #47 received at 680470@bugs.debian.org:

From: Rebekah Chaneau <rchaneau@gmail.com>
To: tzafrir.cohen@xorcom.com
Cc: 680470@bugs.debian.org
Subject: Re: Bug#680470: Two security issues: AST-2012-010 / AST-2012-011
Date: Wed, 19 Sep 2012 03:51:37 -0400
Hi,

asterisk 1:1.6.2.9-2+squeeze7 breaks SIP.

The patch AST-2012-010 includes a call to the function sip_pvt_lock_full,
however this function is not defined in chan_sip.c in Asterisk 1.6.
http://anonscm.debian.org/viewvc/pkg-voip/asterisk/branches/squeeze/debian/patches/AST-2012-010?revision=9892&view=markup

This means the chan_sip module in 1.6.2.9-2+squeeze7 won't load and SIP
does not work. :-(

WARNING[9081] loader.c: Error loading module 'chan_sip.so':
/usr/lib/asterisk/modules/chan_sip.so: undefined symbol: sip_pvt_lock_full

- Rebekah

Information forwarded to debian-bugs-dist@lists.debian.org, Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>:
Bug#680470; Package asterisk. (Wed, 19 Sep 2012 16:00:03 GMT)


Acknowledgement sent to Victor Seva <linuxmaniac@torreviejawireless.org>:
Extra info received and forwarded to list. Copy sent to Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>. (Wed, 19 Sep 2012 16:00:03 GMT)


Message #52 received at 680470@bugs.debian.org:

From: Victor Seva <linuxmaniac@torreviejawireless.org>
To: 680470@bugs.debian.org, 688053@bugs.debian.org
Cc: Rebekah Chaneau <rchaneau@gmail.com>, tzafrir.cohen@xorcom.com
Subject: Re: Bug#680470: Two security issues: AST-2012-010 / AST-2012-011
Date: Wed, 19 Sep 2012 17:56:14 +0200
On Wed, 19 Sep 2012 03:51:37 -0400 Rebekah Chaneau wrote:
>Hi,
>
>asterisk 1:1.6.2.9-2+squeeze7 breaks SIP.
>
>The patch AST-2012-010 includes a call to the function sip_pvt_lock_full,
>however this function is not defined in chan_sip.c in Asterisk 1.6.
>http://anonscm.debian.org/viewvc/pkg-voip/asterisk/branches/squeeze/debian/patches/AST-2012-010?revision=9892&view=markup
>
>This means the chan_sip module in 1.6.2.9-2+squeeze7 won't load and SIP
>does not work. :-(
>
>WARNING[9081] loader.c: Error loading module 'chan_sip.so':
>/usr/lib/asterisk/modules/chan_sip.so: undefined symbol: sip_pvt_lock_full

Hi,

You are totally right. This is my mistake.

I've updated the patch on the svn and I'm waiting for any pkg-voip DD
member to coordinate the next step in order to fix the problem ASAP.

Sorry for all the trouble
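
The failure reported in the two messages above, a backported patch that calls a function the older tree never defines, can be caught before upload with a source-level check. The following is an added example, not code from the Debian packaging or from Asterisk; the patch and tree contents are constructed samples, and every name other than `sip_pvt_lock_full` and `chan_sip.c` is hypothetical.

```python
import re

# Heuristic backport check: names a patch starts calling that the target tree lacks.
CALL_RE = re.compile(r"\b([A-Za-z_]\w*)\s*\(")
# A column-0 line of the form "<type> name(" is taken as a definition or prototype.
TOPLEVEL_RE = re.compile(r"^[A-Za-z_][\w \t*]*?\b([A-Za-z_]\w*)\s*\(", re.M)
DEFINE_RE = re.compile(r"^[ \t]*#[ \t]*define[ \t]+([A-Za-z_]\w*)", re.M)
C_KEYWORDS = {"if", "for", "while", "switch", "return", "sizeof", "defined"}


def strip_noise(code):
    """Blank out comments and string literals so their text is not read as calls."""
    code = re.sub(r"/\*.*?\*/", " ", code, flags=re.S)
    code = re.sub(r"//[^\n]*", " ", code)
    return re.sub(r'"(?:\\.|[^"\\])*"', '""', code)


def added_code(patch_text):
    """Return the lines a unified diff adds, with the leading '+' removed."""
    return "\n".join(
        line[1:] for line in patch_text.splitlines()
        if line.startswith("+") and not line.startswith("+++")
    )


def known_names(tree_sources):
    """Every name the target tree defines, declares, already calls, or #defines."""
    names = set()
    for text in tree_sources.values():
        clean = strip_noise(text)
        names.update(CALL_RE.findall(clean))
        names.update(DEFINE_RE.findall(clean))
    return names


def unresolved_calls(patch_text, tree_sources, external=()):
    """Sorted names the patch calls that neither the tree, the patch itself,
    nor the caller-supplied `external` set (libc, other headers) provides."""
    new_code = strip_noise(added_code(patch_text))
    called = set(CALL_RE.findall(new_code)) - C_KEYWORDS
    defined_by_patch = set(TOPLEVEL_RE.findall(new_code)) | set(DEFINE_RE.findall(new_code))
    return sorted(called - defined_by_patch - known_names(tree_sources) - set(external))


# Constructed sample input: NOT the real AST-2012-010 patch or Asterisk source.
SAMPLE_PATCH = """\
--- a/chan_sip.c
+++ b/chan_sip.c
@@ -3,6 +3,9 @@ static int demo_handle_update(struct demo_pvt *p)
 {
-\tdemo_pvt_lock(p);
+\t/* lock channel and pvt together; replaces old_helper() */
+\tstruct demo_chan *c = sip_pvt_lock_full(p);
+\tif (c)
+\t\tdemo_chan_unref(c);
 \tdemo_pvt_unlock(p);
"""

# Constructed stand-in for the older release's source tree (file name -> contents).
SAMPLE_TREE = {
    "chan_sip.c": """\
#define demo_pvt_lock(x) demo_lock(x)
static void demo_pvt_unlock(struct demo_pvt *p);
static int demo_handle_update(struct demo_pvt *p)
{
\tdemo_pvt_lock(p);
\tdemo_pvt_unlock(p);
\treturn 0;
}
""",
}

if __name__ == "__main__":
    for name in unresolved_calls(SAMPLE_PATCH, SAMPLE_TREE):
        print("patch calls %s(), which the target tree does not provide" % name)
```

A reported name is only a candidate: it may come from a header or library outside the scanned files, which is what the `external` argument is for.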



Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 18 Oct 2012 07:27:01 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 16:16:40 2019; Machine Name: buxtehude
