Debian Bug report logs - #704114
asterisk: asterisk security advisories: AST-2013-001 / AST-2013-002 / AST-2013-003
Reported by: Salvatore Bonaccorso <carnil@debian.org>
Date: Thu, 28 Mar 2013 05:27:02 UTC
Severity: grave
Tags: patch, security, upstream
Found in versions asterisk/1:1.6.2.9-2+squeeze10, asterisk/1:1.8.13.1~dfsg-1
Fixed in version asterisk/1:1.8.13.1~dfsg-2
Done: Tzafrir Cohen <tzafrir@debian.org>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>: Bug#704114; Package asterisk. (Thu, 28 Mar 2013 05:27:06 GMT)
Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>: New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>. (Thu, 28 Mar 2013 05:27:06 GMT)
Message #5 received at submit@bugs.debian.org:
Package: asterisk
Severity: grave
Tags: security patch upstream
Hi,
the following vulnerabilities were published for asterisk.
CVE-2013-2685[0]:
Buffer Overflow Exploit Through SIP SDP Header
CVE-2013-2686[1]:
Denial of Service in HTTP server
CVE-2013-2264[2]:
Username disclosure in SIP channel driver
For CVE-2013-2685 the tracker[3] mentions only 1.11.x. Could you
double-check that squeeze, testing and wheezy are not affected?
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] http://security-tracker.debian.org/tracker/CVE-2013-2685
http://downloads.asterisk.org/pub/security/AST-2013-001.html
[1] http://security-tracker.debian.org/tracker/CVE-2013-2686
http://downloads.asterisk.org/pub/security/AST-2013-002.html
[2] http://security-tracker.debian.org/tracker/CVE-2013-2264
http://downloads.asterisk.org/pub/security/AST-2013-003.html
[3] https://issues.asterisk.org/jira/browse/ASTERISK-20901
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
Information forwarded to debian-bugs-dist@lists.debian.org, Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>: Bug#704114; Package asterisk. (Thu, 28 Mar 2013 07:51:04 GMT)
Acknowledgement sent to Tzafrir Cohen <tzafrir.cohen@xorcom.com>: Extra info received and forwarded to list. Copy sent to Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>. (Thu, 28 Mar 2013 07:51:04 GMT)
Message #10 received at 704114@bugs.debian.org:
On Thu, Mar 28, 2013 at 06:23:32AM +0100, Salvatore Bonaccorso wrote:
> Package: asterisk
> Severity: grave
> Tags: security patch upstream
>
> Hi,
>
> the following vulnerabilities were published for asterisk.
>
> CVE-2013-2685[0]:
> Buffer Overflow Exploit Through SIP SDP Header
>
> CVE-2013-2686[1]:
> Denial of Service in HTTP server
>
> CVE-2013-2264[2]:
> Username disclosure in SIP channel driver
>
> For CVE-2013-2685 the tracker[3] mentions only 1.11.x. Could you
> double-check that squeeze, testing and wheezy are not affected?
According to the upstream advisories, both are in effect for 1.8.
Didn't yet check backporting it (to our 1.8 in Testing/Unstable) and to
1.6.2 in Stable.
>
> If you fix the vulnerabilities please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
>
> For further information see:
>
> [0] http://security-tracker.debian.org/tracker/CVE-2013-2685
> http://downloads.asterisk.org/pub/security/AST-2013-001.html
> [1] http://security-tracker.debian.org/tracker/CVE-2013-2686
> http://downloads.asterisk.org/pub/security/AST-2013-002.html
> [2] http://security-tracker.debian.org/tracker/CVE-2013-2264
> http://downloads.asterisk.org/pub/security/AST-2013-003.html
> [3] https://issues.asterisk.org/jira/browse/ASTERISK-20901
>
> Please adjust the affected versions in the BTS as needed.
--
Tzafrir Cohen
icq#16849755 jabber:tzafrir.cohen@xorcom.com
+972-50-7952406 mailto:tzafrir.cohen@xorcom.com
http://www.xorcom.com iax:guest@local.xorcom.com/tzafrir
Information forwarded to debian-bugs-dist@lists.debian.org, Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>: Bug#704114; Package asterisk. (Fri, 29 Mar 2013 05:57:04 GMT)
Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>: Extra info received and forwarded to list. Copy sent to Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>. (Fri, 29 Mar 2013 05:57:04 GMT)
Message #15 received at 704114@bugs.debian.org:
Hi Tzafrir
On Thu, Mar 28, 2013 at 09:37:30AM +0200, Tzafrir Cohen wrote:
> On Thu, Mar 28, 2013 at 06:23:32AM +0100, Salvatore Bonaccorso wrote:
> > Package: asterisk
> > Severity: grave
> > Tags: security patch upstream
> >
> > Hi,
> >
> > the following vulnerabilities were published for asterisk.
> >
> > CVE-2013-2685[0]:
> > Buffer Overflow Exploit Through SIP SDP Header
> >
> > CVE-2013-2686[1]:
> > Denial of Service in HTTP server
> >
> > CVE-2013-2264[2]:
> > Username disclosure in SIP channel driver
> >
> > For CVE-2013-2685 the tracker[3] mentions only 1.11.x. Could you
> > double-check that squeeze, testing and wheezy are not affected?
>
> According to the upstream advisories, both are in effect for 1.8.
> Didn't yet check backporting it (to our 1.8 in Testing/Unstable) and to
> 1.6.2 in Stable.
Thank you for confirming! (note my above comment was related only to
one of the issues, CVE-2013-2685).
Could you prepare updates to be included via unstable in wheezy?
Thank you for your work!
Regards,
Salvatore
Information forwarded to debian-bugs-dist@lists.debian.org, Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>: Bug#704114; Package asterisk. (Fri, 05 Apr 2013 13:27:09 GMT)
Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>: Extra info received and forwarded to list. Copy sent to Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>. (Fri, 05 Apr 2013 13:27:09 GMT)
Message #20 received at 704114@bugs.debian.org:
Hi Tzafrir
On Fri, Mar 29, 2013 at 06:53:31AM +0100, Salvatore Bonaccorso wrote:
> Hi Tzafrir
>
> On Thu, Mar 28, 2013 at 09:37:30AM +0200, Tzafrir Cohen wrote:
> > On Thu, Mar 28, 2013 at 06:23:32AM +0100, Salvatore Bonaccorso wrote:
> > > Package: asterisk
> > > Severity: grave
> > > Tags: security patch upstream
> > >
> > > Hi,
> > >
> > > the following vulnerabilities were published for asterisk.
> > >
> > > CVE-2013-2685[0]:
> > > Buffer Overflow Exploit Through SIP SDP Header
> > >
> > > CVE-2013-2686[1]:
> > > Denial of Service in HTTP server
> > >
> > > CVE-2013-2264[2]:
> > > Username disclosure in SIP channel driver
> > >
> > > For CVE-2013-2685 the tracker[3] mentions only 1.11.x. Could you
> > > double-check that squeeze, testing and wheezy are not affected?
> >
> > According to the upstream advisories, both are in effect for 1.8.
> > Didn't yet check backporting it (to our 1.8 in Testing/Unstable) and to
> > 1.6.2 in Stable.
>
> Thank you for confirming! (note my above comment was related only to
> one of the issues, CVE-2013-2685).
>
> Could you prepare updates to be included via unstable in wheezy?
Ping? Did you have a chance to look at it already?
Thanks a lot, and
Regards,
Salvatore
Information forwarded to debian-bugs-dist@lists.debian.org, Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>: Bug#704114; Package asterisk. (Sat, 06 Apr 2013 12:27:07 GMT)
Acknowledgement sent to Tzafrir Cohen <tzafrir.cohen@xorcom.com>: Extra info received and forwarded to list. Copy sent to Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>. (Sat, 06 Apr 2013 12:27:07 GMT)
Message #25 received at 704114@bugs.debian.org:
On Fri, Apr 05, 2013 at 03:24:29PM +0200, Salvatore Bonaccorso wrote:
> Hi Tzafrir
>
> On Fri, Mar 29, 2013 at 06:53:31AM +0100, Salvatore Bonaccorso wrote:
> > Hi Tzafrir
> >
> > On Thu, Mar 28, 2013 at 09:37:30AM +0200, Tzafrir Cohen wrote:
> > > On Thu, Mar 28, 2013 at 06:23:32AM +0100, Salvatore Bonaccorso wrote:
> > > > Package: asterisk
> > > > Severity: grave
> > > > Tags: security patch upstream
> > > >
> > > > Hi,
> > > >
> > > > the following vulnerabilities were published for asterisk.
> > > >
> > > > CVE-2013-2685[0]:
> > > > Buffer Overflow Exploit Through SIP SDP Header
> > > >
> > > > CVE-2013-2686[1]:
> > > > Denial of Service in HTTP server
> > > >
> > > > CVE-2013-2264[2]:
> > > > Username disclosure in SIP channel driver
> > > >
> > > > For CVE-2013-2685 the tracker[3] mentions only 1.11.x. Could you
> > > > double-check that squeeze, testing and wheezy are not affected?
> > >
> > > According to the upstream advisories, both are in effect for 1.8.
> > > Didn't yet check backporting it (to our 1.8 in Testing/Unstable) and to
> > > 1.6.2 in Stable.
> >
> > Thank you for confirming! (note my above comment was related only to
> > one of the issues, CVE-2013-2685).
> >
> > Could you prepare updates to be included via unstable in wheezy?
>
> Ping? Did you have a chance to look at it already?
Update:
AST-2013-001 (CVE-2013-2685):
Not applicable to either Stable or Testing/Unstable:
new code not included yet even in 1.8.
AST-2013-002 (CVE-2013-2686):
Applies to Testing/Unstable but not to Stable:
Testing/Unstable: see patch from Upstream. Stable: httpd code does not
read HTTP POST variables.
AST-2013-003 (CVE-2013-2264):
Applies to both Testing and Unstable.
Testing/Unstable: see patch from Upstream. Stable: Patch backported.
For Unstable/Testing I include two other simple bug fixes. Both trivial
backports from later 1.8.x revisions.
--
Tzafrir Cohen
icq#16849755 jabber:tzafrir.cohen@xorcom.com
+972-50-7952406 mailto:tzafrir.cohen@xorcom.com
http://www.xorcom.com iax:guest@local.xorcom.com/tzafrir
Reply sent to Tzafrir Cohen <tzafrir@debian.org>: You have taken responsibility. (Sat, 06 Apr 2013 12:51:23 GMT)
Notification sent to Salvatore Bonaccorso <carnil@debian.org>: Bug acknowledged by developer. (Sat, 06 Apr 2013 12:51:23 GMT)
Message #30 received at 704114-close@bugs.debian.org:
Source: asterisk
Source-Version: 1:1.8.13.1~dfsg-2
We believe that the bug you reported is fixed in the latest version of
asterisk, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 704114@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Tzafrir Cohen <tzafrir@debian.org> (supplier of updated asterisk package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Sat, 06 Apr 2013 14:15:41 +0300
Source: asterisk
Binary: asterisk asterisk-modules asterisk-dahdi asterisk-voicemail asterisk-voicemail-imapstorage asterisk-voicemail-odbcstorage asterisk-ooh423 asterisk-mp3 asterisk-mysql asterisk-mobile asterisk-doc asterisk-dev asterisk-dbg asterisk-config
Architecture: source all amd64
Version: 1:1.8.13.1~dfsg-2
Distribution: unstable
Urgency: high
Maintainer: Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>
Changed-By: Tzafrir Cohen <tzafrir@debian.org>
Description:
asterisk - Open Source Private Branch Exchange (PBX)
asterisk-config - Configuration files for Asterisk
asterisk-dahdi - DAHDI devices support for the Asterisk PBX
asterisk-dbg - Debugging symbols for Asterisk
asterisk-dev - Development files for Asterisk
asterisk-doc - Source code documentation for Asterisk
asterisk-mobile - Bluetooth phone support for the Asterisk PBX
asterisk-modules - loadable modules for the Asterisk PBX
asterisk-mp3 - MP3 playback support for the Asterisk PBX
asterisk-mysql - MySQL database protocol support for the Asterisk PBX
asterisk-ooh423 - H.323 protocol support for the Asterisk PBX - ooH323c
asterisk-voicemail - simple voicemail support for the Asterisk PBX
asterisk-voicemail-imapstorage - IMAP voicemail storage support for the Asterisk PBX
asterisk-voicemail-odbcstorage - ODBC voicemail storage support for the Asterisk PBX
Closes: 545272 614786 697230 701505 704114
Changes:
asterisk (1:1.8.13.1~dfsg-2) unstable; urgency=high
.
* Patches backported from Asterisk 1.8.19.1 (Closes: #697230):
- Patch AST-2012-014 (CVE-2012-5976) - fixes Crashes due to large stack
allocations when using TCP.
The following two fixes were also pulled in order to easily apply it:
- Patch fix-sip-tcp-no-FILE - Switch to reading with a recv loop
- Patch fix-sip-tls-leak - Memory leak in the SIP TLS code
- Patch AST-2012-015 (CVE-2012-5977) - Denial of Service Through
Exploitation of Device State Caching
* Patch powerpcspe: Fix OSARCH for powerpcspe (Closes: #701505).
* README.Debian: document running the testsuite.
* Patch fix_xmpp_19532: fix a crash of the XMPP code (Closes: #545272).
* Patches backported from Asterisk 1.8.20.2 (Closes: #704114):
- Patch AST-2013-002 (CVE-2012-2686): Prevent DoS in HTTP server with
a large POST.
- Patch AST-2013-003 (CVE-2012-2264): Prevent username disclosure in
SIP channel driver.
* Patch bluetooth_bind - fix breakage of chan_mobile (Closes: #614786).
Checksums-Sha1:
44deeaec180e8ea1a8b5fadcb437b47f8e0a9210 2997 asterisk_1.8.13.1~dfsg-2.dsc
47bf9b69eda991176312c44e547e18535e3d289f 383725 asterisk_1.8.13.1~dfsg-2.debian.tar.gz
682838a4acda2dd6ac6815a1e0e10dbbdf14a773 1990642 asterisk-doc_1.8.13.1~dfsg-2_all.deb
ecdd8185947fad10b842c43808f712fa10fb4147 958432 asterisk-dev_1.8.13.1~dfsg-2_all.deb
8fa7dff25ed7098053ad52bb7c4816a20af44a58 999336 asterisk-config_1.8.13.1~dfsg-2_all.deb
e0d01dfea3849b2231f4be962cd24d413d36a694 1773024 asterisk_1.8.13.1~dfsg-2_amd64.deb
2fc7e7b14e54911abafe25b88a96846b7157a3ad 2835034 asterisk-modules_1.8.13.1~dfsg-2_amd64.deb
ad62ed168388d782add5a9a22b20c56572a326eb 924448 asterisk-dahdi_1.8.13.1~dfsg-2_amd64.deb
1402f4b7688da5eb8edb8632ff5013f9252ec365 693284 asterisk-voicemail_1.8.13.1~dfsg-2_amd64.deb
9ea2cc9639f3344f6af7745d9aec8cdf82025a1b 710612 asterisk-voicemail-imapstorage_1.8.13.1~dfsg-2_amd64.deb
42b7a0cd5d37eb16d02e2c60619b4f78428f4aeb 699496 asterisk-voicemail-odbcstorage_1.8.13.1~dfsg-2_amd64.deb
1e2492cd001cc8bb145bf21ce4e3d9c5aa5e61d0 1037736 asterisk-ooh423_1.8.13.1~dfsg-2_amd64.deb
5b6d842fce8c1a512091cf89e28262a9d70c544e 632852 asterisk-mp3_1.8.13.1~dfsg-2_amd64.deb
8e0bfa80bd7efa3e538d417da9349db2cac49c59 658036 asterisk-mysql_1.8.13.1~dfsg-2_amd64.deb
55e6eb43719cfc7e398d16818f80d4d9f7ddbe80 646350 asterisk-mobile_1.8.13.1~dfsg-2_amd64.deb
4bc9e9f3b1e262b4a18b1e9132ca8b9794378641 30063412 asterisk-dbg_1.8.13.1~dfsg-2_amd64.deb
Checksums-Sha256:
89849cdc7dbfe6a58641d00f47451d8b14b33323d11869cffaf353cff7c3d324 2997 asterisk_1.8.13.1~dfsg-2.dsc
164fa8209cf09ca0d55ccff68ca5c0106925fb859778e4cdb8c11db70ded35a4 383725 asterisk_1.8.13.1~dfsg-2.debian.tar.gz
65fff2025ff9f2ca54ff831138f5fffc37c6468f718358b99694d350d384dd1d 1990642 asterisk-doc_1.8.13.1~dfsg-2_all.deb
6973b0577ae30a7eb5fe06ef203011cd559f4e4b523549663c36122af1a0a3d5 958432 asterisk-dev_1.8.13.1~dfsg-2_all.deb
2f0610a11d5cde2fc2a2250009040f7d2235d233ee0165cdda387ea9e1d09692 999336 asterisk-config_1.8.13.1~dfsg-2_all.deb
2f0ae2081b1274aa63393fdde89c263885938da012cecb719e583f903c2fff95 1773024 asterisk_1.8.13.1~dfsg-2_amd64.deb
15807f0011a6eaa52247e62cf7f53db2a0ebaae9ad036c5c326e587276d3bf2f 2835034 asterisk-modules_1.8.13.1~dfsg-2_amd64.deb
455b97dc22c5d1115e7f48a29f7682b71f52099c514df0f75944b1e86dfdae00 924448 asterisk-dahdi_1.8.13.1~dfsg-2_amd64.deb
729a9596ca446331d110aaf7abf20990e788ed5d0de7692af10b756432f2a7d8 693284 asterisk-voicemail_1.8.13.1~dfsg-2_amd64.deb
d26a732649fcb6977fb678741335ee58c7d2cf82ce5c7e6708a174ccb86a144e 710612 asterisk-voicemail-imapstorage_1.8.13.1~dfsg-2_amd64.deb
5a15ec459ef6c20a4a1ed87d1aff9f2ba43c60f750499f70518344c111a1d70c 699496 asterisk-voicemail-odbcstorage_1.8.13.1~dfsg-2_amd64.deb
eccce382fd00fb608609fa9a2060f870348c99fb73f35766a3f67523ac16e65b 1037736 asterisk-ooh423_1.8.13.1~dfsg-2_amd64.deb
562d61c503610bcb0c68d1bdf8728ae448ef2c9c2a6665c5b7ce0a3773c15474 632852 asterisk-mp3_1.8.13.1~dfsg-2_amd64.deb
e83d2c9aced0eef64dd9cb29d5104dd8bd88c9617e484bc4a6fedec47b99ea34 658036 asterisk-mysql_1.8.13.1~dfsg-2_amd64.deb
1438f69b175baf1960ba7e8c8a2fe8453982d497f00197458a309ffd4f44c050 646350 asterisk-mobile_1.8.13.1~dfsg-2_amd64.deb
88d736ece78908ab1788b4c6e21ec35417bdfb9b1c285c56fd93b2a2223adb72 30063412 asterisk-dbg_1.8.13.1~dfsg-2_amd64.deb
Files:
6417f1680400a558fc88d1fe3489a158 2997 comm optional asterisk_1.8.13.1~dfsg-2.dsc
e3e59cb57da45bfa59bd9d44e87fd8f9 383725 comm optional asterisk_1.8.13.1~dfsg-2.debian.tar.gz
6621a43552c9007fe39a9d64f36e009e 1990642 doc extra asterisk-doc_1.8.13.1~dfsg-2_all.deb
012ea04e3c90958b57f4f2af077a8e69 958432 devel extra asterisk-dev_1.8.13.1~dfsg-2_all.deb
f335f94a1cce11392816b7984a455d6a 999336 comm optional asterisk-config_1.8.13.1~dfsg-2_all.deb
e924e3d1ab119404299ef1626e5d9454 1773024 comm optional asterisk_1.8.13.1~dfsg-2_amd64.deb
12ba4a5c0535905238d6e4b8da6ad666 2835034 libs optional asterisk-modules_1.8.13.1~dfsg-2_amd64.deb
ba55a3695011d6e53eb6a8cc15ea5402 924448 comm optional asterisk-dahdi_1.8.13.1~dfsg-2_amd64.deb
8946a745e196176c5991ac6249141427 693284 comm optional asterisk-voicemail_1.8.13.1~dfsg-2_amd64.deb
86992f9a500b3c59ae923a95f0683590 710612 comm optional asterisk-voicemail-imapstorage_1.8.13.1~dfsg-2_amd64.deb
705ced4dc7b61c1a74577ff9ec1a8b3d 699496 comm optional asterisk-voicemail-odbcstorage_1.8.13.1~dfsg-2_amd64.deb
0ef84fe24f2c13ba539b59c6dbe9546b 1037736 comm optional asterisk-ooh423_1.8.13.1~dfsg-2_amd64.deb
29a7c7638b4f0d8a017c9dbf79f6c34f 632852 comm optional asterisk-mp3_1.8.13.1~dfsg-2_amd64.deb
2273410dc983bcaac8506b64d6412b0d 658036 comm optional asterisk-mysql_1.8.13.1~dfsg-2_amd64.deb
65ac1a8e20069544dbc588b523777c38 646350 comm optional asterisk-mobile_1.8.13.1~dfsg-2_amd64.deb
9747dd54d35010cae24da3bab606187c 30063412 debug extra asterisk-dbg_1.8.13.1~dfsg-2_amd64.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
iEYEARECAAYFAlFgEIoACgkQxArWdkN9MoskNQCeKhYqVSoK9vwajzANRV322clg
dw0AoK3CX1VlQjzsJQ54lReRt6awxnyE
=pWhD
-----END PGP SIGNATURE-----
Information forwarded to debian-bugs-dist@lists.debian.org, Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>: Bug#704114; Package asterisk. (Sun, 07 Apr 2013 19:57:04 GMT)
Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>: Extra info received and forwarded to list. Copy sent to Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>. (Sun, 07 Apr 2013 19:57:04 GMT)
Message #35 received at 704114@bugs.debian.org:
Hi Tzafrir
On Sat, Apr 06, 2013 at 03:25:20PM +0300, Tzafrir Cohen wrote:
> Update:
>
> AST-2013-001 (CVE-2013-2685):
> Not applicable to either Stable or Testing/Unstable:
> new code not included yet even in 1.8.
>
> AST-2013-002 (CVE-2013-2686):
> Applies to Testing/Unstable but not to Stable:
> Testing/Unstable: see patch from Upstream. Stable: httpd code does not
> read HTTP POST variables.
>
> AST-2013-003 (CVE-2013-2264):
> Applies to both Testing and Unstable.
> Testing/Unstable: see patch from Upstream. Stable: Patch backported.
>
> For Unstable/Testing I include two other simple bug fixes. Both trivial
> backports from later 1.8.x revisions.
Thanks a lot for your updated information. I have updated the security
tracker according to this and the closing version in unstable.
[Btw, I think there were two typos in the CVE ids in the latest
changelog for unstable, which might be worth fixing in a future upload
to unstable (only to keep the references correct; they should have been
CVE-2013-2686 and CVE-2013-2264).]
Thanks for your work!
Regards,
Salvatore
Marked as found in versions asterisk/1:1.8.13.1~dfsg-1. Request was from Steven Chamberlain <steven@pyro.eu.org> to control@bugs.debian.org. (Mon, 08 Apr 2013 12:03:04 GMT)
Marked as found in versions asterisk/1:1.6.2.9-2+squeeze10. Request was from Steven Chamberlain <steven@pyro.eu.org> to control@bugs.debian.org. (Mon, 08 Apr 2013 12:03:04 GMT)
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 07 May 2013 07:26:50 GMT)
Last modified: Wed Jun 19 15:04:46 2019