On Tue, Jan 08, 2013 at 02:45:59AM +0200, Tzafrir Cohen wrote:
> Hi,
> 
> On Wed, Jan 02, 2013 at 10:56:43PM +0100, Salvatore Bonaccorso wrote:
> > Package: asterisk
> > Severity: grave
> > Tags: security
> > Justification: user security hole
> > 
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA512
> > 
> > Hi,
> > 
> > the following vulnerabilities were published for asterisk.
> > 
> > CVE-2012-5976[0]:
> > Crashes due to large stack allocations when using TCP
> > 
> > CVE-2012-5977[1]:
> > Denial of Service Through Exploitation of Device State Caching
> > 
> > If you fix the vulnerabilities please also make sure to include the
> > CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
> > 
> > For further information see:
> > 
> > [0] http://security-tracker.debian.org/tracker/CVE-2012-5976
> > [1] http://security-tracker.debian.org/tracker/CVE-2012-5977
> > 
> > Please adjust the affected versions in the BTS as needed.
> > 
> > According to the advisories all 1.8.x versions seems affected.
> 
> Likewise is version 1.6.2 from Stable. I have fixes ready.

Ok, please upload to security-master once tests are sufficient.
 
> On a side note, I'm not sure why
> https://security-tracker.debian.org/tracker/CVE-2011-2666 is listed as
> open. The respective bug has been closed:
> As I mentioned before, I can change the default for alwaysauthreject,
> I'm just not sure this should be done on a Stable package.

It's marked as 

        [squeeze] - asterisk <no-dsa> (minor issue; can be addressed through 
configuration)

The tracker is correct in so far, that this isn't fixed in squeeze through
a code fix. If you provide a short text what people need to modify in their
config we can add it to the DSA text and use this as the "fix" for stable.

Cheers,
        Moritz


-- 
To UNSUBSCRIBE, email to [email protected]
with a subject of "unsubscribe". Trouble? Contact [email protected]

Reply via email to