On Tue, Jan 08, 2013 at 02:45:59AM +0200, Tzafrir Cohen wrote: > Hi, > > On Wed, Jan 02, 2013 at 10:56:43PM +0100, Salvatore Bonaccorso wrote: > > Package: asterisk > > Severity: grave > > Tags: security > > Justification: user security hole > > > > -----BEGIN PGP SIGNED MESSAGE----- > > Hash: SHA512 > > > > Hi, > > > > the following vulnerabilities were published for asterisk. > > > > CVE-2012-5976[0]: > > Crashes due to large stack allocations when using TCP > > > > CVE-2012-5977[1]: > > Denial of Service Through Exploitation of Device State Caching > > > > If you fix the vulnerabilities please also make sure to include the > > CVE (Common Vulnerabilities & Exposures) ids in your changelog entry. > > > > For further information see: > > > > [0] http://security-tracker.debian.org/tracker/CVE-2012-5976 > > [1] http://security-tracker.debian.org/tracker/CVE-2012-5977 > > > > Please adjust the affected versions in the BTS as needed. > > > > According to the advisories all 1.8.x versions seems affected. > > Likewise is version 1.6.2 from Stable. I have fixes ready.
Ok, please upload to security-master once tests are sufficient. > On a side note, I'm not sure why > https://security-tracker.debian.org/tracker/CVE-2011-2666 is listed as > open. The respective bug has been closed: > As I mentioned before, I can change the default for alwaysauthreject, > I'm just not sure this should be done on a Stable package. It's marked as [squeeze] - asterisk <no-dsa> (minor issue; can be addressed through configuration) The tracker is correct in so far, that this isn't fixed in squeeze through a code fix. If you provide a short text what people need to modify in their config we can add it to the DSA text and use this as the "fix" for stable. Cheers, Moritz -- To UNSUBSCRIBE, email to [email protected] with a subject of "unsubscribe". Trouble? Contact [email protected]

