Hi Tzafrir

On Thu, Mar 28, 2013 at 09:37:30AM +0200, Tzafrir Cohen wrote:
> On Thu, Mar 28, 2013 at 06:23:32AM +0100, Salvatore Bonaccorso wrote:
> > Package: asterisk
> > Severity: grave
> > Tags: security patch upstream
> >
> > Hi,
> >
> > the following vulnerabilities were published for asterisk.
> >
> > CVE-2013-2685[0]:
> > Buffer Overflow Exploit Through SIP SDP Header
> >
> > CVE-2013-2686[1]:
> > Denial of Service in HTTP server
> >
> > CVE-2013-2264[2]:
> > Username disclosure in SIP channel driver
> >
> > For CVE-2013-2685 the tracker[3] mentions only 1.11.x. Could you
> > doublecheck that squeeze, testing and wheezy are not affected?
>
> According to the Upstream advisories, both are in effect for 1.8.
> Didn't yet check backporting it (to our 1.8 in Testing/Unstable) and to
> 1.6.2 in Stable.

Thank you for confirming! (note my above comment was related only to one
of the issues, CVE-2013-2685).

Could you prepare updates to be included via unstable in wheezy?

Thank you for your work!

Regards,
Salvatore