On Thu, Mar 28, 2013 at 06:23:32AM +0100, Salvatore Bonaccorso wrote:
> Package: asterisk
> Severity: grave
> Tags: security patch upstream
>
> Hi,
>
> the following vulnerabilities were published for asterisk.
>
> CVE-2013-2685[0]:
> Buffer Overflow Exploit Through SIP SDP Header
>
> CVE-2013-2686[1]:
> Denial of Service in HTTP server
>
> CVE-2013-2264[2]:
> Username disclosure in SIP channel driver
>
> For CVE-2013-2685 the tracker[3] mentions only 1.11.x. Could you
> double-check that squeeze, testing and wheezy are not affected?

According to the upstream advisories, both are in effect for 1.8.
Didn't yet check backporting it (to our 1.8 in Testing/Unstable) and
to 1.6.2 in Stable.

> If you fix the vulnerabilities please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
>
> For further information see:
>
> [0] http://security-tracker.debian.org/tracker/CVE-2013-2685
>     http://downloads.asterisk.org/pub/security/AST-2013-001.html
> [1] http://security-tracker.debian.org/tracker/CVE-2013-2686
>     http://downloads.asterisk.org/pub/security/AST-2013-002.html
> [2] http://security-tracker.debian.org/tracker/CVE-2013-2264
>     http://downloads.asterisk.org/pub/security/AST-2013-003.html
> [3] https://issues.asterisk.org/jira/browse/ASTERISK-20901
>
> Please adjust the affected versions in the BTS as needed.

-- 
Tzafrir Cohen         icq#16849755          jabber:[email protected]
+972-50-7952406           mailto:[email protected]
http://www.xorcom.com  iax:[email protected]/tzafrir

