This bug was fixed in the package asterisk - 1:1.8.13.1~dfsg-3ubuntu1

---------------
asterisk (1:1.8.13.1~dfsg-3ubuntu1) saucy; urgency=low

  * Merge from Debian unstable. (LP: #1205644) Remaining changes:
    - debian/asterisk.init:
      + chown /dev/dahdi
    - debian/control, debian/rules:
      + Enable Hardening Wrapper (PIE and BIND_NOW).
      + Build against libical 1.0.
    - debian/patches/armhf-fixes:
      + Fix FTBFS on armhf.
  * Fixed security issues:
    - CVE-2012-5976 (LP: #1097687)
    - CVE-2012-5977 (LP: #1097691)
    - CVE-2013-2686
    - CVE-2013-2264

asterisk (1:1.8.13.1~dfsg-3) unstable; urgency=high

  * Rewrote sip.conf parts of AST-2012-014: dropped patches
    fix-sip-tcp-no-FILE and fix-sip-tls-leak.
  * Reverting other changes rejected by the release team:
    README.Debian, powerpcspe and fix_xmpp_19532 dropped
    (#545272 and #701505 reopened).

asterisk (1:1.8.13.1~dfsg-2) unstable; urgency=high

  * Patches backported from Asterisk 1.8.19.1 (Closes: #697230):
    - Patch AST-2012-014 (CVE-2012-5976) - fixes Crashes due to large stack
      allocations when using TCP.
      The following two fixes were also pulled in order to easily apply it:
      - Patch fix-sip-tcp-no-FILE - Switch to reading with a recv loop
      - Patch fix-sip-tls-leak - Memory leak in the SIP TLS code
    - Patch AST-2012-015 (CVE-2012-5977) - Denial of Service Through
      Exploitation of Device State Caching
  * Patch powerpcspe: Fix OSARCH for powerpcspe (Closes: #701505).
  * README.Debian: document running the testsuite.
  * Patch fix_xmpp_19532: fix a crash of the XMPP code (Closes: #545272).
  * Patches backported from Asterisk 1.8.20.2 (Closes: #704114):
    - Patch AST-2013-002 (CVE-2013-2686): Prevent DoS in HTTP server with
      a large POST.
    - Patch AST-2013-003 (CVE-2013-2264): Prevent username disclosure in
      SIP channel driver.
  * Patch bluetooth_bind - fix breakage of chan_mobile (Closes: #614786).

 -- Artur Rona <ari-tc...@tlen.pl>  Sat, 27 Jul 2013 14:56:17 +0200

** Changed in: asterisk (Ubuntu)
       Status: Incomplete => Fix Released

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2012-5976

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2013-2264

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2013-2686

https://bugs.launchpad.net/bugs/1097691

Title:
  (CVE-2012-5977) AST-2012-015 Denial of Service Through Exploitation of
  Device State Caching