Bug#539473: CVE-2009-2651: Remote Crash Vulnerability in RTP stack
Moritz Muehlenhoff wrote:
> > You are right that we should do an update for a point release of lenny
> > though to address a minor information disclosure vulnerability[1], plus
> > some other non-security related bugs. However, I'd like to avoid
> > upgrading to a newer 1.4.x release but backport changes instead; we used
> > to heavily patch our sources and changing the upstream release is prone
> > to errors.
> Fine with me.

OK, will do soon.

> > As for etch, the current version should be affected by multiple
> > vulnerabilities (information disclosure *and* remote DoS) and I'm
> > currently unable to properly take care of them and test it. Unless a
> > comaintainer steps up (please people, do!) I'd be more inclined to suggest
> > a premature end of security support (are there precedents for this?)
> We can do that, yes. There are some precedents, like rails or Mozilla.

Hm, OK, I'll let you know in a few days. I guess an e-mail to secur...@d.o would be sufficient?

Thanks,
Faidon

-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#539473: CVE-2009-2651: Remote Crash Vulnerability in RTP stack
On Mon, Oct 05, 2009 at 03:02:55PM +0300, Faidon Liambotis wrote:
> Moritz Muehlenhoff wrote:
> > > You are right that we should do an update for a point release of lenny
> > > though to address a minor information disclosure vulnerability[1], plus
> > > some other non-security related bugs. However, I'd like to avoid
> > > upgrading to a newer 1.4.x release but backport changes instead; we used
> > > to heavily patch our sources and changing the upstream release is prone
> > > to errors.
> > Fine with me.
>
> OK, will do soon.
>
> > > As for etch, the current version should be affected by multiple
> > > vulnerabilities (information disclosure *and* remote DoS) and I'm
> > > currently unable to properly take care of them and test it. Unless a
> > > comaintainer steps up (please people, do!) I'd be more inclined to suggest
> > > a premature end of security support (are there precedents for this?)
> > We can do that, yes. There are some precedents, like rails or Mozilla.
>
> Hm, OK, I'll let you know in a few days. I guess an e-mail to
> secur...@d.o would be sufficient?

We can announce the EOL for Etch when the next Asterisk DSA appears for Lenny, but feel free to post to debian-security@l.d.o earlier.

Cheers,
Moritz
Bug#539473: CVE-2009-2651: Remote Crash Vulnerability in RTP stack
Sorry for the late followup, I've been on vacation.

On Wed, Sep 16, 2009 at 11:21:39PM +0300, Faidon Liambotis wrote:
> Hi,
>
> Moritz Muehlenhoff wrote:
> > Asterisk maintainers, what should be done about stable? Would it make
> > sense to update the stable version to 1.4.26.2 in a point update?
> > (IIRC there's still a performance regression affecting Lenny from a
> > previous security update?)
>
> This particular vulnerability does not affect lenny/1.4. There hasn't
> been a security update for lenny yet, perhaps you're thinking etch?

Yes, I seem to have confused this.

> You are right that we should do an update for a point release of lenny
> though to address a minor information disclosure vulnerability[1], plus
> some other non-security related bugs. However, I'd like to avoid
> upgrading to a newer 1.4.x release but backport changes instead; we used
> to heavily patch our sources and changing the upstream release is prone
> to errors.

Fine with me.

> As for etch, the current version should be affected by multiple
> vulnerabilities (information disclosure *and* remote DoS) and I'm
> currently unable to properly take care of them and test it. Unless a
> comaintainer steps up (please people, do!) I'd be more inclined to suggest
> a premature end of security support (are there precedents for this?)

We can do that, yes. There are some precedents, like rails or Mozilla.

Cheers,
Moritz
Bug#539473: CVE-2009-2651: Remote Crash Vulnerability in RTP stack
On Sat, Aug 01, 2009 at 10:57:33AM +0200, Giuseppe Iuculano wrote:
> Package: asterisk
> Version: 1:1.6.2.0~dfsg~beta3-1
> Severity: serious
> Tags: security patch
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hi,
> the following CVE (Common Vulnerabilities & Exposures) id was published
> for asterisk.
>
> CVE-2009-2651[0]:
> | main/rtp.c in Asterisk Open Source 1.6.1 before 1.6.1.2 allows remote
> | attackers to cause a denial of service (crash) via an RTP text frame
> | without a certain delimiter, which triggers a NULL pointer dereference
> | and the subsequent calculation of an invalid pointer.
>
> If you fix the vulnerability please also make sure to include the CVE id
> in your changelog entry.
>
> For further information see:
> [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2651
>     http://security-tracker.debian.net/tracker/CVE-2009-2651
>     http://downloads.asterisk.org/pub/security/AST-2009-004.html
>
> Patch: http://downloads.asterisk.org/pub/security/AST-2009-004-1.6.1.diff.txt

Asterisk maintainers, what should be done about stable? Would it make sense to update the stable version to 1.4.26.2 in a point update? (IIRC there's still a performance regression affecting Lenny from a previous security update?)

Cheers,
Moritz
Bug#539473: CVE-2009-2651: Remote Crash Vulnerability in RTP stack
Hi,

Moritz Muehlenhoff wrote:
> Asterisk maintainers, what should be done about stable? Would it make
> sense to update the stable version to 1.4.26.2 in a point update?
> (IIRC there's still a performance regression affecting Lenny from a
> previous security update?)

This particular vulnerability does not affect lenny/1.4. There hasn't been a security update for lenny yet, perhaps you're thinking etch?

You are right that we should do an update for a point release of lenny though to address a minor information disclosure vulnerability[1], plus some other non-security related bugs. However, I'd like to avoid upgrading to a newer 1.4.x release but backport changes instead; we used to heavily patch our sources and changing the upstream release is prone to errors.

As for etch, the current version should be affected by multiple vulnerabilities (information disclosure *and* remote DoS) and I'm currently unable to properly take care of them and test it. Unless a comaintainer steps up (please people, do!) I'd be more inclined to suggest a premature end of security support (are there precedents for this?)

Thanks,
Faidon

1: http://downloads.asterisk.org/pub/security/AST-2009-001.html
Bug#539473: CVE-2009-2651: Remote Crash Vulnerability in RTP stack
Package: asterisk
Version: 1:1.6.2.0~dfsg~beta3-1
Severity: serious
Tags: security patch

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was published for asterisk.

CVE-2009-2651[0]:
| main/rtp.c in Asterisk Open Source 1.6.1 before 1.6.1.2 allows remote
| attackers to cause a denial of service (crash) via an RTP text frame
| without a certain delimiter, which triggers a NULL pointer dereference
| and the subsequent calculation of an invalid pointer.

If you fix the vulnerability please also make sure to include the CVE id in your changelog entry.

For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2651
    http://security-tracker.debian.net/tracker/CVE-2009-2651
    http://downloads.asterisk.org/pub/security/AST-2009-004.html

Patch: http://downloads.asterisk.org/pub/security/AST-2009-004-1.6.1.diff.txt
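The crash pattern the CVE text describes (a missing delimiter in an RTP text frame leading to a NULL pointer dereference and an invalid pointer calculation), as an added illustration in C that is neither Asterisk's main/rtp.c nor the AST-2009-004 patch; the delimiter byte, the frame layout and the function names are assumptions, and the hardened handler shows the check a maintainer would want before any pointer arithmetic:

```c
#include <stdio.h>
#include <string.h>

/* Constructed illustration of the bug class behind CVE-2009-2651, not Asterisk's
 * main/rtp.c: an RTP text-payload handler finds a delimiter byte and then works
 * on the text after it. Delimiter value and frame layout are assumptions. */
#define TEXT_DELIM '\n'

/* Vulnerable pattern: memchr() returns NULL when the delimiter is absent, the
 * code then forms delim + 1 from NULL and dereferences it, so one malformed
 * frame from a remote sender crashes the process. Not called below. */
unsigned char first_text_byte_unsafe(const unsigned char *payload, size_t len)
{
    const unsigned char *delim = memchr(payload, TEXT_DELIM, len);
    const unsigned char *text = delim + 1;   /* invalid pointer if delim == NULL */
    return *text;
}

/* Hardened version: check the memchr() result before any pointer arithmetic and
 * reject a frame without the delimiter. Returns 1 on success (filling
 * text_out/text_len_out) and 0 on rejection. */
int text_after_delim_safe(const unsigned char *payload, size_t len,
                          const unsigned char **text_out, size_t *text_len_out)
{
    if (!payload || len == 0)
        return 0;
    const unsigned char *delim = memchr(payload, TEXT_DELIM, len);
    if (!delim)
        return 0;                            /* missing delimiter: drop frame */
    *text_out = delim + 1;
    *text_len_out = len - ((size_t)(delim - payload) + 1);
    return 1;
}

/* Demo helper: length of the text after the delimiter, or -1 if rejected. */
long frame_text_len(const char *frame)
{
    const unsigned char *text;
    size_t n;
    if (!text_after_delim_safe((const unsigned char *)frame, strlen(frame), &text, &n))
        return -1;
    return (long)n;
}

int main(void)
{
    /* Constructed sample frames: one well-formed, one lacking the delimiter. */
    printf("well-formed: %ld\n", frame_text_len("hdr\nhello"));   /* 5 */
    printf("no delimiter: %ld\n", frame_text_len("nodelimiter")); /* -1 */
    return 0;
}
```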