On Mon, Apr 02, 2012 at 10:50:07PM +0100, Jonathan Wiltshire wrote:
> On Mon, Apr 02, 2012 at 01:38:40PM -0500, John Goerzen wrote:
> > Package: asterisk
> > Version: 1:1.6.2.9-2+squeeze4
> > Severity: grave
> > Tags: security squeeze
> > Justification: user security hole
> > 
> > Per:
> > 
> > http://downloads.asterisk.org/pub/security/AST-2012-002.txt
> > 
> > the asterisk in squeeze is vulnerable to a buffer overflow.
> 
> Security team: the tracker says not-affected (Vulnerable code not present);
> this seems not to be the case but the default configuration protects from
> this vulnerability. I will take it on as a no-dsa if you wish.
> 
> John: on that basis, do you agree the severity should be reduced (probably
> to important)?

The default configuration is not too big a consideration with the Asterisk
dialplan. That said, the said dialplan application is also not commonly
used.

The Squeeze branch in the SVN includes the fix. As well as, ahem, the patch
for #651552 which was accidentally left out of the previous upload. No
idea how I failed to notice that.

http://anonscm.debian.org/viewvc/pkg-voip/asterisk/branches/squeeze/

> 
> 
> > The package in testing may also be vulnerable to:
> > 
> > http://downloads.asterisk.org/pub/security/AST-2012-003.txt
> 
> Currently it is. I have suggested to the release team that they age the
> version in sid to get the fix into testing.

Not applicable to Squeeze: the code in question is new to 1.8 (and not
backported in any patch we carry).

-- 
               Tzafrir Cohen
icq#16849755              jabber:tzafrir.co...@xorcom.com
+972-50-7952406           mailto:tzafrir.co...@xorcom.com
http://www.xorcom.com  iax:gu...@local.xorcom.com/tzafrir
