On Mon, Apr 02, 2012 at 01:38:40PM -0500, John Goerzen wrote:
> Package: asterisk
> Version: 1:1.6.2.9-2+squeeze4
> Severity: grave
> Tags: security squeeze
> Justification: user security hole
>
> Per:
>
> http://downloads.asterisk.org/pub/security/AST-2012-002.txt
>
> the asterisk in squeeze is vulnerable to a buffer overflow.

Security team: the tracker says not-affected (Vulnerable code not present);
this seems not to be the case but the default configuration protects from
this vulnerability. I will take it on as a no-dsa if you wish.

John: on that basis, do you agree the severity should be reduced (probably
to important)?

> The package in testing may also be vulnerable to:
>
> http://downloads.asterisk.org/pub/security/AST-2012-003.txt

Currently it is. I have suggested to the release team that they age the
version in sid to get the fix into testing.

-- 
Jonathan Wiltshire                                      j...@debian.org
Debian Developer                         http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51

<directhex> i have six years of solaris sysadmin experience, from 8->10. i am well qualified to say it is made from bonghits layered on top of bonghits