That is fine with me, Jonathan. I think you're right that the tracker is wrong, but also we aren't shipping vulnerabilities by default.

-- John

On 04/02/2012 04:50 PM, Jonathan Wiltshire wrote:
> On Mon, Apr 02, 2012 at 01:38:40PM -0500, John Goerzen wrote:
>> Package: asterisk
>> Version: 1:1.6.2.9-2+squeeze4
>> Severity: grave
>> Tags: security squeeze
>> Justification: user security hole
>>
>> Per:
>>
>> http://downloads.asterisk.org/pub/security/AST-2012-002.txt
>>
>> the asterisk in squeeze is vulnerable to a buffer overflow.
>
> Security team: the tracker says not-affected (Vulnerable code not present);
> this seems not to be the case but the default configuration protects from
> this vulnerability. I will take it on as a no-dsa if you wish.
>
> John: on that basis, do you agree the severity should be reduced (probably
> to important)?
>
>> The package in testing may also be vulnerable to:
>>
>> http://downloads.asterisk.org/pub/security/AST-2012-003.txt
>
> Currently it is. I have suggested to the release team that they age the
> version in sid to get the fix into testing.

--
To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org