[Bug 1048093] Re: Outstanding security fixes in asterisk
The Precise Pangolin has reached end of life, so this bug will not be fixed for that release

** Changed in: asterisk (Ubuntu Precise)
       Status: New => Won't Fix

--
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1048093

Title:
  Outstanding security fixes in asterisk

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/asterisk/+bug/1048093/+subscriptions

--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1048093] Re: Outstanding security fixes in asterisk
** Changed in: asterisk (Debian)
       Status: Unknown => Fix Released
[Bug 1048093] Re: Outstanding security fixes in asterisk
** Description changed: (Tracking some collaborative work with persia) A review of RC bugs from Debian shows 4 CVEs fixed in the latest Debian release. This includes 2 CVEs fixed in an upstream (bug-fix level) - release, and 2 fixed in Debian. Currently verifying that a merge is - clean and minimal, for a possible FFe. + release, and 2 fixed in Debian. Update: this Debian release has now been + merged to quantal, see LP: #1022360 Applying these fixes to Precise SRU would require cherrypicking. - Unknown if these CVEs affect earlier Ubuntu releases also. + All CVEs affect only 1.8.x series of asterisk, so no work is needed for + releases earlier than precise.
[Bug 1048093] Re: Outstanding security fixes in asterisk
** Bug watch added: Debian Bug tracker #680470
   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=680470

** Also affects: asterisk (Debian) via
   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=680470
   Importance: Unknown
       Status: Unknown
[Bug 1048093] Re: Outstanding security fixes in asterisk
Hey, I believe these are fixed in Quantal.. but Precise should be nominated?
[Bug 1048093] Re: Outstanding security fixes in asterisk
** Description changed: (Tracking some collaborative work with persia) A review of RC bugs from Debian shows 4 CVEs fixed in the latest Debian release. This includes 2 CVEs fixed in an upstream (bug-fix level) release, and 2 fixed in Debian. Update: this Debian release has now been merged to quantal, see LP: #1022360 - Applying these fixes to Precise SRU would require cherrypicking. + The patch for AST-2012-012 (CVE-2012-4737) from Debian 1:1.8.13.1~dfsg-1 + does not apply cleanly to precise package 1:1.8.10.1~dfsg-1ubuntu1. The + patch modifies code already changed by AST-2012-004 and other merged + changes from upstream 1.4 and 1.6 series (see r314628, r363141, + r364841). The change is too disruptive for inclusion in precise SRU, and + severity is only rated as Minor. - All CVEs affect only 1.8.x series of asterisk, so no work is needed for - releases earlier than precise. + + Fixes for the other 3 CVEs have been cherrypicked to precise asterisk package: + + [Impact] + DoS exploits for voice mail and re-invite transactions, ACL bypass for IAX2 peer calls. + + [Test Cases] + Steps to reproduce each issue provided in upstream bug reports: + https://issues.asterisk.org/jira/browse/ASTERISK-19992 + https://issues.asterisk.org/jira/browse/ASTERISK-20052 + https://issues.asterisk.org/jira/browse/ASTERISK-20186 + + Testers will need to install both 'asterisk' and 'asterisk-voicemail' + packages. A simple asterisk configuration is attached to the bug report. + + [Regression Potential] + Minimal, no known regressions in asterisk issue tracker or Debian BTS. + + + Also recommend 1:1.8.13.1~dfsg-1ubuntu1 for possible precise Backport (from quantal). It includes some feature additions and many non-critical fixes (too many to SRU the whole package), sufficient for some users to prefer the more recent version. + + It is unlikely that cherrypicked patches for precise will apply cleanly + to oneiric, given the code drift between 1.8.4 and 1.8.10. 
All CVEs + affect only 1.8.x series of asterisk, so no work is needed for releases + earlier than oneiric.

** Attachment added: Simplistic Asterisk config for SRU testers
   https://bugs.launchpad.net/debian/+source/asterisk/+bug/1048093/+attachment/3304538/+files/simple_asterisk_config.txt
[Bug 1048093] Re: Outstanding security fixes in asterisk
** Branch linked: lp:~allison/ubuntu/precise/asterisk/bug-1048093-precise-sru
[Bug 1048093] Re: Outstanding security fixes in asterisk
Yes, jtaylor made the quantal release last night. I've linked in a branch with an SRU candidate for precise. Nominated for precise.
[Bug 1048093] Re: Outstanding security fixes in asterisk
** Also affects: asterisk (Ubuntu Precise)
   Importance: Undecided
       Status: New

** Also affects: asterisk (Ubuntu Quantal)
   Importance: Undecided
       Status: New

** Changed in: asterisk (Ubuntu Quantal)
       Status: New => Fix Released
[Bug 1048093] Re: Outstanding security fixes in asterisk
** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2012-3863

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2012-2186

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2012-4737
[Bug 1048093] Re: Outstanding security fixes in asterisk
** Description changed: - Reviewing RC bugs from Debian shows 2 CVEs fixed in upstream bug-fix - release 1.8.13.1, and 2 additional CVEs fixed in latest Debian release. + (Tracking some collaborative work with persia) + + A review of RC bugs from Debian shows 4 CVEs fixed in the latest Debian + release. This includes 2 CVEs fixed in an upstream (bug-fix level) + release, and 2 fixed in Debian. Currently verifying that a merge is + clean and minimal, for a possible FFe. + + Applying these fixes to Precise SRU would require cherrypicking. + + Unknown if these CVEs affect earlier Ubuntu releases also.

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2012-3812