[Bug 1048093] Re: Outstanding security fixes in asterisk

2012-09-09 Thread Allison Randal
** Description changed:

  (Tracking some collaborative work with persia)
  
  A review of RC bugs from Debian shows 4 CVEs fixed in the latest Debian
  release. This includes 2 CVEs fixed in an upstream (bug-fix level)
- release, and 2 fixed in Debian. Currently verifying that a merge is
- clean and minimal, for a possible FFe.
+ release, and 2 fixed in Debian. Update: this Debian release has now been
+ merged to quantal, see LP: #1022360
  
  Applying these fixes to Precise SRU would require cherrypicking.
  
- Unknown if these CVEs affect earlier Ubuntu releases also.
+ All CVEs affect only 1.8.x series of asterisk, so no work is needed for
+ releases earlier than precise.

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to asterisk in Ubuntu.
https://bugs.launchpad.net/bugs/1048093

Title:
  Outstanding security fixes in asterisk

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/asterisk/+bug/1048093/+subscriptions

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs


[Bug 1048093] Re: Outstanding security fixes in asterisk

2012-09-09 Thread Allison Randal
** Bug watch added: Debian Bug tracker #680470
   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=680470

** Also affects: asterisk (Debian) via
   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=680470
   Importance: Unknown
   Status: Unknown



[Bug 1048093] Re: Outstanding security fixes in asterisk

2012-09-09 Thread Allison Randal
** Description changed:

  (Tracking some collaborative work with persia)
  
  A review of RC bugs from Debian shows 4 CVEs fixed in the latest Debian
  release. This includes 2 CVEs fixed in an upstream (bug-fix level)
  release, and 2 fixed in Debian. Update: this Debian release has now been
  merged to quantal, see LP: #1022360
  
- Applying these fixes to Precise SRU would require cherrypicking.
+ The patch for AST-2012-012 (CVE-2012-4737) from Debian 1:1.8.13.1~dfsg-1
+ does not apply cleanly to precise package 1:1.8.10.1~dfsg-1ubuntu1. The
+ patch modifies code already changed by AST-2012-004 and other merged
+ changes from upstream 1.4 and 1.6 series (see r314628, r363141,
+ r364841). The change is too disruptive for inclusion in precise SRU, and
+ severity is only rated as Minor.
  
- All CVEs affect only 1.8.x series of asterisk, so no work is needed for
- releases earlier than precise.
+ 
+ Fixes for the other 3 CVEs have been cherrypicked to precise asterisk package:
+ 
+ [Impact]
+ DoS exploits for voice mail and re-invite transactions, ACL bypass for IAX2 peer calls.
+ 
+ [Test Cases]
+ Steps to reproduce each issue provided in upstream bug reports:
+ https://issues.asterisk.org/jira/browse/ASTERISK-19992
+ https://issues.asterisk.org/jira/browse/ASTERISK-20052
+ https://issues.asterisk.org/jira/browse/ASTERISK-20186
+ 
+ Testers will need to install both 'asterisk' and 'asterisk-voicemail'
+ packages. A simple asterisk configuration is attached to the bug report.
+ 
+ [Regression Potential]
+ Minimal, no known regressions in asterisk issue tracker or Debian BTS.
+ 
+ 
+ Also recommend 1:1.8.13.1~dfsg-1ubuntu1 for possible precise Backport (from quantal). It includes some feature additions and many non-critical fixes (too many to SRU the whole package), sufficient for some users to prefer the more recent version.
+ 
+ It is unlikely that cherrypicked patches for precise will apply cleanly
+ to oneiric, given the code drift between 1.8.4 and 1.8.10. All CVEs
+ affect only 1.8.x series of asterisk, so no work is needed for releases
+ earlier than oneiric.

** Attachment added: Simplistic Asterisk config for SRU testers
   https://bugs.launchpad.net/debian/+source/asterisk/+bug/1048093/+attachment/3304538/+files/simple_asterisk_config.txt



[Bug 1048093] Re: Outstanding security fixes in asterisk

2012-09-09 Thread Allison Randal
Yes, jtaylor made the quantal release last night.

I've linked in a branch with an SRU candidate for precise. Nominated for
precise.



[Bug 1048093] [NEW] Outstanding security fixes in asterisk

2012-09-08 Thread Allison Randal
Public bug reported:

Reviewing RC bugs from Debian shows 2 CVEs fixed in upstream bug-fix
release 1.8.13.1, and 2 additional CVEs fixed in latest Debian release.

** Affects: asterisk (Ubuntu)
 Importance: Undecided
 Status: New



[Bug 1048093] Re: Outstanding security fixes in asterisk

2012-09-08 Thread Allison Randal
** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2012-3863

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2012-2186

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2012-4737



[Bug 1048093] Re: Outstanding security fixes in asterisk

2012-09-08 Thread Allison Randal
** Description changed:

- Reviewing RC bugs from Debian shows 2 CVEs fixed in upstream bug-fix
- release 1.8.13.1, and 2 additional CVEs fixed in latest Debian release.
+ (Tracking some collaborative work with persia)
+ 
+ A review of RC bugs from Debian shows 4 CVEs fixed in the latest Debian
+ release. This includes 2 CVEs fixed in an upstream (bug-fix level)
+ release, and 2 fixed in Debian. Currently verifying that a merge is
+ clean and minimal, for a possible FFe.
+ 
+ Applying these fixes to Precise SRU would require cherrypicking.
+ 
+ Unknown if these CVEs affect earlier Ubuntu releases also.

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2012-3812



[Bug 784252] Re: package backuppc 3.2.0-3ubuntu4 failed to install/upgrade: subprocess installed post-installation script returned error exit status 1

2011-09-24 Thread Allison Randal
It is a permissions problem. The quick manual fix for this is to change
the user and group of the files /var/lib/backuppc/pc and
/var/lib/backuppc/cpool to 'backuppc'. I'm working on a packaging fix.

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to backuppc in Ubuntu.
https://bugs.launchpad.net/bugs/784252

Title:
  package backuppc 3.2.0-3ubuntu4 failed to install/upgrade: subprocess
  installed post-installation script returned error exit status 1

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/backuppc/+bug/784252/+subscriptions



[Bug 852484] Re: Merge backuppc 3.2.1-1 (main) from Debian unstable (main)

2011-09-18 Thread Allison Randal
I've pushed a merged branch of backuppc 3.2.1-1ubuntu1 to
lp:~allison/ubuntu/oneiric/backuppc/bug-852484. This is only a merge of
the new upstream release containing security fixes, and does not fix any
other bugs. (I'm working on those in different branches.)

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to backuppc in Ubuntu.
https://bugs.launchpad.net/bugs/852484

Title:
  Merge backuppc 3.2.1-1 (main) from Debian unstable (main)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/backuppc/+bug/852484/+subscriptions



[Bug 68729] Re: Loses all backups when disk is full

2011-09-14 Thread Allison Randal
We're at 3.2.0 in Oneiric. Is there any indication that this bug still
exists?

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to backuppc in Ubuntu.
https://bugs.launchpad.net/bugs/68729

Title:
  Loses all backups when disk is full

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/backuppc/+bug/68729/+subscriptions



[Bug 786250] [NEW] Remove dependency on perl-suid for Perl 5.12

2011-05-21 Thread Allison Randal
*** This bug is a security vulnerability ***

Public security bug reported:

Binary package hint: backuppc

The 5.12 release of Perl removes the suidperl binary, and therefore the
perl_5.12.3-6ubuntu4 package no longer includes the perl-suid package.
Oneiric will be migrating to Perl 5.12, and so all packages that depend
on perl-suid must be updated to remove the dependency.

The Perl 5 Porters (upstream core developers of Perl) recommend two
alternative solutions to suidperl: sudo or a small C wrapper. BackupPC
uses suidperl for a CGI script, which means it's not possible to
substitute sudo. Fedora has applied a patch to use a C wrapper around
the CGI script (https://bugzilla.redhat.com/show_bug.cgi?id=611009), and
a similar patch has been submitted for Debian but not yet applied
(http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=581950). I'll submit a
branch of lp:ubuntu/backuppc applying this patch to the Ubuntu package.
I'm requesting review of this solution by the Security Team, since it
involves escalating privileges through a CGI script.

** Affects: backuppc (Ubuntu)
 Importance: Undecided
 Status: New

** Affects: backuppc (Debian)
 Importance: Unknown
 Status: Unknown

** Affects: backuppc (Fedora)
 Importance: Unknown
 Status: Unknown


** Tags: oneiric perl-5.12-transition

** Bug watch added: Debian Bug tracker #581950
   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=581950

** Also affects: backuppc (Debian) via
   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=581950
   Importance: Unknown
   Status: Unknown

** Bug watch added: Red Hat Bugzilla #611009
   https://bugzilla.redhat.com/show_bug.cgi?id=611009

** Also affects: backuppc (Fedora) via
   https://bugzilla.redhat.com/show_bug.cgi?id=611009
   Importance: Unknown
   Status: Unknown

** Visibility changed to: Public

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to backuppc in Ubuntu.
https://bugs.launchpad.net/bugs/786250

Title:
  Remove dependency on perl-suid for Perl 5.12

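The "small C wrapper" alternative to suidperl that the report above refers to, as an added example (not the Fedora or Debian patch and not BackupPC's own code): a minimal wrapper that refuses to run unless it is installed setuid/setgid to the target account, makes the real ids match the effective ones, passes through only a whitelist of CGI environment variables, and execs the script at a fixed path. TARGET, WRAPPER_USER and the whitelist are hypothetical assumptions.

```c
/* Added example, not the Fedora/Debian patch: a minimal setuid wrapper of the
 * kind proposed as the suidperl replacement. Hypothetical assumptions: the CGI
 * lives at TARGET and the wrapper is installed setuid/setgid WRAPPER_USER. */
#define _GNU_SOURCE
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <pwd.h>
#define TARGET "/usr/share/backuppc/cgi-bin/index.cgi" /* hypothetical path */
#define WRAPPER_USER "backuppc"
extern char **environ;
/* CGI variables the script needs; all else (PERL5LIB, PERL5OPT, LD_PRELOAD,
 * ...) is dropped so the web server's caller cannot steer the interpreter. */
static const char *const keep[] = {
    "REQUEST_METHOD", "QUERY_STRING", "CONTENT_LENGTH", "CONTENT_TYPE",
    "REMOTE_USER", "REMOTE_ADDR", "SCRIPT_NAME", "PATH_INFO",
    "SERVER_NAME", "SERVER_PORT", "HTTP_COOKIE", "HTTP_HOST", NULL };
/* Returns 1 if 'name' is whitelisted, 0 otherwise. */
int env_allowed(const char *name) {
    for (int i = 0; keep[i]; i++)
        if (strcmp(name, keep[i]) == 0) return 1;
    return 0;
}
/* Copies whitelisted "NAME=value" entries of 'in' into 'out' (NULL-terminated,
 * room for max+1 pointers) and returns how many were kept. */
int filter_env(char *const *in, char **out, int max) {
    int n = 0;
    for (int i = 0; in[i] && n < max; i++) {
        const char *eq = strchr(in[i], '=');
        size_t len = eq ? (size_t)(eq - in[i]) : 0;
        char name[64];
        if (len == 0 || len >= sizeof name) continue; /* malformed or too long */
        memcpy(name, in[i], len); name[len] = '\0';
        if (env_allowed(name)) out[n++] = in[i];
    }
    out[n] = NULL;
    return n;
}
int main(void) {
    struct passwd *pw = getpwnam(WRAPPER_USER);
    if (!pw || geteuid() != pw->pw_uid) {            /* refuse to run if misinstalled */
        fputs("wrapper is not setuid " WRAPPER_USER "\n", stderr); return 1;
    }
    /* Real ids = effective ids, so the interpreter runs entirely as WRAPPER_USER;
     * an unprivileged process may do this with setre*id; set gid before uid. */
    if (setregid(pw->pw_gid, pw->pw_gid) != 0 ||
        setreuid(pw->pw_uid, pw->pw_uid) != 0) { perror("drop ids"); return 1; }
    char *env[32];
    filter_env(environ, env, 31);
    char *const argv[] = { TARGET, NULL };
    execve(TARGET, argv, env);                       /* fixed path, no PATH lookup */
    perror("execve"); return 1;
}
```

Installed with mode 4750 (or 6750) owned by the target account and executable by the web server's group, the wrapper plays the role the setuid bit on the Perl script played under suidperl.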