[Bug 1048093] Re: Outstanding security fixes in asterisk

2012-09-10 Thread Bug Watch Updater
** Changed in: asterisk (Debian)
   Status: Unknown => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to asterisk in Ubuntu.
https://bugs.launchpad.net/bugs/1048093

Title:
  Outstanding security fixes in asterisk

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/asterisk/+bug/1048093/+subscriptions

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs


[Bug 1048093] Re: Outstanding security fixes in asterisk

2012-09-09 Thread Allison Randal
** Description changed:

  (Tracking some collaborative work with persia)
  
  A review of RC bugs from Debian shows 4 CVEs fixed in the latest Debian
  release. This includes 2 CVEs fixed in an upstream (bug-fix level)
- release, and 2 fixed in Debian. Currently verifying that a merge is
- clean and minimal, for a possible FFe.
+ release, and 2 fixed in Debian. Update: this Debian release has now been
+ merged to quantal, see LP: #1022360
  
  Applying these fixes to Precise SRU would require cherrypicking.
  
- Unknown if these CVEs affect earlier Ubuntu releases also.
+ All CVEs affect only the 1.8.x series of asterisk, so no work is needed for
+ releases earlier than precise.


[Bug 1048093] Re: Outstanding security fixes in asterisk

2012-09-09 Thread Allison Randal
** Bug watch added: Debian Bug tracker #680470
   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=680470

** Also affects: asterisk (Debian) via
   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=680470
   Importance: Unknown
   Status: Unknown


[Bug 1048093] Re: Outstanding security fixes in asterisk

2012-09-09 Thread Dave Walker
Hey, I believe these are fixed in Quantal... but Precise should be
nominated?


[Bug 1048093] Re: Outstanding security fixes in asterisk

2012-09-09 Thread Allison Randal
** Description changed:

  (Tracking some collaborative work with persia)
  
  A review of RC bugs from Debian shows 4 CVEs fixed in the latest Debian
  release. This includes 2 CVEs fixed in an upstream (bug-fix level)
  release, and 2 fixed in Debian. Update: this Debian release has now been
  merged to quantal, see LP: #1022360
  
- Applying these fixes to Precise SRU would require cherrypicking.
+ The patch for AST-2012-012 (CVE-2012-4737) from Debian 1:1.8.13.1~dfsg-1
+ does not apply cleanly to precise package 1:1.8.10.1~dfsg-1ubuntu1. The
+ patch modifies code already changed by AST-2012-004 and other merged
+ changes from upstream 1.4 and 1.6 series (see r314628, r363141,
+ r364841). The change is too disruptive for inclusion in precise SRU, and
+ severity is only rated as Minor.
  
- All CVEs affect only the 1.8.x series of asterisk, so no work is needed for
- releases earlier than precise.
+ 
+ Fixes for the other 3 CVEs have been cherrypicked to precise asterisk package:
+ 
+ [Impact]
+ DoS exploits for voice mail and re-invite transactions, ACL bypass for IAX2 peer calls.
+ 
+ [Test Cases]
+ Steps to reproduce each issue are provided in the upstream bug reports:
+ https://issues.asterisk.org/jira/browse/ASTERISK-19992
+ https://issues.asterisk.org/jira/browse/ASTERISK-20052
+ https://issues.asterisk.org/jira/browse/ASTERISK-20186
+ 
+ Testers will need to install both 'asterisk' and 'asterisk-voicemail'
+ packages. A simple asterisk configuration is attached to the bug report.
+ 
+ [Regression Potential]
+ Minimal, no known regressions in asterisk issue tracker or Debian BTS.
+ 
+ 
+ Also recommend 1:1.8.13.1~dfsg-1ubuntu1 for possible precise Backport (from quantal). It includes some feature additions and many non-critical fixes (too many to SRU the whole package), sufficient for some users to prefer the more recent version.
+ 
+ It is unlikely that cherrypicked patches for precise will apply cleanly
+ to oneiric, given the code drift between 1.8.4 and 1.8.10. All CVEs
+ affect only the 1.8.x series of asterisk, so no work is needed for releases
+ earlier than oneiric.

** Attachment added: Simplistic Asterisk config for SRU testers
   https://bugs.launchpad.net/debian/+source/asterisk/+bug/1048093/+attachment/3304538/+files/simple_asterisk_config.txt


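The SRU plan above turns on package version ordering: precise ships 1:1.8.10.1~dfsg-1ubuntu1, the fixes arrived in Debian 1:1.8.13.1~dfsg-1, and a cherry-picked SRU keeps the lower upstream version. As an added example (not code from this bug, from dpkg, from Ubuntu or from the Asterisk project), here is a pure-Python implementation of the dpkg version ordering applied to the versions named in the thread. It assumes 1:1.8.13.1~dfsg-1 is the first version carrying all four fixes and, following the description, that anything below 1.8 is unaffected; the changelog stanza and the version 1:1.8.10.1~dfsg-1ubuntu2 in it are constructed for the example and are not a real upload.

```python
"""dpkg-style version ordering (Debian Policy 5.6.12) applied to the asterisk
versions named in LP: #1048093.  Added example; not code from the bug report,
from dpkg, or from the Asterisk project."""
import re

# CVE ids attached to the bug; the fourth was left out of the precise SRU.
TRACKED_CVES = ("CVE-2012-2186", "CVE-2012-3812", "CVE-2012-3863", "CVE-2012-4737")

# Assumption: the Debian upload named in the thread as the source of the
# fixes is the first version carrying all four of them.
FIXED_VERSION = "1:1.8.13.1~dfsg-1"

# Per the thread only the 1.8.x series is affected. "1:1.8~" sorts below every
# 1.8 upstream version (even 1.8.0~dfsg) and above every 1.6.x one.
FIRST_AFFECTED = "1:1.8~"


def _split(version):
    """'epoch:upstream-revision' -> (epoch, upstream, revision)."""
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    upstream, revision = version, ""
    if "-" in version:  # only the last '-' starts the Debian revision
        upstream, revision = version.rsplit("-", 1)
    return epoch, upstream, revision


def _order(c):
    """Weight of one character inside a non-digit run, as dpkg defines it:
    '~' < end of string < letters < other punctuation."""
    if c == "~":
        return -1
    if c == "" or c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _ch(s, k):
    return s[k] if k < len(s) else ""


def _cmp_fragment(a, b):
    """Compare two upstream (or two revision) strings; <0, 0 or >0."""
    i = j = 0
    while i < len(a) or j < len(b):
        # A run of non-digits is compared character by character...
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            oa, ob = _order(_ch(a, i)), _order(_ch(b, j))
            if oa != ob:
                return oa - ob
            i, j = i + 1, j + 1
        # ...then a run of digits numerically, leading zeros dropped.
        while _ch(a, i) == "0":
            i += 1
        while _ch(b, j) == "0":
            j += 1
        first_diff = 0
        while _ch(a, i).isdigit() and _ch(b, j).isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i, j = i + 1, j + 1
        if _ch(a, i).isdigit():  # more digits left in a: larger number
            return 1
        if _ch(b, j).isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def compare_versions(a, b):
    """-1, 0 or 1 with the same ordering as `dpkg --compare-versions`."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    r = _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)
    return (r > 0) - (r < 0)


def classify(installed):
    """'unaffected' below 1.8, 'fixed' at or above FIXED_VERSION, otherwise
    'check-changelog': an SRU cherry-picks fixes without raising the upstream
    version, so a version compare alone cannot prove a build is unpatched."""
    if compare_versions(installed, FIRST_AFFECTED) < 0:
        return "unaffected"
    if compare_versions(installed, FIXED_VERSION) >= 0:
        return "fixed"
    return "check-changelog"


def missing_fixes(changelog_text, cves=TRACKED_CVES):
    """CVE ids from `cves` that a debian/changelog text never mentions."""
    mentioned = set(re.findall(r"CVE-\d{4}-\d{4,}", changelog_text))
    return sorted(c for c in cves if c not in mentioned)


# Constructed changelog for a hypothetical precise SRU; the version
# 1:1.8.10.1~dfsg-1ubuntu2 is made up for this example, not a real upload.
SAMPLE_CHANGELOG = """\
asterisk (1:1.8.10.1~dfsg-1ubuntu2) precise-proposed; urgency=low

  * SECURITY UPDATE: cherry-pick upstream fixes (LP: #1048093)
    - CVE-2012-2186, CVE-2012-3812, CVE-2012-3863
    - AST-2012-012 fix left out: patch too disruptive for SRU

asterisk (1:1.8.10.1~dfsg-1ubuntu1) precise; urgency=low

  * Merge from Debian unstable.
"""

if __name__ == "__main__":
    for v in ("1:1.8.10.1~dfsg-1ubuntu1", "1:1.8.10.1~dfsg-1ubuntu2", "1:1.8.13.1~dfsg-1ubuntu1"):
        print(v, "->", classify(v))
    print("not in changelog:", missing_fixes(SAMPLE_CHANGELOG))
```

On a real system `dpkg --compare-versions` gives the same ordering and `dpkg-query -W -f '${Version}' asterisk` the installed version; the changelog check is the part that matters for an SRU, since both the patched and the unpatched precise builds report an upstream version below 1.8.13.1.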

[Bug 1048093] Re: Outstanding security fixes in asterisk

2012-09-09 Thread Launchpad Bug Tracker
** Branch linked: lp:~allison/ubuntu/precise/asterisk/bug-1048093-precise-sru


[Bug 1048093] Re: Outstanding security fixes in asterisk

2012-09-09 Thread Allison Randal
Yes, jtaylor made the quantal release last night.

I've linked in a branch with an SRU candidate for precise. Nominated for
precise.


[Bug 1048093] Re: Outstanding security fixes in asterisk

2012-09-09 Thread Emmet Hikory
** Also affects: asterisk (Ubuntu Precise)
   Importance: Undecided
   Status: New

** Also affects: asterisk (Ubuntu Quantal)
   Importance: Undecided
   Status: New

** Changed in: asterisk (Ubuntu Quantal)
   Status: New => Fix Released


[Bug 1048093] Re: Outstanding security fixes in asterisk

2012-09-08 Thread Allison Randal
** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2012-3863

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2012-2186

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2012-4737


[Bug 1048093] Re: Outstanding security fixes in asterisk

2012-09-08 Thread Allison Randal
** Description changed:

- Reviewing RC bugs from Debian shows 2 CVEs fixed in upstream bug-fix
- release 1.8.13.1, and 2 additional CVEs fixed in latest Debian release.
+ (Tracking some collaborative work with persia)
+ 
+ A review of RC bugs from Debian shows 4 CVEs fixed in the latest Debian
+ release. This includes 2 CVEs fixed in an upstream (bug-fix level)
+ release, and 2 fixed in Debian. Currently verifying that a merge is
+ clean and minimal, for a possible FFe.
+ 
+ Applying these fixes to Precise SRU would require cherrypicking.
+ 
+ Unknown if these CVEs affect earlier Ubuntu releases also.

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2012-3812
