Your message dated Sat, 06 Apr 2013 12:47:55 +0000
with message-id <e1uosxd-00074z...@franck.debian.org>
and subject line Bug#704114: fixed in asterisk 1:1.8.13.1~dfsg-2
has caused the Debian Bug report #704114,
regarding asterisk: asterisk security advisories: AST-2013-001 / AST-2013-002 /
AST-2013-003
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
704114: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=704114
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: asterisk
Severity: grave
Tags: security patch upstream
Hi,

the following vulnerabilities were published for asterisk.

CVE-2013-2685[0]:
Buffer Overflow Exploit Through SIP SDP Header

CVE-2013-2686[1]:
Denial of Service in HTTP server

CVE-2013-2264[2]:
Username disclosure in SIP channel driver

For CVE-2013-2685 the tracker[3] mentions only 1.11.x. Could you
double-check that squeeze, testing and wheezy are not affected?

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] http://security-tracker.debian.org/tracker/CVE-2013-2685
    http://downloads.asterisk.org/pub/security/AST-2013-001.html
[1] http://security-tracker.debian.org/tracker/CVE-2013-2686
    http://downloads.asterisk.org/pub/security/AST-2013-002.html
[2] http://security-tracker.debian.org/tracker/CVE-2013-2264
    http://downloads.asterisk.org/pub/security/AST-2013-003.html
[3] https://issues.asterisk.org/jira/browse/ASTERISK-20901

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: asterisk
Source-Version: 1:1.8.13.1~dfsg-2
We believe that the bug you reported is fixed in the latest version of
asterisk, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 704...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Tzafrir Cohen <tzaf...@debian.org> (supplier of updated asterisk package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Sat, 06 Apr 2013 14:15:41 +0300
Source: asterisk
Binary: asterisk asterisk-modules asterisk-dahdi asterisk-voicemail
 asterisk-voicemail-imapstorage asterisk-voicemail-odbcstorage asterisk-ooh323
 asterisk-mp3 asterisk-mysql asterisk-mobile asterisk-doc asterisk-dev
 asterisk-dbg asterisk-config
Architecture: source all amd64
Version: 1:1.8.13.1~dfsg-2
Distribution: unstable
Urgency: high
Maintainer: Debian VoIP Team <pkg-voip-maintain...@lists.alioth.debian.org>
Changed-By: Tzafrir Cohen <tzaf...@debian.org>
Description:
 asterisk - Open Source Private Branch Exchange (PBX)
 asterisk-config - Configuration files for Asterisk
 asterisk-dahdi - DAHDI devices support for the Asterisk PBX
 asterisk-dbg - Debugging symbols for Asterisk
 asterisk-dev - Development files for Asterisk
 asterisk-doc - Source code documentation for Asterisk
 asterisk-mobile - Bluetooth phone support for the Asterisk PBX
 asterisk-modules - loadable modules for the Asterisk PBX
 asterisk-mp3 - MP3 playback support for the Asterisk PBX
 asterisk-mysql - MySQL database protocol support for the Asterisk PBX
 asterisk-ooh323 - H.323 protocol support for the Asterisk PBX - ooH323c
 asterisk-voicemail - simple voicemail support for the Asterisk PBX
 asterisk-voicemail-imapstorage - IMAP voicemail storage support for the Asterisk PBX
 asterisk-voicemail-odbcstorage - ODBC voicemail storage support for the Asterisk PBX
Closes: 545272 614786 697230 701505 704114
Changes:
 asterisk (1:1.8.13.1~dfsg-2) unstable; urgency=high
 .
   * Patches backported from Asterisk 1.8.19.1 (Closes: #697230):
     - Patch AST-2012-014 (CVE-2012-5976) - fixes Crashes due to large stack
       allocations when using TCP.
       The following two fixes were also pulled in order to easily apply it:
       - Patch fix-sip-tcp-no-FILE - Switch to reading with a recv loop
       - Patch fix-sip-tls-leak - Memory leak in the SIP TLS code
     - Patch AST-2012-015 (CVE-2012-5977) - Denial of Service Through
       Exploitation of Device State Caching
   * Patch powerpcspe: Fix OSARCH for powerpcspe (Closes: #701505).
   * README.Debian: document running the testsuite.
   * Patch fix_xmpp_19532: fix a crash of the XMPP code (Closes: #545272).
   * Patches backported from Asterisk 1.8.20.2 (Closes: #704114):
     - Patch AST-2013-002 (CVE-2012-2686): Prevent DoS in HTTP server with
       a large POST.
     - Patch AST-2013-003 (CVE-2012-2264): Prevent username disclosure in
       SIP channel driver.
   * Patch bluetooth_bind - fix breakage of chan_mobile (Closes: #614786).
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
iEYEARECAAYFAlFgEIoACgkQxArWdkN9MoskNQCeKhYqVSoK9vwajzANRV322clg
dw0AoK3CX1VlQjzsJQ54lReRt6awxnyE
=pWhD
-----END PGP SIGNATURE-----
--- End Message ---