Your message dated Sat, 06 Apr 2013 12:47:55 +0000
with message-id <e1uosxd-00074z...@franck.debian.org>
and subject line Bug#704114: fixed in asterisk 1:1.8.13.1~dfsg-2
has caused the Debian Bug report #704114,
regarding asterisk: asterisk security advisories: AST-2013-001 / AST-2013-002 / AST-2013-003
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
704114: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=704114
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: asterisk
Severity: grave
Tags: security patch upstream

Hi,

the following vulnerabilities were published for asterisk.

CVE-2013-2685[0]:
Buffer Overflow Exploit Through SIP SDP Header

CVE-2013-2686[1]:
Denial of Service in HTTP server

CVE-2013-2264[2]:
Username disclosure in SIP channel driver

For CVE-2013-2685 the tracker[3] mentions only 1.11.x. Could you
double-check that squeeze, testing and wheezy are not affected?

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] http://security-tracker.debian.org/tracker/CVE-2013-2685
    http://downloads.asterisk.org/pub/security/AST-2013-001.html
[1] http://security-tracker.debian.org/tracker/CVE-2013-2686
    http://downloads.asterisk.org/pub/security/AST-2013-002.html
[2] http://security-tracker.debian.org/tracker/CVE-2013-2264
    http://downloads.asterisk.org/pub/security/AST-2013-003.html
[3] https://issues.asterisk.org/jira/browse/ASTERISK-20901

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: asterisk
Source-Version: 1:1.8.13.1~dfsg-2

We believe that the bug you reported is fixed in the latest version of
asterisk, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 704...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Tzafrir Cohen <tzaf...@debian.org> (supplier of updated asterisk package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sat, 06 Apr 2013 14:15:41 +0300
Source: asterisk
Binary: asterisk asterisk-modules asterisk-dahdi asterisk-voicemail asterisk-voicemail-imapstorage asterisk-voicemail-odbcstorage asterisk-ooh323 asterisk-mp3 asterisk-mysql asterisk-mobile asterisk-doc asterisk-dev asterisk-dbg asterisk-config
Architecture: source all amd64
Version: 1:1.8.13.1~dfsg-2
Distribution: unstable
Urgency: high
Maintainer: Debian VoIP Team <pkg-voip-maintain...@lists.alioth.debian.org>
Changed-By: Tzafrir Cohen <tzaf...@debian.org>
Description: 
 asterisk   - Open Source Private Branch Exchange (PBX)
 asterisk-config - Configuration files for Asterisk
 asterisk-dahdi - DAHDI devices support for the Asterisk PBX
 asterisk-dbg - Debugging symbols for Asterisk
 asterisk-dev - Development files for Asterisk
 asterisk-doc - Source code documentation for Asterisk
 asterisk-mobile - Bluetooth phone support for the Asterisk PBX
 asterisk-modules - loadable modules for the Asterisk PBX
 asterisk-mp3 - MP3 playback support for the Asterisk PBX
 asterisk-mysql - MySQL database protocol support for the Asterisk PBX
 asterisk-ooh323 - H.323 protocol support for the Asterisk PBX - ooH323c
 asterisk-voicemail - simple voicemail support for the Asterisk PBX
 asterisk-voicemail-imapstorage - IMAP voicemail storage support for the Asterisk PBX
 asterisk-voicemail-odbcstorage - ODBC voicemail storage support for the Asterisk PBX
Closes: 545272 614786 697230 701505 704114
Changes: 
 asterisk (1:1.8.13.1~dfsg-2) unstable; urgency=high
 .
   * Patches backported from Asterisk 1.8.19.1 (Closes: #697230):
     - Patch AST-2012-014 (CVE-2012-5976) - fixes Crashes due to large stack
       allocations when using TCP.
       The following two fixes were also pulled in order to easily apply it:
       - Patch fix-sip-tcp-no-FILE - Switch to reading with a recv loop
       - Patch fix-sip-tls-leak - Memory leak in the SIP TLS code
     - Patch AST-2012-015 (CVE-2012-5977) - Denial of Service Through
       Exploitation of Device State Caching
   * Patch powerpcspe: Fix OSARCH for powerpcspe (Closes: #701505).
   * README.Debian: document running the testsuite.
   * Patch fix_xmpp_19532: fix a crash of the XMPP code (Closes: #545272).
   * Patches backported from Asterisk 1.8.20.2 (Closes: #704114):
     - Patch AST-2013-002 (CVE-2012-2686): Prevent DoS in HTTP server with
       a large POST.
     - Patch AST-2013-003 (CVE-2012-2264): Prevent username disclosure in
       SIP channel driver.
   * Patch bluetooth_bind - fix breakage of chan_mobile (Closes: #614786).
Checksums-Sha1: 
Checksums-Sha256: 
Files: 

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAlFgEIoACgkQxArWdkN9MoskNQCeKhYqVSoK9vwajzANRV322clg
dw0AoK3CX1VlQjzsJQ54lReRt6awxnyE
=pWhD
-----END PGP SIGNATURE-----

--- End Message ---
