Thanks Jamie,

On Tue, Apr 28, 2009 at 5:29 PM, Jamie Strandboge <ja...@ubuntu.com>
wrote:

> Thanks for your debdiff Brian! :)  Here are some comments:
>
> 1. You have supplied two patches for CVE-2008-1897
> (debian/patches/CVE-2008-1897 and debian/patches/asterisk-CVE-2008-1897).
> Please remove asterisk-CVE-2008-1897


Bah! I didn't even see that, sorry.  That was left over from some earlier
quilt tinkering.  Will remove it straight away.


>
> 2. CVE-2008-1897 seems to be missing parts of upstream's
> http://downloads.digium.com/pub/security/AST-2008-006.html. Was the patch
> misapplied? If not, can you explain why it isn't applied?


It's been so long I'm not sure.  I'll do this one from scratch again.


>
> 3. The debian/changelog description does not conform to
> https://wiki.ubuntu.com/SecurityTeam/UpdatePreparation#Update%20the%20packaging.
> These guidelines are in place for clarity, so someone knows quickly what
> patch goes with which CVE and upstream references. Can you adjust so each
> patch has its own stanza?


OK


>
> 4. The package uses quilt, which supports comments at the top of the patch.
> Specifically, the added patches in debian/patches should use
> UbuntuDevelopment/PatchTaggingGuidelines (see
> https://wiki.ubuntu.com/SecurityTeam/UpdatePreparation#Patch)


OK


>
> 5. Our tracker (see
> http://people.ubuntu.com/~ubuntu-security/cve/universe.html#universe)
> shows that hardy asterisk is also vulnerable to CVE-2008-3903,
> CVE-2008-1923, CVE-2009-0871 and CVE-2008-1390. Were you planning to do
> updates for these as well?
>

Off the top of my head, one of these upstream hadn't fixed at the time, a
couple were basically duplicates, and I don't recall the other off the top
of my head.  Before resubmitting the debdiff, I'll also look these up again
and comment in the bug.  Yes, if they need attention, I fully plan on
handling them as well.

I'll also resubmit with the intrepid patch next time.

Thanks as always for your patience as I get accustomed to these processes,
Jamie!

-Brian

-- 
Fix vulnerabilities in channels/chan_ia2x.c
https://bugs.launchpad.net/bugs/345217
You received this bug notification because you are a member of Ubuntu
Bugs, which is a direct subscriber.

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs