[Bug 1048093] Re: Outstanding security fixes in asterisk
Allison Randal
allison at lohutok.net
Mon Sep 10 01:13:07 UTC 2012
** Description changed:
(Tracking some collaborative work with persia)
A review of RC bugs from Debian shows 4 CVEs fixed in the latest Debian
release. This includes 2 CVEs fixed in an upstream (bug-fix level)
release, and 2 fixed in Debian. Update: this Debian release has now been
merged to quantal, see LP: #1022360
- Applying these fixes to Precise SRU would require cherrypicking.
+ The patch for AST-2012-012 (CVE-2012-4737) from Debian 1:1.8.13.1~dfsg-1
+ does not apply cleanly to precise package 1:1.8.10.1~dfsg-1ubuntu1. The
+ patch modifies code already changed by AST-2012-004 and other merged
+ changes from upstream 1.4 and 1.6 series (see r314628, r363141,
+ r364841). The change is too disruptive for inclusion in precise SRU, and
+ severity is only rated as "Minor".
- All CVEs affect only 1.8.x series of asterisk, so no work is needed for
- releases earlier than precise.
+
+ Fixes for the other 3 CVEs have been cherrypicked to precise asterisk package:
+
+ [Impact]
+ DoS exploits for voice mail and re-invite transactions, ACL bypass for IAX2 peer calls.
+
+ [Test Cases]
+ Steps to reproduce each issue provided in upstream bug reports:
+ https://issues.asterisk.org/jira/browse/ASTERISK-19992
+ https://issues.asterisk.org/jira/browse/ASTERISK-20052
+ https://issues.asterisk.org/jira/browse/ASTERISK-20186
+
+ Testers will need to install both 'asterisk' and 'asterisk-voicemail'
+ packages. A simple asterisk configuration is attached to the bug report.
+
+ [Regression Potential]
+ Minimal, no known regressions in asterisk issue tracker or Debian BTS.
+
+
+ Also recommend 1:1.8.13.1~dfsg-1ubuntu1 for possible precise Backport (from quantal). It includes some feature additions and many non-critical fixes (too many to SRU the whole package), sufficient for some users to prefer the more recent version.
+
+ It is unlikely that cherrypicked patches for precise will apply cleanly
+ to oneiric, given the code drift between 1.8.4 and 1.8.10. All CVEs
+ affect only 1.8.x series of asterisk, so no work is needed for releases
+ earlier than oneiric.
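The description above turns on package version strings (the precise package 1:1.8.10.1~dfsg-1ubuntu1, the Debian package 1:1.8.13.1~dfsg-1 the AST-2012-012 patch came from). The following is an added example, not code from the bug report, Ubuntu or the asterisk project: it implements dpkg's version ordering (epoch, upstream version, Debian revision, with `~` sorting before everything including end of string) so an administrator can check whether an installed version is at or beyond a fix version. The `AST_2012_012_FIXED_IN` threshold is read from the description (the Debian package the patch was taken from); the precise version that received the three cherrypicked fixes is not stated on the page, so no threshold is given for those.

```python
"""dpkg-style version comparison for vulnerability triage (added example)."""


def _split(version):
    """Split 'epoch:upstream-revision' into (epoch:int, upstream:str, revision:str)."""
    epoch = 0
    if ':' in version:
        epoch_str, version = version.split(':', 1)
        epoch = int(epoch_str)
    upstream, sep, revision = version.rpartition('-')
    if not sep:
        upstream, revision = version, ''
    return epoch, upstream, revision


def _order(c):
    """Collation weight of one character in dpkg's non-digit comparison."""
    if c == '~':
        return -1          # '~' sorts before anything, even end of string
    if c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256    # punctuation sorts after letters


def _verrevcmp(a, b):
    """Compare two version fragments the way dpkg's verrevcmp() does."""
    ia = ib = 0
    while ia < len(a) or ib < len(b):
        first_diff = 0
        # Non-digit run: compare character weights; end-of-string weighs 0.
        while (ia < len(a) and not a[ia].isdigit()) or (ib < len(b) and not b[ib].isdigit()):
            ac = _order(a[ia]) if ia < len(a) else 0
            bc = _order(b[ib]) if ib < len(b) else 0
            if ac != bc:
                return ac - bc
            ia += 1
            ib += 1
        # Digit run: strip leading zeros, then compare numerically.
        while ia < len(a) and a[ia] == '0':
            ia += 1
        while ib < len(b) and b[ib] == '0':
            ib += 1
        while ia < len(a) and a[ia].isdigit() and ib < len(b) and b[ib].isdigit():
            if not first_diff:
                first_diff = ord(a[ia]) - ord(b[ib])
            ia += 1
            ib += 1
        if ia < len(a) and a[ia].isdigit():
            return 1       # a has more digits, so its number is larger
        if ib < len(b) and b[ib].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def _sign(n):
    return (n > 0) - (n < 0)


def compare_versions(v1, v2):
    """Return -1, 0 or 1 as v1 is older than, equal to or newer than v2."""
    e1, u1, r1 = _split(v1)
    e2, u2, r2 = _split(v2)
    if e1 != e2:
        return _sign(e1 - e2)
    c = _verrevcmp(u1, u2)
    if c:
        return _sign(c)
    return _sign(_verrevcmp(r1, r2))


# Versions taken from the bug description: the precise package the AST-2012-012
# patch did not apply to, and the Debian package the patch was taken from.
PRECISE_PACKAGE = "1:1.8.10.1~dfsg-1ubuntu1"
AST_2012_012_FIXED_IN = "1:1.8.13.1~dfsg-1"


def carries_fix(installed, fixed_in):
    """True when the installed version is at or beyond the first fixed version."""
    return compare_versions(installed, fixed_in) >= 0


def triage(installed):
    """One-line status for AST-2012-012 given an installed asterisk version string."""
    status = "patched" if carries_fix(installed, AST_2012_012_FIXED_IN) else "NOT patched"
    return f"asterisk {installed}: AST-2012-012 (CVE-2012-4737) {status}"


if __name__ == "__main__":
    # Feed this the output of: dpkg-query -W -f '${Version}' asterisk
    for v in (PRECISE_PACKAGE, AST_2012_012_FIXED_IN, "1:1.8.13.1~dfsg-1ubuntu1"):
        print(triage(v))
```

A version threshold is only meaningful within one distribution's package stream: a fix cherrypicked into a stable release arrives in a lower-numbered package than the release that first carried it upstream, which is exactly why the description tracks the precise SRU cherrypicks separately from the quantal/backport version. Use a per-release threshold (or the changelog's CVE references) rather than a single cross-release number.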
** Attachment added: "Simplistic Asterisk config for SRU testers"
https://bugs.launchpad.net/debian/+source/asterisk/+bug/1048093/+attachment/3304538/+files/simple_asterisk_config.txt
https://bugs.launchpad.net/bugs/1048093