Date | Who | What changed | Old value | New value | Message

2012-09-09 03:13:27 | Allison Randal | bug | | | added bug

2012-09-09 03:26:01 | Allison Randal | nominated for series | | Ubuntu Quantal |

2012-09-09 03:52:17 | Allison Randal | cve linked | | 2012-3863 |

2012-09-09 03:54:16 | Allison Randal | cve linked | | 2012-2186 |

2012-09-09 03:54:39 | Allison Randal | cve linked | | 2012-4737 |

2012-09-09 05:39:33 | Allison Randal | description
  Old value:
    Reviewing RC bugs from Debian shows 2 CVEs fixed in upstream bug-fix release 1.8.13.1, and 2 additional CVEs fixed in latest Debian release.
  New value:
    (Tracking some collaborative work with persia)
    A review of RC bugs from Debian shows 4 CVEs fixed in the latest Debian release. This includes 2 CVEs fixed in an upstream (bug-fix level) release, and 2 fixed in Debian. Currently verifying that a merge is clean and minimal, for a possible FFe.
    Applying these fixes to Precise SRU would require cherrypicking.
    Unknown if these CVEs affect earlier Ubuntu releases also.

2012-09-09 05:43:35 | Allison Randal | cve linked | | 2012-3812 |

2012-09-09 15:28:27 | Allison Randal | description
  Old value:
    (Tracking some collaborative work with persia)
    A review of RC bugs from Debian shows 4 CVEs fixed in the latest Debian release. This includes 2 CVEs fixed in an upstream (bug-fix level) release, and 2 fixed in Debian. Currently verifying that a merge is clean and minimal, for a possible FFe.
    Applying these fixes to Precise SRU would require cherrypicking.
    Unknown if these CVEs affect earlier Ubuntu releases also.
  New value:
    (Tracking some collaborative work with persia)
    A review of RC bugs from Debian shows 4 CVEs fixed in the latest Debian release. This includes 2 CVEs fixed in an upstream (bug-fix level) release, and 2 fixed in Debian. Update: this Debian release has now been merged to quantal, see LP: #1022360
    Applying these fixes to Precise SRU would require cherrypicking.
    All CVEs affect only 1.8.x series of asterisk, so no work is needed for releases earlier than precise.

2012-09-09 19:10:20 | Allison Randal | bug watch added | | http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=680470 |

2012-09-09 19:10:20 | Allison Randal | bug task added | | asterisk (Debian) |

2012-09-10 01:11:54 | Allison Randal | description
  Old value:
    (Tracking some collaborative work with persia)
    A review of RC bugs from Debian shows 4 CVEs fixed in the latest Debian release. This includes 2 CVEs fixed in an upstream (bug-fix level) release, and 2 fixed in Debian. Update: this Debian release has now been merged to quantal, see LP: #1022360
    Applying these fixes to Precise SRU would require cherrypicking.
    All CVEs affect only 1.8.x series of asterisk, so no work is needed for releases earlier than precise.
  New value:
    (Tracking some collaborative work with persia)
    A review of RC bugs from Debian shows 4 CVEs fixed in the latest Debian release. This includes 2 CVEs fixed in an upstream (bug-fix level) release, and 2 fixed in Debian. Update: this Debian release has now been merged to quantal, see LP: #1022360
    The patch for AST-2012-012 (CVE-2012-4737) from Debian 1:1.8.13.1~dfsg-1 does not apply cleanly to precise package 1:1.8.10.1~dfsg-1ubuntu1. The patch modifies code already changed by AST-2012-004 and other merged changes from upstream 1.4 and 1.6 series (see r314628, r363141, r364841). The change is too disruptive for inclusion in precise SRU, and severity is only rated as "Minor".
    Fixes for the other 3 CVEs have been cherrypicked to precise asterisk package:
    [Impact]
    DoS exploits for voice mail and re-invite transactions, ACL bypass for IAX2 peer calls.
    [Test Cases]
    Steps to reproduce each issue provided in upstream bug reports:
    https://issues.asterisk.org/jira/browse/ASTERISK-19992
    https://issues.asterisk.org/jira/browse/ASTERISK-20052
    https://issues.asterisk.org/jira/browse/ASTERISK-20186
    Testers will need to install both 'asterisk' and 'asterisk-voicemail' packages. A simple asterisk configuration is attached to the bug report.
    [Regression Potential]
    Minimal, no known regressions in asterisk issue tracker or Debian BTS.
    Also recommend 1:1.8.13.1~dfsg-1ubuntu1 for possible precise Backport (from quantal). It includes some feature additions and many non-critical fixes (too many to SRU the whole package), sufficient for some users to prefer the more recent version.
    It is unlikely that cherrypicked patches for precise will apply cleanly to oneiric, given the code drift between 1.8.4 and 1.8.10. All CVEs affect only 1.8.x series of asterisk, so no work is needed for releases earlier than oneiric.

2012-09-10 01:13:07 | Allison Randal | attachment added | | Simplistic Asterisk config for SRU testers https://bugs.launchpad.net/debian/+source/asterisk/+bug/1048093/+attachment/3304538/+files/simple_asterisk_config.txt |

2012-09-10 01:20:09 | Launchpad Janitor | branch linked | | lp:~allison/ubuntu/precise/asterisk/bug-1048093-precise-sru |

2012-09-10 01:30:02 | Allison Randal | bug | | | added subscriber Julian Taylor

2012-09-10 01:38:04 | Allison Randal | nominated for series | | Ubuntu Precise |

2012-09-10 01:41:32 | Emmet Hikory | bug task added | | asterisk (Ubuntu Precise) |

2012-09-10 01:42:02 | Emmet Hikory | bug task added | | asterisk (Ubuntu Quantal) |

2012-09-10 01:42:17 | Emmet Hikory | asterisk (Ubuntu Quantal): status | New | Fix Released |

2012-09-10 18:09:02 | Bug Watch Updater | asterisk (Debian): status | Unknown | Fix Released |

2021-10-14 01:39:58 | Steve Langasek | asterisk (Ubuntu Precise): status | New | Won't Fix |