Comment 4 for bug 345217

Jamie Strandboge (jdstrand) wrote:

Thanks for your debdiff Brian! :) Here are some comments:

1. You have supplied two patches for CVE-2008-1897 (debian/patches/CVE-2008-1897 and debian/patches/asterisk-CVE-2008-1897). Please remove asterisk-CVE-2008-1897.
2. CVE-2008-1897 seems to be missing parts of upstream's http://downloads.digium.com/pub/security/AST-2008-006.html. Was the patch misapplied? If not, can you explain why it isn't applied?
3. The debian/changelog description does not conform to https://wiki.ubuntu.com/SecurityTeam/UpdatePreparation#Update%20the%20packaging. These guidelines are in place for clarity, so someone knows quickly what patch goes with which CVE and upstream references. Can you adjust so each patch has its own stanza?
4. The package uses quilt, which supports comments at the top of the patch. Specifically, the added patches in debian/patches should use UbuntuDevelopment/PatchTaggingGuidelines (see https://wiki.ubuntu.com/SecurityTeam/UpdatePreparation#Patch).
5. Our tracker (see http://people.ubuntu.com/~ubuntu-security/cve/universe.html#universe) shows that hardy asterisk is also vulnerable to CVE-2008-3903, CVE-2008-1923, CVE-2009-0871 and CVE-2008-1390. Were you planning to do updates for these as well?

I have marked the Hardy task back to 'Triaged' as per https://wiki.ubuntu.com/SecurityTeam/BugTriage#Status. Please mark back to 'In Progress' when resubmitting your patch. Thanks for your time in preparing these. Asterisk needs some love! :)