Outstanding security fixes in asterisk
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
asterisk (Debian) | Fix Released | Unknown | |
asterisk (Ubuntu) | Fix Released | Undecided | Unassigned |
Precise | Won't Fix | Undecided | Unassigned |
Quantal | Fix Released | Undecided | Unassigned |
Bug Description
(Tracking some collaborative work with persia)
A review of RC bugs from Debian shows 4 CVEs fixed in the latest Debian release. This includes 2 CVEs fixed in an upstream (bug-fix level) release, and 2 fixed in Debian. Update: this Debian release has now been merged to quantal, see LP: #1022360
The patch for AST-2012-012 (CVE-2012-4737) from Debian 1:1.8.13.1~dfsg-1 does not apply cleanly to precise package 1:1.8.10.
Fixes for the other 3 CVEs have been cherry-picked to the precise asterisk package:
[Impact]
DoS exploits for voice mail and re-invite transactions, ACL bypass for IAX2 peer calls.
[Test Cases]
Steps to reproduce each issue provided in upstream bug reports:
https:/
https:/
https:/
Testers will need to install both 'asterisk' and 'asterisk-
[Regression Potential]
Minimal, no known regressions in asterisk issue tracker or Debian BTS.
Also recommend 1:1.8.13.
It is unlikely that cherry-picked patches for precise will apply cleanly to oneiric, given the code drift between 1.8.4 and 1.8.10. All CVEs affect only the 1.8.x series of asterisk, so no work is needed for releases earlier than oneiric.
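The "does not apply cleanly" problem described above (the AST-2012-012 patch from 1:1.8.13.1~dfsg-1 against the precise 1:1.8.10 source) comes down to a hunk's context and removed lines no longer matching the target after code drift. The following is an added example, not code from this bug report, Asterisk, Debian or Ubuntu: a minimal dry-run checker for unified-diff hunks, run against a constructed patch and two constructed source snippets. The file and function names (chan_demo.c, handle_peer, route_call, acl_permits, get_peer) are made up for the illustration.

```python
import re

# Added example, not Asterisk/Debian/Ubuntu code: a minimal "does this patch
# apply cleanly?" dry-run that checks each unified-diff hunk's context and
# removed lines against the target file at the hunk's stated old offset.
# No fuzz, no offset search, no file-name handling: deliberately stricter
# than GNU patch, so any drift at all is reported.

HUNK_RE = re.compile(r"^@@ -(\d+)(?:,(\d+))? \+(\d+)(?:,(\d+))? @@")


def parse_hunks(patch_text):
    """Return [(old_start, expected_old_lines), ...] for every hunk.

    expected_old_lines are the ' ' context and '-' removed lines, i.e. what
    the hunk expects to find in the unpatched file; '+' lines are skipped.
    """
    hunks = []
    current = None
    for line in patch_text.splitlines():
        m = HUNK_RE.match(line)
        if m:
            current = (int(m.group(1)), [])
            hunks.append(current)
        elif current is None:
            continue  # '--- a/x' / '+++ b/x' headers before the first hunk
        elif line.startswith("+") or line.startswith("\\"):
            continue  # added line, or "\ No newline at end of file"
        elif line.startswith(("-", " ")):
            current[1].append(line[1:])
        elif line == "":
            current[1].append("")  # blank context line, leading space stripped
    return hunks


def check_hunks(patch_text, target_text):
    """Dry run: one bool per hunk, True if the hunk's expected lines occur
    verbatim at old_start (1-based) in target_text."""
    target = target_text.splitlines()
    results = []
    for old_start, expected in parse_hunks(patch_text):
        idx = old_start - 1
        results.append(target[idx:idx + len(expected)] == expected)
    return results


def applies_cleanly(patch_text, target_text):
    """True only when every hunk matches; mirrors a clean 'patch --dry-run'."""
    return all(check_hunks(patch_text, target_text))


# Constructed sample data standing in for a Debian patch and two source
# trees: NEW_SOURCE is the tree the patch was written against, OLD_SOURCE an
# older tree where one line has drifted (hypothetical names throughout).
PATCH = """\
--- a/chan_demo.c
+++ b/chan_demo.c
@@ -3,4 +3,6 @@
 static int handle_peer(struct peer *p)
 {
+    if (!acl_permits(p))
+        return -1;
     return route_call(p);
 }
@@ -10,2 +12,2 @@
-    return handle_peer(NULL);
+    return handle_peer(get_peer());
 }
"""

NEW_SOURCE = """\
#include "demo.h"

static int handle_peer(struct peer *p)
{
    return route_call(p);
}

int main(void)
{
    return handle_peer(NULL);
}
"""

# Same file in the older tree: the call inside handle_peer has a different
# name, so hunk 1's context no longer matches while hunk 2 still does.
OLD_SOURCE = NEW_SOURCE.replace("return route_call(p);",
                                "return route_call_legacy(p);")

if __name__ == "__main__":
    for label, src in (("new tree", NEW_SOURCE), ("old tree", OLD_SOURCE)):
        per_hunk = check_hunks(PATCH, src)
        status = "applies cleanly" if all(per_hunk) else "FAILS"
        print(f"{label}: {status}; per hunk: {per_hunk}")
```

Against the new tree both hunks match; against the old tree hunk 1 fails and hunk 2 still applies, which is the usual shape of a backport: the hunks that fail are the ones to rewrite by hand against the older code. For a real package the equivalent check is `patch -p1 --dry-run < fix.patch` in the unpacked source, or `quilt push` in a quilt-managed Debian package, both of which additionally try fuzz and offset matching before giving up.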
- description: updated
- description: updated
- Changed in asterisk (Ubuntu Quantal): status: New → Fix Released
- Changed in asterisk (Debian): status: Unknown → Fix Released
Hey, I believe these are fixed in Quantal, but Precise should be nominated?