Home | Docs | Forums | Lists | Bugs | Planet | Store | GMN | Get Gentoo!
Not eligible to see or edit group visibility for this bug.
View Bug Activity | Format For Printing | XML | Clone This Bug
"This release contains a number of bug fixes, including a fix for a recently discovered security vulnerability. All Asterisk 1.2 users are urged to update to this release as soon as possible." Similar story for the asterisk 1.4 branch, please update to 1.4.1 there.
stkn/voip-herd, please provide an updated ebuild
asterisk 1.0.12 is also vulnerable but not supported upstream. i will patch in our cvs shortly.
*** Bug 169681 has been marked as a duplicate of this bug. ***
net-misc/asterisk-1.0.12-r1 with ported patch in cvs as ~x86 and ~ppc. x86 team: please test and mark stable (or drop me an email and i will do it). older 1.0.12 version is ~ppc also so nothing to be done there. fyi, vulnerability notice: http://labs.musecurity.com/advisories/MU-200703-01.txt
Just as a reminder, 1.2.* needs to be fixed too Secunia says 1.2.16 fixes that vulnerability Secunia: http://secunia.com/advisories/24380/
rajiv, please bump 1.2.* too, so we can stabilize both.
Rajiv just handles the 1.0 branch. I can handle 1.2 but i'm waiting for a newer upstream (http://www.junghanns.net/downloads/) BRIstuff patch since PRE-1y isn't 1.2.16-friendly. Otherwise we could just try to patch the offending code in asterisk and do a revbump.
(In reply to comment #7) > Rajiv just handles the 1.0 branch. > I can handle 1.2 but i'm waiting for a newer upstream > (http://www.junghanns.net/downloads/) BRIstuff patch since PRE-1y isn't > 1.2.16-friendly. > Otherwise we could just try to patch the offending code in asterisk and do a > revbump. Maybe the best solution if you can't tell how long the newer patch may take to be provided.
Debian appears to have a BRIstuff PRE-1x patch for 1.2.16 if it's any help. Otherwise just a simple patch similar to the one for 1.0 branch would be fine.
fyi the original patch for 1.2.x and 1.4.x is available at http://svn.digium.com/view/asterisk?rev=57478&view=rev
Actually it's r57475 for asterisk-1.2 (r57478 is for 1.4). Committed in asterisk-1.2.14-r1. Will need =net-libs/libpri-1.2.4-r1 and =net-misc/zaptel-1.2.12-r1 stable with this too to match BRIstuff. sparc stable btw.
Thanks Gustavo. x86 please test and mark stable: net-misc/asterisk-1.2.14-r1 net-libs/libpri-1.2.4-r1 net-misc/zaptel-1.2.12-r1
(In reply to comment #12) > Thanks Gustavo. > > x86 please test and mark stable: > net-misc/asterisk-1.2.14-r1 > net-libs/libpri-1.2.4-r1 > net-misc/zaptel-1.2.12-r1 And 1.0.12-r1, too. Done.
I vote yes for that VoIP platform for which disponibility is important.
Let's have a GLSA on this one. GLSA drafted and ready for review.
GLSA 200703-14
