169616 2007-03-06 13:43 0000 net-misc/asterisk: SIP DoS vulnerability (CVE-2007-1306) 2007-03-17 06:51:34 0000 1 1 1 Unclassified Gentoo Security Vulnerabilities unspecified All Linux RESOLVED FIXED http://asterisk.org/node/48319 B3 [glsa] jaervosz P2 minor --- 1 chainsaw@gentoo.org security@gentoo.org bernd@linx.net rajiv@gentoo.org voip@gentoo.org chainsaw@gentoo.org 2007-03-06 13:43:47 0000 "This release contains a number of bug fixes, including a fix for a recently discovered security vulnerability. All Asterisk 1.2 users are urged to update to this release as soon as possible." Similar story for the asterisk 1.4 branch, please update to 1.4.1 there. vorlon@gentoo.org 2007-03-06 14:17:22 0000 stkn/voip-herd, please provide an updated ebuild rajiv@gentoo.org 2007-03-06 16:58:36 0000 asterisk 1.0.12 is also vulnerable but not supported upstream. i will patch in our cvs shortly. jaervosz@gentoo.org 2007-03-06 22:58:10 0000 *** Bug 169681 has been marked as a duplicate of this bug. *** rajiv@gentoo.org 2007-03-09 20:30:03 0000 net-misc/asterisk-1.0.12-r1 with ported patch in cvs as ~x86 and ~ppc. x86 team: please test and mark stable (or drop me an email and i will do it). older 1.0.12 version is ~ppc also so nothing to be done there. fyi, vulnerability notice: http://labs.musecurity.com/advisories/MU-200703-01.txt falco@gentoo.org 2007-03-09 21:14:29 0000 Just as a reminder, 1.2.* needs to be fixed too Secunia says 1.2.16 fixes that vulnerability Secunia: http://secunia.com/advisories/24380/ armin76@gentoo.org 2007-03-10 14:13:05 0000 rajiv, please bump 1.2.* too, so we can stabilize both. gustavoz@gentoo.org 2007-03-12 19:12:34 0000 Rajiv just handles the 1.0 branch. I can handle 1.2 but i'm waiting for a newer upstream (http://www.junghanns.net/downloads/) BRIstuff patch since PRE-1y isn't 1.2.16-friendly. Otherwise we could just try to patch the offending code in asterisk and do a revbump. fauli@gentoo.org 2007-03-12 19:29:19 0000 (In reply to comment #7) > Rajiv just handles the 1.0 branch. > I can handle 1.2 but i'm waiting for a newer upstream > (http://www.junghanns.net/downloads/) BRIstuff patch since PRE-1y isn't > 1.2.16-friendly. > Otherwise we could just try to patch the offending code in asterisk and do a > revbump. Maybe the best solution if you can't tell how long the newer patch may take to be provided. jaervosz@gentoo.org 2007-03-12 20:34:55 0000 Debian appears to have a BRIstuff PRE-1x patch for 1.2.16 if it's any help. Otherwise just a simple patch similar to the one for 1.0 branch would be fine. rajiv@gentoo.org 2007-03-12 21:10:17 0000 fyi the original patch for 1.2.x and 1.4.x is available at http://svn.digium.com/view/asterisk?rev=57478&view=rev gustavoz@gentoo.org 2007-03-13 18:41:15 0000 Actually it's r57475 for asterisk-1.2 (r57478 is for 1.4). Committed in asterisk-1.2.14-r1. Will need =net-libs/libpri-1.2.4-r1 and =net-misc/zaptel-1.2.12-r1 stable with this too to match BRIstuff. sparc stable btw. jaervosz@gentoo.org 2007-03-13 19:40:59 0000 Thanks Gustavo. x86 please test and mark stable: net-misc/asterisk-1.2.14-r1 net-libs/libpri-1.2.4-r1 net-misc/zaptel-1.2.12-r1 fauli@gentoo.org 2007-03-13 19:58:09 0000 (In reply to comment #12) > Thanks Gustavo. > > x86 please test and mark stable: > net-misc/asterisk-1.2.14-r1 > net-libs/libpri-1.2.4-r1 > net-misc/zaptel-1.2.12-r1 And 1.0.12-r1, too. Done. falco@gentoo.org 2007-03-15 22:10:44 0000 I vote yes for that VoIP platform for which disponibility is important. jaervosz@gentoo.org 2007-03-16 08:00:18 0000 Let's have a GLSA on this one. GLSA drafted and ready for review. falco@gentoo.org 2007-03-17 06:51:34 0000 GLSA 200703-14