[Bug 345217] Re: Fix vulnerabilities in channels/chan_ia2x.c

Jamie Strandboge jamie at ubuntu.com
Tue Apr 28 21:29:51 UTC 2009


Thanks for your debdiff Brian! :)  Here are some comments:

1. You have supplied two patches for CVE-2008-1897 (debian/patches/CVE-2008-1897 and debian/patches/asterisk-CVE-2008-1897). Please remove asterisk-CVE-2008-1897.
2. CVE-2008-1897 seems to be missing parts of upstream's http://downloads.digium.com/pub/security/AST-2008-006.html. Was the patch misapplied? If not, can you explain why it isn't applied?
3. The debian/changelog description does not conform to https://wiki.ubuntu.com/SecurityTeam/UpdatePreparation#Update%20the%20packaging. These guidelines are in place for clarity, so someone knows quickly what patch goes with which CVE and upstream references. Can you adjust so each patch has its own stanza?
4. The package uses quilt, which supports comments at the top of the patch. Specifically, the added patches in debian/patches should use UbuntuDevelopment/PatchTaggingGuidelines (see https://wiki.ubuntu.com/SecurityTeam/UpdatePreparation#Patch).
5. Our tracker (see http://people.ubuntu.com/~ubuntu-security/cve/universe.html#universe) shows that hardy asterisk is also vulnerable to CVE-2008-3903, CVE-2008-1923, CVE-2009-0871 and CVE-2008-1390. Were you planning to do updates for these as well?

I have marked the Hardy task back to 'Triaged' as per
https://wiki.ubuntu.com/SecurityTeam/BugTriage#Status. Please mark back
to 'In Progress' when resubmitting your patch. Thanks for your time in
preparing these. Asterisk needs some love! :)

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2008-1390

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2008-1923

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2008-3903

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2009-0871

** Changed in: asterisk (Ubuntu Hardy)
       Status: In Progress => Triaged

-- 
Fix vulnerabilities in channels/chan_ia2x.c
https://bugs.launchpad.net/bugs/345217