[asterisk] several vulnerabilities

CVE-2008-1390 and CVE-2008-1289 also apply. I'm fixing these in Hardy now. Please don't report the same CVE twice, as it stuffs up tracking if it's already fixed in Hardy, when the rest of the CVEs aren't.

Also, please subscribe motu-swat to universe and multiverse security bugs in future, or we're not notified.

I've extracted patches for all but -1390 from 1.14.18.1.

-1390 is much less important, and a patch isn't readily available, so it can be tracked in a different bug.

Originally this bug report was intended mainly for CVE-2008-1332 and CVE-2008-1333, which I both added as CVE references. I only mentioned CVE-2007-6430 because it's in DSA-1525-1, but wrote that it's been handled in Bug#199118 and therefore didn't add a CVE reference to this bug report.

Also, I thought that Launchpad by itself adds MOTU to subscribers for packages from universe and multiverse? As far as I remeber it did so in the not so distant past (very sane feature).

Shh, don't mention ***-****-6430 again, as Launchpad seems to be very sensitive and decides to readd it every time it's mentioned, even if it has already been manually removed.

With regard to the implicit subscriptions: that has never been the case. The bugmail would be absolutely insane.

However, we're hoping that motu-swat will be automatically subscribed to universe/multiverse security bugs in the not too distant future. Until then, please manually subscribe us.

Ah yes, now that you've mentioned it, I've also sometimes stumbled on Launpad's automacially adding of CVEs in comments. Nice meant, but seemingly sometimes very insane feature ;-)

Okay, will keep in mind to manually add MOTU SWAT to related bug reports, though I'd bet something on it that I've seen MOTU having been added to "Also notified:" in the past. Weird.

This bug was fixed in the package asterisk - 1:1.4.17~dfsg-2ubuntu1

---------------
asterisk (1:1.4.17~dfsg-2ubuntu1) hardy; urgency=low

  * SECURITY UPDATE: arbitrary code execution and authentication bypass.
    (LP: #210124)
    - debian/patches/CVE-2008-1289: Check that incoming RTP payloads are
      within buffer limits. Patch from Debian.
    - debian/patches/CVE-2008-1332: Ensure that allowguest has been enabled
      before deciding that authentication isn't required. Patch from Debian.
    - debian/patches/CVE-2008-1333: Interpret logging output as a character
      string, not a format string. Patch from Debian.
    - References:
      + CVE-2008-1289
      + CVE-2008-1332
      + CVE-2008-1333
      + AST-2008-002
      + AST-2008-003
      + AST-2008-004
  * Modify Maintainer value to match the DebianMaintainerField
    specification.

 -- William Grant <email address hidden> Sat, 05 Apr 2008 11:32:12 +1100

Ubuntu Edgy Eft is no longer supported, so a SRU will not be issued for this release. Marking Edgy as Won't Fix.

Ubuntu Feisty Fawn is no longer supported, so a SRU will not be issued for this release. Marking Feisty as Won't Fix.

The 18 month support period for Gutsy Gibbon 7.10 has reached its end of life -
http://www.ubuntu.com/news/ubuntu-7.10-eol . As a result, we are closing the
Gutsy task.

Thank you for reporting this bug to Ubuntu. dapper has reached EOL
(End of Life) and is no longer supported. As a result, this bug
against dapper is being marked "Won't Fix". Please see
https://wiki.ubuntu.com/Releases for currently supported Ubuntu
releases.

Please feel free to report any other bugs you may find.