Thanks Jamie,

On Tue, Apr 28, 2009 at 5:29 PM, Jamie Strandboge <email address hidden> wrote:
> Thanks for your debdiff Brian! :) Here are some comments:
>
> 1. You have supplied two patches for CVE-2008-1897
> (debian/patches/CVE-2008-1897 and debian/patches/asterisk-CVE-2008-1897).
> Please remove asterisk-CVE-2008-1897
Bah! I didn't even see that, sorry. That was left over from some earlier
quilt tinkering. Will remove it straight away.
>
> 2. CVE-2008-1897 seems to be missing parts of upstream's
> http://downloads.digium.com/pub/security/AST-2008-006.html. Was the patch
> misapplied? If not, can you explain why it isn't applied?
It's been so long I'm not sure. I'll do this one from scratch again.
>
> 3. The debian/changelog description does not conform to
> https://wiki.ubuntu.com/SecurityTeam/UpdatePreparation#Update%20the%20packaging.
> These guidelines are in place for clarity, so someone knows quickly what
> patch goes with which CVE and upstream references. Can you adjust so each
> patch has its own stanza?
OK
>
> 4. The package uses quilt, which supports comments at the top of the patch.
> Specifically, the added patches in debian/patches should use
> UbuntuDevelopment/PatchTaggingGuidelines (see
> https://wiki.ubuntu.com/SecurityTeam/UpdatePreparation#Patch)
OK
>
> 5. Our tracker (see
> http://people.ubuntu.com/~ubuntu-security/cve/universe.html#universe)
> shows that hardy asterisk is also vulnerable to CVE-2008-3903,
> CVE-2008-1923, CVE-2009-0871 and CVE-2008-1390. Were you planning to do
> updates for these as well?
>
Off the top of my head, one of these upstream hadn't fixed at the time, a
couple were basically duplicates, and I don't recall the other off the top
of my head. Before resubmitting the debdiff, I'll also look these up again
and comment in the bug. Yes, if they need attention, I fully plan on
handling them as well.

I'll also resubmit with the intrepid patch next time.

Thanks as always for your patience as I get accustomed to these processes
Jamie!

-Brian