Bug#704829: unblock: asterisk/1:1.8.13.1~dfsg-2
On Mon, Apr 08, 2013 at 09:13:43PM +0100, Adam D. Barratt wrote:
> On Sat, 2013-04-06 at 16:39 +0300, Tzafrir Cohen wrote:
> > Please unblock package asterisk. It includes a number of fixes, mostly
> > two series of security fixes.
>
> It includes a number of things that don't meet the published criteria,
> which is far from ideal for an urgency=high upload at this point in the
> freeze.
>
> > The extra bug fixes are:
> >
> > 1. A simple fix to add support for powerpcspe
>
> Architecture support isn't freeze material to begin with. Support for
> architectures not even in Debian even more so. (I realise it's a tiny
> patch; that's not really the point.)
I would not have included it if that patch were not trivial. But if it's
really an issue, I'll drop it (from the series file).
>
> > + * Patches backported from Asterisk 1.8.19.1 (Closes: #697230):
> > + - Patch AST-2012-014 (CVE-2012-5976) - fixes Crashes due to large stack
> > + allocations when using TCP.
> > + The following two fixes were also pulled in order to easily apply it:
> > + - Patch fix-sip-tcp-no-FILE - Switch to reading with a recv loop
>
> That patch is more than 30% of the diff on its own. :-(
>
> How difficult would it have been to backport the fix to the code we have
> in wheezy?
Looking into that.
>
> > + - Patch fix-sip-tls-leak - Memory leak in the SIP TLS code
> > + - Patch AST-2012-015 (CVE-2012-5977) - Denial of Service Through
> > + Exploitation of Device State Caching
> > + * Patch powerpcspe: Fix OSARCH for powerpcspe (Closes: #701505).
> > + * README.Debian: document running the testsuite.
>
> Helpful as it might be, that could definitely have waited.
Huh? Are there actually problems with documentation-only changes?
Right. I'll drop those. But yeah, the ability to run tests made me more
confident in releasing this. Documenting what tests passed is useful.
Though I could do that elsewhere.
>
> > + * Patch fix_xmpp_19532: fix a crash of the XMPP code (Closes: #545272).
>
> And that seems more like it might be stable update material now.
Sorry, I didn't follow: is that good?
--
Tzafrir Cohen | tzafrir@jabber.org | VIM is
http://tzafrir.org.il | | a Mutt's
tzafrir@cohens.org.il | | best
tzafrir@debian.org | | friend