Re: testing asterisk for Wheezy LTS



On 2016-05-17 14:01:24, Thorsten Alteholz wrote:
> Hi Antoine,
>
> On Tue, 17 May 2016, Antoine Beaupré wrote:
>> Both are what seem to be serious enough DOS attacks, and are not marked
>> no-dsa or anything. You are still assigned the package in dla-needed.txt
>> so for now I'll assume you will complete the work, but please do update
>> the status correctly next time, or let us know of what the next steps
>> are.
>
> I am not sure that I understand you. Can you please explain where there 
> has been an incorrect status?

Hmm... Well, maybe I'm confused. Let me share what I know.

You recently published an Asterisk package to solve security issues in
Debian LTS. I am referring to version 1.8.13.1~dfsg1-3+deb7u4, uploaded
and announced here:

https://tracker.debian.org/news/765813

There was also a DLA released, two weeks ago:

https://security-tracker.debian.org/tracker/DLA-455-1
https://lists.debian.org/debian-lts-announce/2016/05/msg00005.html

This release fixed CVEs CVE-2014-2286, CVE-2014-4046, CVE-2014-6610,
CVE-2014-8412, CVE-2014-8418 and CVE-2015-3008.

However, there are still two more CVEs open in the tracker:

https://security-tracker.debian.org/tracker/source-package/asterisk

That is:

https://security-tracker.debian.org/tracker/CVE-2014-4047

and:

https://security-tracker.debian.org/tracker/CVE-2014-2287

Those issues should have been fixed in the same upload, in my opinion,
unless they came up during the last two weeks. I suspect they were
already present because the CVE number dates the CVE back to 2014.

Hence my first question: Could you clarify why CVE-2014-4047 and
CVE-2014-2287 were not included in this upload?

The comment regarding the status was that, since the CVEs were not
marked as resolved, they should have been marked <no-dsa> (if you
considered them minor enough to not warrant an upload) or you should
have removed yourself from the "asterisk" line in dla-needed.txt so that
others know you are not working on it anymore.

I hope that clarifies my comments! Let me know if you need further
clarification.

A.

-- 
Omnis enim ex infirmitate feritas est.
All cruelty springs from weakness.
                         - Lucius Annaeus Seneca (58 AD)