
Bug#704829: unblock: asterisk/1:1.8.13.1~dfsg-2



On Mon, 2013-04-08 at 22:56 +0200, Tzafrir Cohen wrote:
> On Mon, Apr 08, 2013 at 09:13:43PM +0100, Adam D. Barratt wrote:
> > On Sat, 2013-04-06 at 16:39 +0300, Tzafrir Cohen wrote:
> > > Please unblock package asterisk. It includes a number of fixes, mostly
> > > two series of security fixes.
[...]
> > > +  * Patches backported from Asterisk 1.8.19.1 (Closes: #697230):
> > > +    - Patch AST-2012-014 (CVE-2012-5976) - fixes Crashes due to large stack
> > > +      allocations when using TCP.
> > > +      The following two fixes were also pulled in order to easily apply it:
> > > +      - Patch fix-sip-tcp-no-FILE - Switch to reading with a recv loop
> > 
> > That patch is more than 30% of the diff on its own. :-(
> > 
> > How difficult would it have been to backport the fix to the code we have
> > in wheezy?
> 
> Looking into that.

Thanks. If the answer is that it's non-trivial then it may be worth
considering whether we should let the package spend a few more days in
unstable (depending on how urgently the security team believe we need
the fixes in wheezy).

> > > +  * README.Debian: document running the testsuite. 
> > 
> > Helpful as it might be, that could definitely have waited.
> 
> Huh? Are there actually problems with documentation-only changes?

Well, they're not "the absolute minimum patches that fix RC bugs", as
per http://lists.debian.org/debian-devel-announce/2013/03/msg00009.html
We've intentionally been tightening the criteria as we go along. With
the RC count at the point it is currently, we're trying to concentrate
resources on getting the remaining bugs fixed, which is easier to do
when the diff just contains those fixes.

It's not worth a re-upload just to not include them though.

> > > +  * Patch fix_xmpp_19532: fix a crash of the XMPP code (Closes: #545272).
> > 
> > And that seems more like it might be stable update material now.
> 
> Sorry, I didn't follow: is that good?

It depends on your definition. :-) As it's not an RC bug, I was
suggesting it may be worth fixing after the release rather than now.

Regards,

Adam

