[asterisk-dev] Asterisk 1.8.15-cert7, 1.8.28.2, 11.6-cert4, 11.10.2, 12.3.2 Now Available (Security/Regression Release)

Matthew Jordan mjordan at digium.com
Fri Jun 13 01:57:25 CDT 2014


On Fri, Jun 13, 2014 at 1:50 AM, Timo Teras <timo.teras at iki.fi> wrote:

> On 13 Jun 2014 01:39 -0500
> Asterisk Development Team <asteriskteam at digium.com> wrote:
>
> > The Asterisk Development Team has announced security releases for
> > Certified Asterisk 1.8.15, 11.6, and Asterisk 1.8, 11, and 12. The
> > available security releases are released as versions 1.8.15-cert7,
> > 11.6-cert4, 1.8.28.2, 11.10.2, and 12.3.2.
> >
> > These releases are available for immediate download at
> > http://downloads.asterisk.org/pub/telephony/asterisk/releases
> >
> > For a full list of changes in the current releases, please see the
> > ChangeLogs:
> >
> > http://downloads.asterisk.org/pub/telephony/certified-asterisk/releases/ChangeLog-1.8.15-cert7
> > http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-1.8.28.2
> > http://downloads.asterisk.org/pub/telephony/certified-asterisk/releases/ChangeLog-11.6-cert4
> > http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-11.10.2
> > http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-12.3.2
>
> Seems that the patch at:
>
> http://downloads.asterisk.org/pub/telephony/asterisk/releases/asterisk-12.3.2-patch.gz
>
> is cumulative, as in it applies to 12.3.0, and not incremental, applying
> to 12.3.1. I think they used to be incremental. Is this a change in how
> the security patches will be shipped in future, or an accident?
>

In this case, that is not an accident.

The regression was so serious that applying the patch for 12.3.1 by itself
is "bad". My concern when making this (and we just finished this up after
scrambling for the entire day, once we realized what happened) was two
scenarios:
(1) Someone would apply only the patch for 12.3.1, and end up with a
crippling regression
(2) Someone would casually read the security release announcement, only
apply the patch for 12.3.2, and end up with a vulnerable system.

With this case - where 12.3.2 contains the full delta between itself and
12.3.0, the worst that happens is you get the 'previously applied patch
warning', and only if you applied the patch for 12.3.1 in the very short
time that it was alive. That stinks, but feels like the best path forward
through a bad situation.

Thus: consider 12.3.2 as a complete replacement for 12.3.1. If I could
remove all traces of 12.3.1 (and its companions), I would. Alas, that's ...
really hard ... so it is what it is.

Sorry for the confusion -

Matt

-- 
Matthew Jordan
Digium, Inc. | Engineering Manager
445 Jan Davis Drive NW - Huntsville, AL 35806 - USA
Check us out at: http://digium.com & http://asterisk.org
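The situation Matt describes (a cumulative 12.3.0 -> 12.3.2 patch meeting a tree that already carries the 12.3.1 patch) is easiest to see with a per-hunk dry run. What follows is an added illustration, not code from this thread or from the Asterisk project: the file names, the C snippets and the patch contents are constructed stand-ins, and the checker is a deliberately simplified model of what `patch --dry-run -N` reports rather than a replacement for it.

```python
# Per-hunk dry run of a cumulative security patch (constructed example): each hunk
# of a unified diff is reported as "applies", "already applied" (GNU patch's "reversed
# or previously applied") or "conflict". Offsets are ignored; text is searched anywhere.
# Constructed stand-in for a 12.3.0 tree: the two files the patch touches.
TREE_12_3_0 = {
    "channel.c": """\
static int read_header(struct frame *f, const char *src, size_t len)
{
    memcpy(f->header, src, len);
}
""",
    "parser.c": """\
int parse_line(const char *line)
{
    if (!line) {
        return -1;
    }
    return tokenize(line);
}
""",
}
# Constructed 12.3.1 tree: channel.c has the bounds check; parser.c has a regressed change.
TREE_12_3_1 = {
    "channel.c": TREE_12_3_0["channel.c"].replace(
        "    memcpy(", "    if (len > sizeof(f->header)) {\n        return -1;\n    }\n    memcpy("),
    "parser.c": TREE_12_3_0["parser.c"].replace("if (!line) {", "if (!line || strlen(line) > 0) {"),
}
# Constructed cumulative patch 12.3.0 -> 12.3.2: the same security fix plus the corrected change.
PATCH_12_3_2 = """\
--- a/channel.c
+++ b/channel.c
@@ -1,4 +1,7 @@
 static int read_header(struct frame *f, const char *src, size_t len)
 {
+    if (len > sizeof(f->header)) {
+        return -1;
+    }
     memcpy(f->header, src, len);
 }
--- a/parser.c
+++ b/parser.c
@@ -1,7 +1,7 @@
 int parse_line(const char *line)
 {
-    if (!line) {
+    if (!line || strlen(line) > MAX_LINE) {
         return -1;
     }
     return tokenize(line);
 }
"""
def parse_patch(text):
    """Parse a unified diff into {path: [hunk, ...]}; a hunk is its raw lines."""
    files, hunks, hunk = {}, None, None
    for line in text.splitlines():
        if line.startswith("--- "):        # old-file header (a removed "-- x" line would
            hunk = None                    # look the same; rare enough to ignore here)
        elif line.startswith("+++ "):      # new-file header names the target path
            path = line[4:].split("\t")[0]
            hunks = files.setdefault(path[2:] if path.startswith("b/") else path, [])
        elif line.startswith("@@ "):       # hunk header; offsets deliberately unused
            hunk = []
            hunks.append(hunk)
        elif hunk is not None and line[:1] in (" ", "+", "-"):
            hunk.append(line)
    return files

def hunk_sides(hunk):  # (text the hunk expects: context + removed, text it leaves: context + added)
    return [l[1:] for l in hunk if l[0] in " -"], [l[1:] for l in hunk if l[0] in " +"]

def find_block(lines, block):  # index of the first contiguous exact occurrence, else -1
    n = len(block)
    return next((i for i in range(len(lines) - n + 1) if lines[i:i + n] == block), -1)

def classify_hunk(lines, hunk):
    before, after = hunk_sides(hunk)
    if find_block(lines, before) >= 0:
        return "applies"
    if find_block(lines, after) >= 0:
        return "already applied"         # the hunk's result is already in the tree
    return "conflict"                    # neither state matches: a different change is present

def dry_run(tree, patch_text):
    """Status of every hunk without touching the tree (the role of `patch --dry-run -N`)."""
    return {path: [classify_hunk(tree.get(path, "").splitlines(), h) for h in hunks]
            for path, hunks in parse_patch(patch_text).items()}

def apply_patch(tree, patch_text):
    """Apply like `patch -N`: skip hunks already present, stop at the first conflict."""
    new_tree = dict(tree)
    for path, hunks in parse_patch(patch_text).items():
        lines = new_tree.get(path, "").splitlines()
        for hunk in hunks:
            before, after = hunk_sides(hunk)
            pos = find_block(lines, before)
            if pos >= 0:
                lines[pos:pos + len(before)] = after
            elif find_block(lines, after) < 0:
                raise ValueError(f"{path}: hunk conflicts with the tree")
        new_tree[path] = "\n".join(lines) + "\n"
    return new_tree
```

Run `dry_run(TREE_12_3_0, PATCH_12_3_2)` and every hunk applies, which is the case the cumulative patch is built for. Run it against the constructed 12.3.1 tree instead and the hunk that is identical in both patches comes back as already applied (the "previously applied patch" warning Matt mentions), while the hunk that the regression fix changed conflicts. That second result is the practical reason to treat 12.3.2 as a complete replacement for 12.3.1, as Matt says, rather than to hand-merge a tree that took the short-lived patch.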