[asterisk-users] Asterisk 1.6.0.11-rc2, 1.6.1.2, 1.6.1.3-rc1, and 1.6.2.0-beta4 Release Announcement

Mark Michelson mmichelson at digium.com
Mon Aug 3 10:32:50 CDT 2009


Alex Hermann wrote:
> On Monday 03 August 2009, Asterisk Team wrote:
>> The release of 1.6.1.2 fixes a remote crash security vulnerability in the
>> RTP stack.  The related security advisory AST-2009-004 has been released
>> along with this announcement.  Please read that advisory for more
>> information.
>>
>> For a full list of changes in these releases, please see the ChangeLogs:
>> http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-1.6.1.2
> 
> The changelog doesn't mention anything on fixing a security issue. Even worse, 
> the changelog doesn't mention anything at all besides the version increment. 
> Is the fix really applied?

The fix is applied. I just checked to be sure. I can't say for sure why the 
change did not show up in the changelog, but I'm guessing the reason is that the 
tag for the release was created first, and then the specific fix was applied to 
the tag instead of creating the tag based off an already-fixed branch. This was 
an oversight on our part, and we'll do our best not to make such a mistake again.

Mark Michelson


