<br><br><div class="gmail_quote">On Sat, Mar 10, 2012 at 11:23 PM, Tzafrir Cohen <span dir="ltr"><<a href="mailto:tzafrir.cohen@xorcom.com">tzafrir.cohen@xorcom.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div class="im">On Fri, Mar 09, 2012 at 03:10:50PM -0600, Kevin P. Fleming wrote:<br>
> On 03/09/2012 02:56 PM, Josh Freeman wrote:<br>
> >The most current patched Asterisk, along with the most current app_rpt,<br>
> >can be found at<br>
> ><br>
> ><a href="http://svn.ohnosec.org/svn/projects/allstar/astsrc-1.4.23-pre/trunk/" target="_blank">http://svn.ohnosec.org/svn/projects/allstar/astsrc-1.4.23-pre/trunk/</a><br>
><br>
> I'm really trying to avoid fanning the flames here, but if that code<br>
> is *really* based on 1.4.23, and hasn't been kept up to date with<br>
> the Asterisk 1.4 releases, then that means it contains a number of<br>
> security vulnerabilities that users should be aware of. Some of them<br>
> are user enumeration vulnerabilities, but others (like AST-2011-010,<br>
> AST-2011-005, AST-2011-001, and maybe more) are more serious.<br>
<br>
</div><a href="http://patch-tracker.debian.org/package/asterisk/1:1.4.21.2~dfsg-3+lenny5" target="_blank">http://patch-tracker.debian.org/package/asterisk/1:1.4.21.2~dfsg-3+lenny5</a><br>
Or:<br>
<a href="http://anonscm.debian.org/viewvc/pkg-voip/asterisk/branches/lenny-security/debian/patches/" target="_blank">http://anonscm.debian.org/viewvc/pkg-voip/asterisk/branches/lenny-security/debian/patches/</a><br>
<br>
Those are the patches for the Asterisk package in Debian 5.0 (Lenny). It<br>
is based on 1.4.21.2 (though with some extra patches: part of the<br>
bristuff patch). At least for a while I tried to check every security<br>
fix to see if it applies to Lenny.<br>
<span class="HOEnZb"><font color="#888888"><br>
--<br>
Tzafrir Cohen<br>
icq#16849755 <a href="mailto:jabber%3Atzafrir.cohen@xorcom.com">jabber:tzafrir.cohen@xorcom.com</a><br>
<a href="tel:%2B972-50-7952406" value="+972507952406">+972-50-7952406</a> mailto:<a href="mailto:tzafrir.cohen@xorcom.com">tzafrir.cohen@xorcom.com</a><br>
<a href="http://www.xorcom.com" target="_blank">http://www.xorcom.com</a> <a href="http://iax:guest@local.xorcom.com/tzafrir" target="_blank">iax:guest@local.xorcom.com/tzafrir</a><br>
</font></span><div class="HOEnZb"><div class="h5"><br></div></div></blockquote><div><br></div><div>I don't use Debian, but since this is a fork, the patches may break app_rpt again like DAHDI did.</div><div><br></div>
<div>I may fire up a Debian Lenny VM and see if the fork with the patches matches up and works, and then whether app_rpt and app_radio compile or throw an error.</div><div><br></div><div>The latest all-in-one ISO uses CentOS 5.7.</div>
<div><br></div><div>Thanks,</div><div>Steve Totaro </div></div>