[asterisk-users] Asterisk 1.6.0.11-rc2, 1.6.1.2, 1.6.1.3-rc1, and 1.6.2.0-beta4 Release Announcement
Mark Michelson
mmichelson at digium.com
Mon Aug 3 10:32:50 CDT 2009
Alex Hermann wrote:
> On Monday 03 August 2009, Asterisk Team wrote:
>> The release of 1.6.1.2 fixes a remote crash security vulnerability in the
>> RTP stack. The related security advisory AST-2009-004 has been released
>> along with this announcement. Please read that advisory for more
>> information.
>>
>> For a full list of changes in these releases, please see the ChangeLogs:
>> http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-1.6.1.2
>
> The changelog doesn't mention anything on fixing a security issue. Even worse,
> the changelog doesn't mention anything at all besides the version increment.
> Is the fix really applied?
The fix is applied. I just checked to be sure. I can't say for sure why the
change did not show up in the changelog, but I'm guessing the reason is that the
tag for the release was created first, and then the specific fix was applied to
the tag instead of creating the tag based off an already-fixed branch. This was
an oversight on our part, and we'll do our best not to make such a mistake again.
Mark Michelson