NOT FOUND answer on OPTIONS request

Debdiff for preceise

debdiff for oneiric-proposed

for precise it might be better to instead sync the version from debian which has the fix. It looks like its a bugfix only update so it could be synced without an exception.

for oneiric can the bug description please be updated for an SRU:
see https://wiki.ubuntu.com/StableReleaseUpdates

No, I actually disagree with the debian sync of asterisk at this point of time. Between 1.8.4.4 and 1.8.9.0 / 1.8.10.0 there have been too many regressions. And this late in the game it would not want to go through the process of retesting asterisk to make sure we didn't break something new.

can you give some details on the regressions. Where they fixed in .10 or still open?
there have been several CVE's fixed in those versions which should then be backported.
e.g. CVE-2011-4598, CVE-2011-4063

also precise is supported 5 years, so getting a newer version will ease backporting future fixes.

Right, they are still open. 1.8.4.4 is a nice release, it has it's issues however for each release moving forward something new / different breaks. Precise being a 5 year support is not much of an issue at this point, regardless of the regressions found we would need to backport them eventually.

Regarding the CVE's you have referenced, yes. They would need to be backported into other releases. I plan to open up a security issue for them shortly.

This bug was fixed in the package asterisk - 1:1.8.4.4~dfsg-2ubuntu4

---------------
asterisk (1:1.8.4.4~dfsg-2ubuntu4) precise; urgency=low

  * debian/patches/backport-r312866.diff
  - Responding to OPTIONS packet with 404 because Asterisk not looking for
     "s" extension (LP: #920020)
 -- Paul Belanger <email address hidden> Sat, 10 Mar 2012 21:38:29 +0100

I have also uploaded the fix to oneiric-proposed please test it when it has been accepted.

note that the version number for SRU in this case is ubuntu1.1
see https://wiki.ubuntu.com/SecurityTeam/UpdatePreparation#Update_the_packaging for general stable version number advice

thanks for the patches.

In oneiric-proposed, awaiting approval from ubuntu-sru

Hello Marc, or anyone else affected,

Accepted asterisk into oneiric-proposed. The package will build now and be available in a few hours. Please test and give feedback here. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you in advance!

The fix for the this bug has been awaiting testing feedback in the -proposed repository for oneiric for more than 90 days. Please test this fix and update the bug appropriately with the results. In the event that the fix for this bug is still not verified 15 days from now the package will be removed from the -proposed repository.

I was able to confirm this fix a few weeks ago, however I never go around to updating the issue properly.

This bug was fixed in the package asterisk - 1:1.8.4.4~dfsg-2ubuntu1.1

---------------
asterisk (1:1.8.4.4~dfsg-2ubuntu1.1) oneiric-proposed; urgency=low

  * debian/patches/backport-r312866.diff
  - Responding to OPTIONS packet with 404 because Asterisk not looking for
     "s" extension (LP: #920020)
 -- Paul Belanger <email address hidden> Sun, 11 Mar 2012 00:40:50 +0100

The verification of this Stable Release Update has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regresssions.