Debian 7/Asterisk TLS Bug And Others


Debian 7 is currently in the 'freeze' status with 1.8.13 – that means Debian 7 is very likely to release 1.8.13 and be carrying it for the next 2-3 years (typical lifetime of a Debian release).

I run 1.8.8. TLS has a bug: it fails to receive BYE over the TLS
connection from my Polycom phone.

I tried 1.8.13, the version in Debian 7, and found a more severe bug:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=683956
The TLS clients can't connect at all; this looks like a really bad regression from 1.8.8.

I’ve looked at 1.8.(14, 15, 16-rc1) and their changelogs don’t mention any fix.

Debian is very conservative about accepting updates during the 'freeze'
process – they will most likely want to see a 1.8.13.2 release with ONLY
the most essential fixes.

a) is anyone else aware of these bugs?

b) what essential changes should go into 1.8.13.2 for Debian?

4 thoughts on - Debian 7/Asterisk TLS Bug And Others

  • We don’t need to release a 1.8.13.2 release of Asterisk. Once the issue has been fixed in the 1.8 release branch, it would just be back-ported into a Debian patch for the package.

  • My impression was that a 1.8.13.2 release would be as conservative as any patches back-ported for the Debian package. It’s not necessary, but it might be a convenient way to achieve the same goal.

    Is Digium officially endorsing 1.8.13 for wheezy in any way?

    Is anyone officially working on this particular problem already? I was tempted to have a closer look at it, but don’t want to duplicate an effort that is already underway elsewhere.

  • No. Neither Digium nor the Asterisk Project has anything to do with the package within Debian. In fact, most of the work is done by Tzafrir.

    Best to check JIRA and see. Actually, does the issue even exist in JIRA?

  • I'm not referring to the actual packaging processes, but just the general strategy.

    For example, if wheezy is released at Christmas, it could be the current version for 2 years (until end of 2014) and then another year of security updates (until end of 2015). Anyone using Debian during that period will come across Asterisk v1.8.13.

    It raises various issues:

    – with TLS use likely to grow over that time, will the problems in the current version become noticed by many more people?

    – will general security updates for 1.8.x continue up to at least 2015?

    I've raised a bug report in Debian about the general state of the TLS
    support and to see if it is appropriate for the long lifespan of packages in Debian – any comments on this would be really welcome: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=684649