Bug#315532: Asterisk Manager Interface Overflow
Mark Purcell
msp at debian.org
Sun Jul 31 21:48:48 UTC 2005
Bug #315532 has been rasied as grave security related bug against
asterisk-1.0.7, which is included in the released sarge.
It refers to a potential overflow in the Asterisk Manager Interface, which is
not enabled by default in the Debian asterisk package. In addition the
Debian asterisk package is not run as root as upstream, but rather as the
user asterisk with limited privs.
It has been pointed out that a user of the manager interface can execute
arbitary commands anyway, so the potential for additional privs is again
limited even in the case that the manager interface is enabled and exploited.
My query is does this warrant an release from the security team of the
relevant asterisk package? The patch is included against the bug report.
Or can we close this bug?
Mark
More information about the Pkg-voip-maintainers
mailing list