Asterisk: multiple vulnerabilities
Moritz Muehlenhoff
jmm at inutil.org
Wed Aug 22 21:34:13 UTC 2007
Faidon Liambotis wrote:
> Moritz Muehlenhoff wrote:
> > What do you do about Sarge?
> I just did an evaluation of the vulnerabilities:
>                 vulnerable   difficulty
> -----------------------------------------
> ASA-2007-011    yes          high
> ASA-2007-012    yes          low
> ASA-2007-014    yes          medium
> ASA-2007-015    yes          applies as-is
> ASA-2007-016    no
> CVE-2007-1306   no
> CVE-2007-1561   no
> CVE-2007-2488   yes          low
>
> I will try to fix these.
> Unfortunately, I am unable to runtime test a 1.0 setup, even for SIP or
> IAX2 channels.
>
> Plus, I'm sure that in 1.0 there are other, unknown vulnerabilities.
> Can the DSA suggest all users to upgrade to one of the more recent versions?
As a general rule of thumb, no. But in the case of asterisk we could
make an exception and advise users to upgrade to stable. asterisk will
typically run on a more or less dedicated PBX machine anyway.
Cheers,
Moritz