Open Asterisk vulnerabilities
Tzafrir Cohen
tzafrir.cohen at xorcom.com
Sun May 27 20:25:31 UTC 2007
On Sun, May 27, 2007 at 12:42:20PM +0200, Moritz Muehlenhoff wrote:
> Hi,
> There's a constant flow of vulnerabilities in Asterisk, which are only
> addressed by you in unstable. This needs to change, a package like Asterisk
> is impossible to test for the Security Team. We need you to prepare a
> stable-security update for every vulnerability you address in unstable.
> According to the Debian Security Tracker the current issues are open
> in Etch:
>

Results of an initial check:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2293
Does not affect Etch: new code in asterisk 1.4

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2297
Affects Etch. Diff probably:
http://svn.digium.com/view/asterisk/branches/1.2/channels/chan_sip.c?r1=58847&r2=59194

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1306
Probably affects Etch. Diff probably:
http://svn.digium.com/view/asterisk/branches/1.2/channels/chan_sip.c?r1=56230&r2=58052

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1561
Maybe:
http://svn.digium.com/view/asterisk/branches/1.2/channels/chan_sip.c?r1=58115&r2=58579

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1594
Duplicate of CVE-2007-2297???

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1595
No fix was supplied for the original ael parser of 1.2.
Maybe just document the issue as something to avoid.

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2294
Affects Etch. Probably fixed by:
http://svn.digium.com/view/asterisk/branches/1.2/manager.c?r1=60134&r2=61786

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2488
Affects Etch. Probably fixed by:
http://svn.digium.com/view/asterisk/branches/1.2/channels/chan_iax2.c?r1=62037&r2=62691

--
Tzafrir Cohen
icq#16849755 jabber:tzafrir at jabber.org
+972-50-7952406 mailto:tzafrir.cohen at xorcom.com
http://www.xorcom.com iax:guest at local.xorcom.com/tzafrir