Bug#509686: [CVE-2008-5558] remote crash of asterisk with realtime IAX2 users/peers
Tzafrir Cohen
tzafrir.cohen at xorcom.com
Wed Dec 24 19:33:38 UTC 2008

Package: asterisk
Version: 1:1.2.13~dfsg-2etch3
Severity: grave
Tags: pending security etch

There is a possibility to remotely crash an Asterisk server if the
server is configured to use realtime IAX2 users. The issue occurs if
either an unknown user attempts to authenticate or if a user that uses
hostname matching attempts to authenticate.

http://downloads.digium.com/pub/asa/AST-2008-012.html

The advisory mentions that the issue is for versions 1.2.26 - 1.2.30.3,
however it was introduced in a previous bugfix that has already been
included in Debian, specifically in AST-2007-027.dpatch that was added
in 1:1.2.13~dfsg-2etch3.

I included this patch in
http://svn.debian.org/viewsvn/pkg-voip?rev=6581&view=rev

-- 
               Tzafrir Cohen
icq#16849755              jabber:tzafrir.cohen at xorcom.com
+972-50-7952406           mailto:tzafrir.cohen at xorcom.com
http://www.xorcom.com  iax:guest at local.xorcom.com/tzafrir
    
    