Bug#484796: asterisk-oh322: CVE-2008-2543 denial of service

Tzafrir Cohen tzafrir.cohen at xorcom.com
Fri Jun 6 14:47:51 UTC 2008


On Fri, Jun 06, 2008 at 04:27:01PM +0200, Nico Golde wrote:
> Package: asterisk-oh323
> Severity: grave
> Tags: security
> 
> Hi,
> the following CVE (Common Vulnerabilities & Exposures) id was
> published for asterisk-oh323.

Nope: it's for asterisk-ooh323c from asterisk-addons. Included in Lenny,
not included in Etch. A new version has already been uploaded yesterday
by Faidon.

> 
> 
> CVE-2008-2543[0]:
> | The ooh323 channel driver in Asterisk Addons 1.2.x before 1.2.9 and
> | Asterisk-Addons 1.4.x before 1.4.7 creates a remotely accessible TCP
> | port that is intended solely for localhost communication, and
> | interprets some TCP application-data fields as addresses of memory to
> | free, which allows remote attackers to cause a denial of service
> | (daemon crash) via crafted TCP packets.
> 
> If you fix the vulnerability please also make sure to include the
> CVE id in your changelog entry.
> 
> http://svn.digium.com/view/asterisk-addons?view=rev&revision=620
> is the patch upstream applied to fix this issue. However the 
> version in Debian has a completely different codebase and 
> without having more knowledge about asterisk it is (at least 
> for me) not possible to judge if the version in Debian is 
> affected by this or not. I also have no asterisk setup to 
> test this.
> 
> Please check back with upstream and/or test this with a 
> local installation. For now I marked it as unfixed in the 
> tracker.
> 
> For further information see:
> 
> [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2543
>     http://security-tracker.debian.net/tracker/CVE-2008-2543
> 
> -- 
> Nico Golde - http://www.ngolde.de - nion at jabber.ccc.de - GPG: 0x73647CFF
> For security reasons, all text in this mail is double-rot13 encrypted.


-- 
               Tzafrir Cohen
icq#16849755              jabber:tzafrir.cohen at xorcom.com
+972-50-7952406           mailto:tzafrir.cohen at xorcom.com
http://www.xorcom.com  iax:guest at local.xorcom.com/tzafrir
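
The quoted CVE text describes a TCP port meant only for localhost that ends up reachable remotely. As an added example (not code from this thread or from Asterisk), the check below parses `/proc/net/tcp`-style text and reports listeners on ports that should be loopback-only but are bound elsewhere; the port numbers are hypothetical placeholders because the thread does not state the port, and it assumes IPv4 on a little-endian host.

```python
import ipaddress
import socket
import struct

TCP_LISTEN = "0A"  # socket state code for LISTEN in /proc/net/tcp

# Constructed sample in /proc/net/tcp layout (trailing columns trimmed);
# not captured from a real host. Ports are hypothetical placeholders.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue
   0: 0100007F:2EE0 00000000:0000 0A 00000000:00000000
   1: 00000000:2EE1 00000000:0000 0A 00000000:00000000
   2: 0A00A8C0:2EE2 0B00A8C0:D431 01 00000000:00000000
   3: 00000000:0016 00000000:0000 0A 00000000:00000000
"""


def parse_listeners(proc_net_tcp):
    """Return (ip, port) for every socket in LISTEN state."""
    listeners = []
    for line in proc_net_tcp.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 4 or fields[3] != TCP_LISTEN:
            continue
        hex_ip, hex_port = fields[1].split(":")
        # The kernel prints the address as a host-order 32-bit hex word;
        # repacking it little-endian recovers the dotted quad (assumption:
        # the file came from a little-endian machine such as x86).
        ip = socket.inet_ntoa(struct.pack("<I", int(hex_ip, 16)))
        listeners.append((ip, int(hex_port, 16)))
    return listeners


def exposed_local_only(proc_net_tcp, local_only_ports):
    """Listeners on ports meant for localhost that are not bound to loopback."""
    return [
        (ip, port)
        for ip, port in parse_listeners(proc_net_tcp)
        if port in local_only_ports
        and not ipaddress.ip_address(ip).is_loopback
    ]


if __name__ == "__main__":
    hypothetical_ports = {12000, 12001, 12002}
    for ip, port in exposed_local_only(SAMPLE_PROC_NET_TCP, hypothetical_ports):
        print(f"local-only port {port} is listening on {ip}")
```

On a real system, pass the contents of `/proc/net/tcp` and the set of ports your daemon documents as internal.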
