Bug#541441: CVE-2009-2726: Asterisk SIP Channel Driver Denial of Service
Faidon Liambotis
paravoid at debian.org
Fri Aug 14 13:32:25 UTC 2009
That's AST-2009-005[1], which mentions:
> Note that while this potential vulnerability has existed in Asterisk for
> a very long time, it is only potentially exploitable in 1.6.1 and above,
> since those versions are the first that have allowed SIP packets to
> exceed 1500 bytes total, which does not permit strings that are large
> enough to crash Asterisk. (The number strings presented to us by the
> security researcher were approximately 32,000 bytes long.)
>
> Additionally note that while this can crash Asterisk, execution of
> arbitrary code is not possible with this vector.
Hence, I don't think it warrants a security update for stable/oldstable.
Unstable is vulnerable though, I'll prepare a fix.
Regards,
Faidon
1: http://downloads.asterisk.org/pub/security/AST-2009-005.html
More information about the Pkg-voip-maintainers
mailing list