Bug#539473: CVE-2009-2651: Remote Crash Vulnerability in RTP stack
Moritz Muehlenhoff
jmm at inutil.org
Wed Sep 16 19:17:44 UTC 2009
On Sat, Aug 01, 2009 at 10:57:33AM +0200, Giuseppe Iuculano wrote:
> Package: asterisk
> Version: 1:1.6.2.0~dfsg~beta3-1
> Severity: serious
> Tags: security patch
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
>
> Hi,
> the following CVE (Common Vulnerabilities & Exposures) id was
> published for asterisk.
>
> CVE-2009-2651[0]:
> | main/rtp.c in Asterisk Open Source 1.6.1 before 1.6.1.2 allows remote
> | attackers to cause a denial of service (crash) via an RTP text frame
> | without a certain delimiter, which triggers a NULL pointer dereference
> | and the subsequent calculation of an invalid pointer.
>
> If you fix the vulnerability please also make sure to include the
> CVE id in your changelog entry.
>
> For further information see:
>
> [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2651
> http://security-tracker.debian.net/tracker/CVE-2009-2651
> http://downloads.asterisk.org/pub/security/AST-2009-004.html
> Patch: http://downloads.asterisk.org/pub/security/AST-2009-004-1.6.1.diff.txt

Asterisk maintainers, what should be done about stable? Would it
make sense to update the stable version to 1.4.26.2 in a point update?
(IIRC there's still a performance regression affecting Lenny from
a previous security update?)

Cheers,
Moritz
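As an added illustration that is not part of the bug report, the advisory or Asterisk's own code: the CVE text above describes a parser that searches an RTP text frame for a delimiter and, when the delimiter is absent, dereferences the NULL search result and derives an invalid pointer from it. The minimal C parser below shows the defensive shape such code needs: the search result is checked before any pointer or length is computed from it, and a frame without the delimiter is rejected. The delimiter byte (a newline), the header/body layout and the function names are assumptions made for this example; the page does not name the real delimiter.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Stand-in delimiter: the advisory does not name the real one, so this
 * example uses an ASCII newline purely for illustration. */
#define DELIM '\n'

/* Parsed view of a delimited text payload (hypothetical layout). */
struct text_frame {
    const unsigned char *hdr;   /* bytes before the delimiter */
    size_t hdr_len;
    const unsigned char *body;  /* bytes after the delimiter */
    size_t body_len;
};

/* Returns 0 and fills *out on success, -1 when the payload is empty or
 * carries no delimiter. The NULL check on memchr() is the whole point:
 * without it, a frame lacking the delimiter would make the parser compute
 * "delim + 1" from a NULL pointer and then a bogus length from that,
 * which is the failure mode the advisory text describes. */
int parse_text_frame(const unsigned char *payload, size_t len,
                     struct text_frame *out)
{
    const unsigned char *delim;

    if (payload == NULL || out == NULL || len == 0)
        return -1;

    delim = memchr(payload, DELIM, len);
    if (delim == NULL)
        return -1;  /* missing delimiter: reject the frame, derive nothing */

    out->hdr = payload;
    out->hdr_len = (size_t)(delim - payload);
    out->body = delim + 1;
    out->body_len = len - out->hdr_len - 1;  /* may legitimately be 0 */
    return 0;
}

/* Convenience wrapper: body length on success, -1 when the frame is rejected. */
long text_body_len(const unsigned char *payload, size_t len)
{
    struct text_frame f;

    if (parse_text_frame(payload, len, &f) != 0)
        return -1;
    return (long)f.body_len;
}

int main(void)
{
    /* Constructed sample payloads, not captured RTP traffic. */
    static const unsigned char good[] = "hdr\nhello";
    static const unsigned char bad[]  = "no-delimiter-here";

    printf("with delimiter:    body_len=%ld\n", text_body_len(good, sizeof good - 1));
    printf("without delimiter: body_len=%ld\n", text_body_len(bad, sizeof bad - 1));
    return 0;
}
```

The rejected frame is simply dropped by the caller; a counter or log line at that point is also a cheap detection signal for malformed text frames arriving from a peer.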