Bug#651552: CVE-2011-4598: DoS
Tzafrir Cohen
tzafrir.cohen at xorcom.com
Sun Dec 18 10:58:03 UTC 2011
On Sun, Dec 11, 2011 at 05:09:21PM +0200, Tzafrir Cohen wrote:
> On Fri, Dec 09, 2011 at 09:47:04PM +0100, Moritz Muehlenhoff wrote:
> > Source: asterisk
> > Severity: grave
> > Tags: security
> >
> > Please see http://downloads.asterisk.org/pub/security/AST-2011-014.html
> > This has been assigned CVE-2011-4598.
>
> What about the pending fixes for #630381 and #639821 ?
Ping?
Packages are pending in the pkg-voip SVN repo:
asterisk/trunk: 1:1.8.8.0~dfsg-1 (just released today)
asterisk/branches/squeeze: 1:1.6.2.9-2+squeeze4:
including those two fixes
asterisk/branches/lenny-security: 1:1.4.21.2~dfsg-3+lenny6
Only the NAT issue
>
> >
> > There's also http://downloads.asterisk.org/pub/security/AST-2011-013.html,
> > (CVE-2011-4597), which seems rather esoteric and can likely be ignored
> > for stable.
>
> This configuration is actually rather common. The bug did not mention
> it, but the fix included a patch that changes the default value of the
> configuration and also adds a nasty warning if the global value does not
> match the peer/user entry.
I made the warnings slightly less horrible than Upstream's and added
an explanation in README.Debian. The sample sip.conf changed, but not
/etc/asterisk/sip.conf.
--
Tzafrir Cohen
icq#16849755 jabber:tzafrir.cohen at xorcom.com
+972-50-7952406 mailto:tzafrir.cohen at xorcom.com
http://www.xorcom.com iax:guest at local.xorcom.com/tzafrir