Bug#656596: asterisk: SRTP Video Remote Crash Vulnerability
Tzafrir Cohen
tzafrir at debian.org
Fri Jan 20 11:25:21 UTC 2012
Package: asterisk
Version: 1:1.8.8.0~dfsg-1
Severity: grave
Tags: security patch upstream
Justification: causes non-serious data loss
http://downloads.asterisk.org/pub/security/AST-2012-001.html
(No CVE set yet, AFAIK)
An attacker attempting to negotiate a secure video stream can crash
Asterisk if video support has not been enabled and the res_srtp Asterisk
module is loaded.
I am not aware of any exploits for the issue. It requires the remote user
to be permitted to connect to the system, but certain systems may also
allow guests.
No effect on the version in Squeeze, as Asterisk did not have SRTP
support before 1.8 and Squeeze uses 1.6.2.
--
Tzafrir Cohen | tzafrir at jabber.org | VIM is
http://tzafrir.org.il | | a Mutt's
tzafrir at cohens.org.il | | best
tzafrir at debian.org | | friend