Bug#697230: asterisk: Two security issues: AST-2012-014 / AST-2012-015

Moritz Mühlenhoff jmm at inutil.org
Tue Jan 8 17:49:56 UTC 2013


On Tue, Jan 08, 2013 at 02:45:59AM +0200, Tzafrir Cohen wrote:
> Hi,
> 
> On Wed, Jan 02, 2013 at 10:56:43PM +0100, Salvatore Bonaccorso wrote:
> > Package: asterisk
> > Severity: grave
> > Tags: security
> > Justification: user security hole
> > 
> > Hi,
> > 
> > the following vulnerabilities were published for asterisk.
> > 
> > CVE-2012-5976[0]:
> > Crashes due to large stack allocations when using TCP
> > 
> > CVE-2012-5977[1]:
> > Denial of Service Through Exploitation of Device State Caching
> > 
> > If you fix the vulnerabilities please also make sure to include the
> > CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
> > 
> > For further information see:
> > 
> > [0] http://security-tracker.debian.org/tracker/CVE-2012-5976
> > [1] http://security-tracker.debian.org/tracker/CVE-2012-5977
> > 
> > Please adjust the affected versions in the BTS as needed.
> > 
> > According to the advisories all 1.8.x versions seem affected.
> 
> Likewise is version 1.6.2 from Stable. I have fixes ready.

Ok, please upload to security-master once tests are sufficient.
> On a side note, I'm not sure why
> https://security-tracker.debian.org/tracker/CVE-2011-2666 is listed as
> open. The respective bug has been closed:
> As I mentioned before, I can change the default for alwaysauthreject,
> I'm just not sure this should be done on a Stable package.

It's marked as

        [squeeze] - asterisk <no-dsa> (minor issue; can be addressed through configuration)

The tracker is correct insofar as this isn't fixed in squeeze through
a code fix. If you provide a short text on what people need to modify in their
config, we can add it to the DSA text and use this as the "fix" for stable.

Cheers,
        Moritz
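As an added example, not part of this thread or of the Asterisk package: a small checker for the configuration-level fix discussed above, which parses a sip.conf and reports whether alwaysauthreject is enabled in [general]. The sample configs are constructed, and treating an absent key as disabled assumes the affected versions default to "no".

```python
import re
from typing import Dict

# Constructed samples: the weak config leaves alwaysauthreject unset (daemon
# default applies); the hardened one enables it explicitly.
WEAK_SIP_CONF = """\
[general]
bindport=5060   ; listen port
[1001]
type=friend
secret=example
"""
HARDENED_SIP_CONF = """\
[general]
bindport=5060
alwaysauthreject = yes  ; answer unknown peers exactly like bad-auth known ones
[1001]
type=friend
secret=example
"""
TRUE_VALUES = {"yes", "true", "on", "1"}
SECTION_RE = re.compile(r"^\[([^\]]+)\]")

def parse_sections(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal parser for Asterisk's ini-like format: [section] headers,
    key=value or key => value, ';' comments; [name](!) markers ignored."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop comment and whitespace
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][key.strip().lower()] = value.lstrip("> ").strip()
    return sections

def alwaysauthreject_enabled(text: str) -> bool:
    """True only if [general] sets alwaysauthreject to a truthy value; an absent
    key counts as disabled (assumption: the pre-fix default is 'no')."""
    general = parse_sections(text).get("general", {})
    return general.get("alwaysauthreject", "no").lower() in TRUE_VALUES
```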


