Bug#697230: asterisk: Two security issues: AST-2012-014 / AST-2012-015
Tzafrir Cohen
tzafrir.cohen at xorcom.com
Mon Jan 14 14:54:07 UTC 2013
On Fri, Jan 11, 2013 at 11:00:30PM +0000, Tzafrir Cohen wrote:
> On Tue, Jan 08, 2013 at 06:49:56PM +0100, Moritz Mühlenhoff wrote:
> > On Tue, Jan 08, 2013 at 02:45:59AM +0200, Tzafrir Cohen wrote:
> > > Hi,
> > >
> > > On Wed, Jan 02, 2013 at 10:56:43PM +0100, Salvatore Bonaccorso wrote:
> > > > Package: asterisk
> > > > Severity: grave
> > > > Tags: security
> > > > Justification: user security hole
> > > >
> > > > -----BEGIN PGP SIGNED MESSAGE-----
> > > > Hash: SHA512
> > > >
> > > > Hi,
> > > >
> > > > the following vulnerabilities were published for asterisk.
> > > >
> > > > CVE-2012-5976[0]:
> > > > Crashes due to large stack allocations when using TCP
> > > >
> > > > CVE-2012-5977[1]:
> > > > Denial of Service Through Exploitation of Device State Caching
> > > >
> > > > If you fix the vulnerabilities please also make sure to include the
> > > > CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
> > > >
> > > > For further information see:
> > > >
> > > > [0] http://security-tracker.debian.org/tracker/CVE-2012-5976
> > > > [1] http://security-tracker.debian.org/tracker/CVE-2012-5977
> > > >
> > > > Please adjust the affected versions in the BTS as needed.
> > > >
> > > > According to the advisories all 1.8.x versions seems affected.
> > >
> > > Likewise is version 1.6.2 from Stable. I have fixes ready.
> >
> > Ok, please upload to security-master once tests are sufficient.
>
> Uploaded.
It seems that there has been a bug with the patch for Stable (#698112,
#698118):
http://anonscm.debian.org/viewvc/pkg-voip?view=revision&revision=10073
I have prepared a fix for this (1:1.6.2.9-2+squeeze10).
--
Tzafrir Cohen
icq#16849755 jabber:tzafrir.cohen at xorcom.com
+972-50-7952406 mailto:tzafrir.cohen at xorcom.com
http://www.xorcom.com iax:guest at local.xorcom.com/tzafrir
More information about the Pkg-voip-maintainers
mailing list