Bug#838832: asterisk: chan_sip: File descriptors leak (UDP sockets) / AST-2016-007, CVE-2016-7551
Petter Reinholdtsen
pere at hungry.com
Sun Oct 16 22:14:37 UTC 2016
Control: retitle -1 asterisk: chan_sip: File descriptors leak (UDP sockets) / AST-2016-007, CVE-2016-7551
Control: found -1 1:13.7.2~dfsg-1
If I understand the jira tracker correctly, the patch available from
<URL: https://issues.asterisk.org/jira/secure/attachment/54225/ASTERISK-26272-13.patch >
will solve this issue.
The security problem seems to be that "a peer which is authorized to sent
SIP INVITE to an asterisk configured with chan_sip using overlap dialing
can then create a denial-of-service attack by exhausting all the file
descriptors available for the asterisk process."
Is that significant enough for a stable update? I guess so.
According to the upstream tracker, the problem was first discovered in
version 13.5. Updating the BTS version tracking with the first Debian
version after that.
--
Happy hacking
Petter Reinholdtsen