Debian Bug report logs - #509686
[CVE-2008-5558] remote crash of asterisk with realtime IAX2 users/peers
Reported by: Tzafrir Cohen <tzafrir.cohen@xorcom.com>
Date: Wed, 24 Dec 2008 19:36:02 UTC
Severity: grave
Tags: etch, security
Found in version asterisk/1:1.2.13~dfsg-2etch4
Fixed in version 1:1.4.0~dfsg-1
Done: Nico Golde <nion@debian.org>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>: Bug#509686; Package asterisk. (Wed, 24 Dec 2008 19:36:04 GMT)
Acknowledgement sent to Tzafrir Cohen <tzafrir.cohen@xorcom.com>: New Bug report received and forwarded. Copy sent to Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>. (Wed, 24 Dec 2008 19:36:04 GMT)
Message #5 received at submit@bugs.debian.org:
Package: asterisk
Version: 1:1.2.13~dfsg-2etch4
Severity: grave
Tags: pending security etch

There is a possibility to remotely crash an Asterisk server if the
server is configured to use realtime IAX2 users. The issue occurs if
either an unknown user attempts to authenticate or if a user that uses
hostname matching attempts to authenticate.

http://downloads.digium.com/pub/asa/AST-2008-012.html

The advisory mentions that the issue is for versions 1.2.26 - 1.2.30.3,
however it was introduced in a previous bugfix that has already been
included in Debian, specifically in AST-2007-027.dpatch that was added
in 1:1.2.13~dfsg-2etch4.

I included this patch in
http://svn.debian.org/viewsvn/pkg-voip?rev=6581&view=rev

--
Tzafrir Cohen
icq#16849755 jabber:tzafrir.cohen@xorcom.com
+972-50-7952406 mailto:tzafrir.cohen@xorcom.com
http://www.xorcom.com iax:guest@local.xorcom.com/tzafrir
Reply sent to Nico Golde <nion@debian.org>: You have taken responsibility. (Wed, 07 Jan 2009 18:42:07 GMT)
Notification sent to Tzafrir Cohen <tzafrir.cohen@xorcom.com>: Bug acknowledged by developer. (Wed, 07 Jan 2009 18:42:07 GMT)
Message #10 received at 509686-done@bugs.debian.org:
Version: 1:1.4.0~dfsg-1
The complete 1.4.x release line is not affected.
Cheers
Nico
--
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 16 Feb 2009 08:39:48 GMT)
Last modified: Wed Jun 19 16:17:35 2019