CVE-2006-2898: Denial of service in Asterisk

Related Vulnerabilities: CVE-2006-2898  

Debian Bug report logs - #380054
CVE-2006-2898: Denial of service in Asterisk

Reported by: Martin Schulze <joey@infodrom.org>

Date: Thu, 27 Jul 2006 06:49:01 UTC

Severity: serious

Tags: patch, security

Found in version 1.2.10.dfsg-1

Fixed in versions asterisk/1:1.2.10.dfsg-2, 1.0.7.dfsg.1-2sarge3

Done: Filipus Klutiero <chealer@vif.com>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>:
Bug#380054; Package asterisk.


Acknowledgement sent to Martin Schulze <joey@infodrom.org>:
New Bug report received and forwarded. Copy sent to Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>.


Message #5 received at submit@bugs.debian.org:

From: Martin Schulze <joey@infodrom.org>
To: submit@bugs.debian.org
Subject: CVE-2006-2898: Denial of service in Asterisk
Date: Thu, 27 Jul 2006 08:34:17 +0200
Package: asterisk
Version: 1.2.10.dfsg-1
Severity: grave
Tags: security patch

A problem has been discovered in the IAX2 channel driver of Asterisk,
an Open Source Private Branch Exchange and telephony toolkit, which
may allow a remote to cause a crash of the Asterisk server.

The patch used for security is attached.

Regards,

	Joey


-- 
It's time to close the windows.

Please always Cc to me when replying to me on the lists.
[patch.CVE-2006-2898.asterisk (text/plain, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>:
Bug#380054; Package asterisk.


Acknowledgement sent to Mark Purcell <msp@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>.


Message #10 received at 380054@bugs.debian.org:

From: Mark Purcell <msp@debian.org>
To: Martin Schulze <joey@infodrom.org>, 380054@bugs.debian.org
Subject: Re: Bug#380054: CVE-2006-2898: Denial of service in Asterisk
Date: Thu, 27 Jul 2006 08:25:08 +0100
On Thursday 27 July 2006 07:34, Martin Schulze wrote:
> The patch used for security is attached.

Thanks Joey,

In asterisk 1.2.10 half of that patch is already applied upstream.

I have applied the other half and am in the process of uploading.

The modified patch is included.

Mark
[patch.CVE-2006-2898.dpatch (application/x-shellscript, attachment)]

Reply sent to Mark Purcell <msp@debian.org>:
You have taken responsibility.


Notification sent to Martin Schulze <joey@infodrom.org>:
Bug acknowledged by developer.


Message #15 received at 380054-close@bugs.debian.org:

From: Mark Purcell <msp@debian.org>
To: 380054-close@bugs.debian.org
Subject: Bug#380054: fixed in asterisk 1:1.2.10.dfsg-2
Date: Thu, 27 Jul 2006 01:02:17 -0700
Source: asterisk
Source-Version: 1:1.2.10.dfsg-2

We believe that the bug you reported is fixed in the latest version of
asterisk, which is due to be installed in the Debian FTP archive:

asterisk-bristuff_1.2.10.dfsg-2_i386.deb
  to pool/main/a/asterisk/asterisk-bristuff_1.2.10.dfsg-2_i386.deb
asterisk-classic_1.2.10.dfsg-2_i386.deb
  to pool/main/a/asterisk/asterisk-classic_1.2.10.dfsg-2_i386.deb
asterisk-config_1.2.10.dfsg-2_all.deb
  to pool/main/a/asterisk/asterisk-config_1.2.10.dfsg-2_all.deb
asterisk-dev_1.2.10.dfsg-2_all.deb
  to pool/main/a/asterisk/asterisk-dev_1.2.10.dfsg-2_all.deb
asterisk-doc_1.2.10.dfsg-2_all.deb
  to pool/main/a/asterisk/asterisk-doc_1.2.10.dfsg-2_all.deb
asterisk-h423_1.2.10.dfsg-2_i386.deb
  to pool/main/a/asterisk/asterisk-h423_1.2.10.dfsg-2_i386.deb
asterisk-sounds-main_1.2.10.dfsg-2_all.deb
  to pool/main/a/asterisk/asterisk-sounds-main_1.2.10.dfsg-2_all.deb
asterisk-web-vmail_1.2.10.dfsg-2_all.deb
  to pool/main/a/asterisk/asterisk-web-vmail_1.2.10.dfsg-2_all.deb
asterisk_1.2.10.dfsg-2.diff.gz
  to pool/main/a/asterisk/asterisk_1.2.10.dfsg-2.diff.gz
asterisk_1.2.10.dfsg-2.dsc
  to pool/main/a/asterisk/asterisk_1.2.10.dfsg-2.dsc
asterisk_1.2.10.dfsg-2_all.deb
  to pool/main/a/asterisk/asterisk_1.2.10.dfsg-2_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 380054@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Mark Purcell <msp@debian.org> (supplier of updated asterisk package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Thu, 27 Jul 2006 08:09:47 +0100
Source: asterisk
Binary: asterisk-h423 asterisk-web-vmail asterisk asterisk-classic asterisk-dev asterisk-doc asterisk-sounds-main asterisk-bristuff asterisk-config
Architecture: source all i386
Version: 1:1.2.10.dfsg-2
Distribution: unstable
Urgency: high
Maintainer: Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>
Changed-By: Mark Purcell <msp@debian.org>
Description: 
 asterisk   - Open Source Private Branch Exchange (PBX) - dummy package
 asterisk-bristuff - Open Source Private Branch Exchange (PBX) - BRIstuff-enabled vers
 asterisk-classic - Open Source Private Branch Exchange (PBX) - original Digium versi
 asterisk-config - config files for asterisk
 asterisk-dev - development files for asterisk
 asterisk-doc - documentation for asterisk
 asterisk-h423 - asterisk H.323 VoIP channel
 asterisk-sounds-main - sound files for asterisk
 asterisk-web-vmail - Web-based (CGI) voice mail interface for Asterisk
Closes: 380054
Changes: 
 asterisk (1:1.2.10.dfsg-2) unstable; urgency=high
 .
   * IAX2 channel driver security patch [CVE-2006-2898]
     - CVE-2006-2898: Denial of service in Asterisk (Closes: #380054)
Files: 

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)

iD8DBQFEyG4IoCzanz0IthIRAqcMAJoCP7J0j2IivR1dbh4yp9Qx1hQLRgCfVA/n
NVmgZwcHE+JcRjGzIMGF/Gs=
=ZVuc
-----END PGP SIGNATURE-----




Information forwarded to debian-bugs-dist@lists.debian.org, Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>:
Bug#380054; Package asterisk.


Acknowledgement sent to Martin Schulze <joey@infodrom.org>:
Extra info received and forwarded to list. Copy sent to Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>.


Message #20 received at 380054@bugs.debian.org:

From: Martin Schulze <joey@infodrom.org>
To: Mark Purcell <msp@debian.org>
Cc: 380054@bugs.debian.org
Subject: Re: Bug#380054: CVE-2006-2898: Denial of service in Asterisk
Date: Thu, 27 Jul 2006 14:52:39 +0200
Mark Purcell wrote:
> On Thursday 27 July 2006 07:34, Martin Schulze wrote:
> > The patch used for security is attached.
> 
> Thanks Joey,
> 
> In asterisk 1.2.10 half of that patch is already applied upstream.
> 
> I have applied the other half and am in the process of uploading.

Great!

Regards,

	Joey


-- 
It's time to close the windows.

Please always Cc to me when replying to me on the lists.



Bug marked as fixed in version 1.0.7.dfsg.1-2sarge3, send any further explanations to Martin Schulze <joey@infodrom.org>. Request was from Filipus Klutiero <chealer@vif.com> to control@bugs.debian.org.


Severity set to `serious' from `grave'. Request was from Filipus Klutiero <chealer@vif.com> to control@bugs.debian.org.


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 25 Jun 2007 22:20:31 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 15:44:47 2019; Machine Name: buxtehude
