Debian Bug report logs - #651552
CVE-2011-4598: DoS

Reported by: Moritz Muehlenhoff <jmm@debian.org>

Date: Fri, 9 Dec 2011 20:48:02 UTC

Severity: grave

Tags: security

Fixed in versions asterisk/1:1.8.8.0~dfsg-1, asterisk/1:1.6.2.9-2+squeeze4, asterisk/1:1.4.21.2~dfsg-3+lenny6

Done: Tzafrir Cohen <tzafrir@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>:
Bug#651552; Package src:asterisk. (Fri, 09 Dec 2011 20:48:04 GMT)


Acknowledgement sent to Moritz Muehlenhoff <jmm@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>. (Fri, 09 Dec 2011 20:48:05 GMT)


Message #5 received at submit@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2011-4598: DoS
Date: Fri, 09 Dec 2011 21:47:04 +0100
Source: asterisk
Severity: grave
Tags: security

Please see http://downloads.asterisk.org/pub/security/AST-2011-014.html
This has been assigned CVE-2011-4598.

There's also http://downloads.asterisk.org/pub/security/AST-2011-013.html,
(CVE-2011-4597), which seems rather esoteric and can likely be ignored
for stable.

Cheers,
        Moritz

-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.0.0-2-amd64 (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash




Information forwarded to debian-bugs-dist@lists.debian.org, Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>:
Bug#651552; Package src:asterisk. (Sun, 11 Dec 2011 15:12:03 GMT)


Acknowledgement sent to Tzafrir Cohen <tzafrir.cohen@xorcom.com>:
Extra info received and forwarded to list. Copy sent to Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>. (Sun, 11 Dec 2011 15:12:03 GMT)


Message #10 received at 651552@bugs.debian.org:

From: Tzafrir Cohen <tzafrir.cohen@xorcom.com>
To: Moritz Muehlenhoff <jmm@debian.org>, 651552@bugs.debian.org
Subject: Re: Bug#651552: CVE-2011-4598: DoS
Date: Sun, 11 Dec 2011 17:09:21 +0200
On Fri, Dec 09, 2011 at 09:47:04PM +0100, Moritz Muehlenhoff wrote:
> Source: asterisk
> Severity: grave
> Tags: security
> 
> Please see http://downloads.asterisk.org/pub/security/AST-2011-014.html
> This has been assigned CVE-2011-4598.

What about the pending fixes for #630381 and #639821 ?

> 
> There's also http://downloads.asterisk.org/pub/security/AST-2011-013.html,
> (CVE-2011-4597), which seems rather esoteric and can likely be ignored
> for stable.

This configuration is actually rather common. The bug did not mention
it, but the fix included a patch that changes the default value of the
configuration and also adds a nasty warning if global value does not
match the peer/user entry.

-- 
               Tzafrir Cohen
icq#16849755              jabber:tzafrir.cohen@xorcom.com
+972-50-7952406           mailto:tzafrir.cohen@xorcom.com
http://www.xorcom.com  iax:guest@local.xorcom.com/tzafrir




Information forwarded to debian-bugs-dist@lists.debian.org, Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>:
Bug#651552; Package src:asterisk. (Sun, 18 Dec 2011 11:03:03 GMT)


Acknowledgement sent to Tzafrir Cohen <tzafrir.cohen@xorcom.com>:
Extra info received and forwarded to list. Copy sent to Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>. (Sun, 18 Dec 2011 11:03:05 GMT)


Message #15 received at 651552@bugs.debian.org:

From: Tzafrir Cohen <tzafrir.cohen@xorcom.com>
To: Moritz Muehlenhoff <jmm@debian.org>, 651552@bugs.debian.org
Subject: Re: Bug#651552: CVE-2011-4598: DoS
Date: Sun, 18 Dec 2011 12:58:03 +0200
On Sun, Dec 11, 2011 at 05:09:21PM +0200, Tzafrir Cohen wrote:
> On Fri, Dec 09, 2011 at 09:47:04PM +0100, Moritz Muehlenhoff wrote:
> > Source: asterisk
> > Severity: grave
> > Tags: security
> > 
> > Please see http://downloads.asterisk.org/pub/security/AST-2011-014.html
> > This has been assigned CVE-2011-4598.
> 
> What about the pending fixes for #630381 and #639821 ?

Ping?

Packages are pending in the pkg-voip SVN repo:

asterisk/trunk: 1:1.8.8.0~dfsg-1 (just released today)
asterisk/branches/squeeze: 1:1.6.2.9-2+squeeze4:
                           including those two fixes
asterisk/branches/lenny-security: 1:1.4.21.2~dfsg-3+lenny6
                                  Only the NAT issue

> 
> > 
> > There's also http://downloads.asterisk.org/pub/security/AST-2011-013.html,
> > (CVE-2011-4597), which seems rather esoteric and can likely be ignored
> > for stable.
> 
> This configuration is actually rather common. The bug did not mention
> it, but the fix included a patch that changes the default value of the
> configuration and also adds a nasty warning if global value does not
> match the peer/user entry.

I made the warnings slightly less horrible than Upstream's and added
an explanation in README.Debian. The sample sip.conf changed, but not
/etc/asterisk/sip.conf.

-- 
               Tzafrir Cohen
icq#16849755              jabber:tzafrir.cohen@xorcom.com
+972-50-7952406           mailto:tzafrir.cohen@xorcom.com
http://www.xorcom.com  iax:guest@local.xorcom.com/tzafrir
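
The message above lists one fixed package version per branch, matching the "Fixed in versions" line at the top of this report. The following is an added example (not Debian's or the Debian VoIP Team's code) that checks an installed asterisk version against those three versions. It reimplements dpkg's version ordering (epoch, then upstream, then Debian revision, with `~` sorting before everything, including the end of the string, which is why `1.8.8.0~dfsg-1` sorts below `1.8.8.0-1`) so that it runs anywhere; on a Debian host `dpkg --compare-versions` is the authoritative implementation. The suite keys and the sample installed versions in `main` are this example's own labels and constructed inputs.

```python
"""Check an installed Debian asterisk version against the fixed versions
recorded in Debian bug #651552.

Added example, not Debian's code. Reimplements dpkg's version comparison
(epoch, upstream, revision; '~' sorts before everything, even the end of
the string). On Debian itself, prefer `dpkg --compare-versions`.
"""
from typing import Tuple

# Fixed versions from the report's "Fixed in versions" line, keyed by the
# suite each upload targeted (suite names are this example's own labels).
FIXED_VERSIONS = {
    "lenny": "1:1.4.21.2~dfsg-3+lenny6",     # oldstable-security
    "squeeze": "1:1.6.2.9-2+squeeze4",       # stable-security
    "unstable": "1:1.8.8.0~dfsg-1",          # unstable
}


def split_version(version: str) -> Tuple[int, str, str]:
    """Split '[epoch:]upstream[-revision]' like dpkg: the revision is what
    follows the *last* '-'; a missing revision is '' (dpkg treats it as 0)."""
    epoch, rest = 0, version
    if ":" in rest:
        epoch_str, rest = rest.split(":", 1)
        epoch = int(epoch_str)
    upstream, revision = rest, ""
    if "-" in rest:
        upstream, revision = rest.rsplit("-", 1)
    return epoch, upstream, revision


def _order(ch: str) -> int:
    """dpkg's character weight: '~' < end-of-string/digit < letters < others."""
    if ch == "~":
        return -1
    if ch.isdigit():
        return 0
    if ch.isalpha():
        return ord(ch)
    return ord(ch) + 256


def _verrevcmp(a: str, b: str) -> int:
    """Compare one component dpkg-style: alternate non-digit runs (by _order)
    and digit runs (numerically, leading zeros ignored). Returns <0, 0, >0."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():
            return 1           # a has more significant digits than b
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def compare_versions(a: str, b: str) -> int:
    """Full Debian version comparison: epoch, then upstream, then revision."""
    ea, ua, ra = split_version(a)
    eb, ub, rb = split_version(b)
    if ea != eb:
        return ea - eb
    result = _verrevcmp(ua, ub)
    if result:
        return result
    return _verrevcmp(ra, rb)


def is_fixed(installed: str, suite: str) -> bool:
    """True when `installed` is at or beyond the fixed version for `suite`."""
    return compare_versions(installed, FIXED_VERSIONS[suite]) >= 0


if __name__ == "__main__":
    # Constructed inputs; on a host use: dpkg-query -W -f='${Version}' asterisk
    for suite, installed in [("squeeze", "1:1.6.2.9-2+squeeze3"),
                             ("squeeze", "1:1.6.2.9-2+squeeze4"),
                             ("unstable", "1:1.8.7.1~dfsg-1")]:
        state = "fixed" if is_fixed(installed, suite) else "VULNERABLE"
        print(f"{suite:9} {installed:28} {state}")
```

The branch must be chosen by the caller: a squeeze host compared against the unstable version would always look vulnerable, because `1.6.2.9` is below `1.8.8.0` regardless of the security revision.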




Information forwarded to debian-bugs-dist@lists.debian.org, Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>:
Bug#651552; Package src:asterisk. (Sun, 18 Dec 2011 17:48:06 GMT)


Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>. (Sun, 18 Dec 2011 17:48:07 GMT)


Message #20 received at 651552@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Tzafrir Cohen <tzafrir.cohen@xorcom.com>
Cc: Moritz Muehlenhoff <jmm@debian.org>, 651552@bugs.debian.org
Subject: Re: Bug#651552: CVE-2011-4598: DoS
Date: Sun, 18 Dec 2011 18:44:39 +0100
On Sun, Dec 18, 2011 at 12:58:03PM +0200, Tzafrir Cohen wrote:
> On Sun, Dec 11, 2011 at 05:09:21PM +0200, Tzafrir Cohen wrote:
> > On Fri, Dec 09, 2011 at 09:47:04PM +0100, Moritz Muehlenhoff wrote:
> > > Source: asterisk
> > > Severity: grave
> > > Tags: security
> > > 
> > > Please see http://downloads.asterisk.org/pub/security/AST-2011-014.html
> > > This has been assigned CVE-2011-4598.
> > 
> > What about the pending fixes for #630381 and #639821 ?
> 
> Ping?

We already gave you a "go ahead, include these fixes and upload
to security-master" a few days ago.

Cheers,
        Moritz




Reply sent to Tzafrir Cohen <tzafrir@debian.org>:
You have taken responsibility. (Sun, 18 Dec 2011 21:21:11 GMT)


Notification sent to Moritz Muehlenhoff <jmm@debian.org>:
Bug acknowledged by developer. (Sun, 18 Dec 2011 21:21:11 GMT)


Message #25 received at 651552-close@bugs.debian.org:

From: Tzafrir Cohen <tzafrir@debian.org>
To: 651552-close@bugs.debian.org
Subject: Bug#651552: fixed in asterisk 1:1.8.8.0~dfsg-1
Date: Sun, 18 Dec 2011 21:17:44 +0000
Source: asterisk
Source-Version: 1:1.8.8.0~dfsg-1

We believe that the bug you reported is fixed in the latest version of
asterisk, which is due to be installed in the Debian FTP archive:

asterisk-config_1.8.8.0~dfsg-1_all.deb
  to main/a/asterisk/asterisk-config_1.8.8.0~dfsg-1_all.deb
asterisk-dahdi_1.8.8.0~dfsg-1_amd64.deb
  to main/a/asterisk/asterisk-dahdi_1.8.8.0~dfsg-1_amd64.deb
asterisk-dbg_1.8.8.0~dfsg-1_amd64.deb
  to main/a/asterisk/asterisk-dbg_1.8.8.0~dfsg-1_amd64.deb
asterisk-dev_1.8.8.0~dfsg-1_all.deb
  to main/a/asterisk/asterisk-dev_1.8.8.0~dfsg-1_all.deb
asterisk-doc_1.8.8.0~dfsg-1_all.deb
  to main/a/asterisk/asterisk-doc_1.8.8.0~dfsg-1_all.deb
asterisk-mobile_1.8.8.0~dfsg-1_amd64.deb
  to main/a/asterisk/asterisk-mobile_1.8.8.0~dfsg-1_amd64.deb
asterisk-modules_1.8.8.0~dfsg-1_amd64.deb
  to main/a/asterisk/asterisk-modules_1.8.8.0~dfsg-1_amd64.deb
asterisk-mp3_1.8.8.0~dfsg-1_amd64.deb
  to main/a/asterisk/asterisk-mp3_1.8.8.0~dfsg-1_amd64.deb
asterisk-mysql_1.8.8.0~dfsg-1_amd64.deb
  to main/a/asterisk/asterisk-mysql_1.8.8.0~dfsg-1_amd64.deb
asterisk-ooh423_1.8.8.0~dfsg-1_amd64.deb
  to main/a/asterisk/asterisk-ooh423_1.8.8.0~dfsg-1_amd64.deb
asterisk-voicemail-imapstorage_1.8.8.0~dfsg-1_amd64.deb
  to main/a/asterisk/asterisk-voicemail-imapstorage_1.8.8.0~dfsg-1_amd64.deb
asterisk-voicemail-odbcstorage_1.8.8.0~dfsg-1_amd64.deb
  to main/a/asterisk/asterisk-voicemail-odbcstorage_1.8.8.0~dfsg-1_amd64.deb
asterisk-voicemail_1.8.8.0~dfsg-1_amd64.deb
  to main/a/asterisk/asterisk-voicemail_1.8.8.0~dfsg-1_amd64.deb
asterisk_1.8.8.0~dfsg-1.debian.tar.gz
  to main/a/asterisk/asterisk_1.8.8.0~dfsg-1.debian.tar.gz
asterisk_1.8.8.0~dfsg-1.dsc
  to main/a/asterisk/asterisk_1.8.8.0~dfsg-1.dsc
asterisk_1.8.8.0~dfsg-1_amd64.deb
  to main/a/asterisk/asterisk_1.8.8.0~dfsg-1_amd64.deb
asterisk_1.8.8.0~dfsg.orig.tar.gz
  to main/a/asterisk/asterisk_1.8.8.0~dfsg.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 651552@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Tzafrir Cohen <tzafrir@debian.org> (supplier of updated asterisk package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sun, 18 Dec 2011 00:50:02 +0200
Source: asterisk
Binary: asterisk asterisk-modules asterisk-dahdi asterisk-voicemail asterisk-voicemail-imapstorage asterisk-voicemail-odbcstorage asterisk-ooh423 asterisk-mp3 asterisk-mysql asterisk-mobile asterisk-doc asterisk-dev asterisk-dbg asterisk-config
Architecture: source all amd64
Version: 1:1.8.8.0~dfsg-1
Distribution: unstable
Urgency: high
Maintainer: Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>
Changed-By: Tzafrir Cohen <tzafrir@debian.org>
Description: 
 asterisk   - Open Source Private Branch Exchange (PBX)
 asterisk-config - Configuration files for Asterisk
 asterisk-dahdi - DAHDI devices support for the Asterisk PBX
 asterisk-dbg - Debugging symbols for Asterisk
 asterisk-dev - Development files for Asterisk
 asterisk-doc - Source code documentation for Asterisk
 asterisk-mobile - Bluetooth phone support for the Asterisk PBX
 asterisk-modules - loadable modules for the Asterisk PBX
 asterisk-mp3 - MP3 playback support for the Asterisk PBX
 asterisk-mysql - MySQL database protocol support for the Asterisk PBX
 asterisk-ooh423 - H.323 protocol support for the Asterisk PBX - ooH323c
 asterisk-voicemail - simple voicemail support for the Asterisk PBX
 asterisk-voicemail-imapstorage - IMAP voicemail storage support for the Asterisk PBX
 asterisk-voicemail-odbcstorage - ODBC voicemail storage support for the Asterisk PBX
Closes: 651552
Changes: 
 asterisk (1:1.8.8.0~dfsg-1) unstable; urgency=high
 .
   [ Faidon Liambotis ]
   * Fix Breaks/Conflicts to contain the epoch.
   * Urgency high since this resulted in file conflicts when upgrading from
     stable.
   * Patch reenable-pri-optional: Backport a patch from upstream to fix
     several PRI features being compiled-out and hence disabled.
   * Bump libpri-dev dependency to 1.4.12; it is not strictly needed but extra
     functionality is enabled at build-time.
 .
   [ Tzafrir Cohen ]
   * New upstream release. Closes: #651552.
     - Patch reenable-pri-optional dropped: included upstream.
   * Officially remove asterisk-h423:
     - Break older versions, as it did not have a versioned Depends before.
     - Remove the package.
   * Update watch file to only check for 1.8.x tarballs.
Checksums-Sha1: 
 7530e589a6abe16c8416adbec2c00e843753821d 2990 asterisk_1.8.8.0~dfsg-1.dsc
 f9924b49a80106359673311f1cc9239d61ee2d56 7570306 asterisk_1.8.8.0~dfsg.orig.tar.gz
 ef597cc35ff9e4584b7964725465d577ea359c4c 348078 asterisk_1.8.8.0~dfsg-1.debian.tar.gz
 260528634f152bd8bfdce7cf7575a3fc4883f779 1911838 asterisk-doc_1.8.8.0~dfsg-1_all.deb
 14a361ff5380226165e682399f223bd81a6e3114 875334 asterisk-dev_1.8.8.0~dfsg-1_all.deb
 7d4d2866412602489ebb8474822cb2b4ca305ec6 926664 asterisk-config_1.8.8.0~dfsg-1_all.deb
 ed521480010cd191227f13ec412a6a6219626d78 1660036 asterisk_1.8.8.0~dfsg-1_amd64.deb
 e3af680d4c50f59f83009ae9a92e6d5a439bf3b7 2708132 asterisk-modules_1.8.8.0~dfsg-1_amd64.deb
 e7c8c2b9bcb4ba1099b60b064b1deef42ff54f40 837726 asterisk-dahdi_1.8.8.0~dfsg-1_amd64.deb
 75995ba741c1244acd4037fb7dece7fe193f099f 613882 asterisk-voicemail_1.8.8.0~dfsg-1_amd64.deb
 1ab6d03fa549987c8dba9b7772134b3b7afb2787 628874 asterisk-voicemail-imapstorage_1.8.8.0~dfsg-1_amd64.deb
 3fb9bb310b3a79076eb5b49eb1473e68c4f56689 620016 asterisk-voicemail-odbcstorage_1.8.8.0~dfsg-1_amd64.deb
 2589f4d0cc7ee684e8e8c68ea72485f838924333 952234 asterisk-ooh423_1.8.8.0~dfsg-1_amd64.deb
 2429e1ecb81c5096ad839e14f68e74cf2ea735b8 554812 asterisk-mp3_1.8.8.0~dfsg-1_amd64.deb
 de5b88d8ea3e5bad84315b5b5789acb8b3ce7ca3 578360 asterisk-mysql_1.8.8.0~dfsg-1_amd64.deb
 77539a82fba8f7c437324dda567907c72b302bb8 568064 asterisk-mobile_1.8.8.0~dfsg-1_amd64.deb
 81b0f12ec0fcf0f0b32340da897d71c19191edff 28869826 asterisk-dbg_1.8.8.0~dfsg-1_amd64.deb
Checksums-Sha256: 
 c09c7608c4df52ee793b41b363b536b50d29e8117908250fb2bd293433e2a483 2990 asterisk_1.8.8.0~dfsg-1.dsc
 570967003effe25c7362ad4d5558ac951f54993e19ca97347507eaf777e1139d 7570306 asterisk_1.8.8.0~dfsg.orig.tar.gz
 9f73c4627a4257980c7cdb0231d743319bead6fb9cc6f82a922d7759c6c0e136 348078 asterisk_1.8.8.0~dfsg-1.debian.tar.gz
 02209c9a0063781ce6073bda9bb9746c9a493e561421d7b26524a7098bcdfc3a 1911838 asterisk-doc_1.8.8.0~dfsg-1_all.deb
 38499dac91bd24e990f9a8f154f92c1878da4312fc328ef6b90a711ab8aaeb38 875334 asterisk-dev_1.8.8.0~dfsg-1_all.deb
 b2311b95f419baf9ecbe28851f1ba0f99d7c5ba8b3a20896016cfc04dad208c0 926664 asterisk-config_1.8.8.0~dfsg-1_all.deb
 b23d0acf290ed281cf14132beaafd51976864ce93d2774b738cb1584ab567d36 1660036 asterisk_1.8.8.0~dfsg-1_amd64.deb
 41bf3ec367636241b7a2cdd1a34c4379f90728b6110f0aa813afc73d4efa9246 2708132 asterisk-modules_1.8.8.0~dfsg-1_amd64.deb
 4459e2224e192292d4f3a6b43929a68a5f44b335b102e9c5c2437bbc749f6a71 837726 asterisk-dahdi_1.8.8.0~dfsg-1_amd64.deb
 9de7f5f8c19459bf045efbea79ee3112a7da10d6aa79f8f4f4593aca1e03c74e 613882 asterisk-voicemail_1.8.8.0~dfsg-1_amd64.deb
 4b0efaf1efe6f0364fa5dbf05059d2704f473715aef5a83bef740a7824d3a251 628874 asterisk-voicemail-imapstorage_1.8.8.0~dfsg-1_amd64.deb
 b295cee55ceeea9e592392b3dba443066e1b27c466c4688cad0057722bfbe7e8 620016 asterisk-voicemail-odbcstorage_1.8.8.0~dfsg-1_amd64.deb
 f5a6a1e5fb17169531af0793e85ad77bfe44e507f9558b5627219bd93a3050c1 952234 asterisk-ooh423_1.8.8.0~dfsg-1_amd64.deb
 b0ccdcfaef0f39b72570088a88fc752749c4e708f2953f66dbe52f3c6fd761e0 554812 asterisk-mp3_1.8.8.0~dfsg-1_amd64.deb
 65f25434db4318d4e0ea6a9cf5aa58195e571b4de2906ac36e12541466dc2c2d 578360 asterisk-mysql_1.8.8.0~dfsg-1_amd64.deb
 ee497ecba0be4a6851db3b3f6e3e32f446ff57717bae19bf447cec0696add645 568064 asterisk-mobile_1.8.8.0~dfsg-1_amd64.deb
 0be77ab53e86e5e9c8f14c1c7bcd077c999ff17fbe65ed0814a8e3098e5f60cf 28869826 asterisk-dbg_1.8.8.0~dfsg-1_amd64.deb
Files: 
 e2c6f63f7ff6a015c7da5ce8255d8a0b 2990 comm optional asterisk_1.8.8.0~dfsg-1.dsc
 95af701dba79cdda8fce2a3cf878525c 7570306 comm optional asterisk_1.8.8.0~dfsg.orig.tar.gz
 9c0587f89a6f0f2e217a9dc25f5b93db 348078 comm optional asterisk_1.8.8.0~dfsg-1.debian.tar.gz
 b0dd604caf4a305bd72b64e04f377302 1911838 doc extra asterisk-doc_1.8.8.0~dfsg-1_all.deb
 5fb18dc83965818cbbc8c50d61b28c0d 875334 devel extra asterisk-dev_1.8.8.0~dfsg-1_all.deb
 3af427a2200d1c8e0b4a30a424fb638d 926664 comm optional asterisk-config_1.8.8.0~dfsg-1_all.deb
 1f039a5f55521975ad2a93b5d02f7e4d 1660036 comm optional asterisk_1.8.8.0~dfsg-1_amd64.deb
 b78b1c5a19e445fbfe4f8d31e173146e 2708132 libs optional asterisk-modules_1.8.8.0~dfsg-1_amd64.deb
 fe38e8a00cdbfc7de5564d1e7b145269 837726 comm optional asterisk-dahdi_1.8.8.0~dfsg-1_amd64.deb
 cd6d273d49879a94d331581cfd5515c1 613882 comm optional asterisk-voicemail_1.8.8.0~dfsg-1_amd64.deb
 bc30f1378c7c7f10b3f9174475cec337 628874 comm optional asterisk-voicemail-imapstorage_1.8.8.0~dfsg-1_amd64.deb
 44598b85fe47282fd82d7bdc5bb721a1 620016 comm optional asterisk-voicemail-odbcstorage_1.8.8.0~dfsg-1_amd64.deb
 635a9132f7461157e5e50f82fe2c28dc 952234 comm optional asterisk-ooh423_1.8.8.0~dfsg-1_amd64.deb
 1163ce923ac39b7fdf2bf6b0f1a0c60a 554812 comm optional asterisk-mp3_1.8.8.0~dfsg-1_amd64.deb
 197666cff6b43f6d57a3968a1a7ebf60 578360 comm optional asterisk-mysql_1.8.8.0~dfsg-1_amd64.deb
 8049936f86a523fabfca95ad6f2f4800 568064 comm optional asterisk-mobile_1.8.8.0~dfsg-1_amd64.deb
 6322cfb753b98e501dcdb551fd6c5407 28869826 debug extra asterisk-dbg_1.8.8.0~dfsg-1_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAk7uR7wACgkQxArWdkN9MouRfACcDebUOFOKrWZqTt931n5XNBQb
BRwAoKlV0I+ztyS7nCm+UQWcqERDgElu
=gq3c
-----END PGP SIGNATURE-----





Reply sent to Tzafrir Cohen <tzafrir@debian.org>:
You have taken responsibility. (Mon, 19 Dec 2011 20:03:13 GMT)


Notification sent to Moritz Muehlenhoff <jmm@debian.org>:
Bug acknowledged by developer. (Mon, 19 Dec 2011 20:03:13 GMT)


Message #30 received at 651552-close@bugs.debian.org:

From: Tzafrir Cohen <tzafrir@debian.org>
To: 651552-close@bugs.debian.org
Subject: Bug#651552: fixed in asterisk 1:1.6.2.9-2+squeeze4
Date: Mon, 19 Dec 2011 20:02:30 +0000
Source: asterisk
Source-Version: 1:1.6.2.9-2+squeeze4

We believe that the bug you reported is fixed in the latest version of
asterisk, which is due to be installed in the Debian FTP archive:

asterisk-config_1.6.2.9-2+squeeze4_all.deb
  to main/a/asterisk/asterisk-config_1.6.2.9-2+squeeze4_all.deb
asterisk-dbg_1.6.2.9-2+squeeze4_amd64.deb
  to main/a/asterisk/asterisk-dbg_1.6.2.9-2+squeeze4_amd64.deb
asterisk-dev_1.6.2.9-2+squeeze4_all.deb
  to main/a/asterisk/asterisk-dev_1.6.2.9-2+squeeze4_all.deb
asterisk-doc_1.6.2.9-2+squeeze4_all.deb
  to main/a/asterisk/asterisk-doc_1.6.2.9-2+squeeze4_all.deb
asterisk-h423_1.6.2.9-2+squeeze4_amd64.deb
  to main/a/asterisk/asterisk-h423_1.6.2.9-2+squeeze4_amd64.deb
asterisk-sounds-main_1.6.2.9-2+squeeze4_all.deb
  to main/a/asterisk/asterisk-sounds-main_1.6.2.9-2+squeeze4_all.deb
asterisk_1.6.2.9-2+squeeze4.debian.tar.gz
  to main/a/asterisk/asterisk_1.6.2.9-2+squeeze4.debian.tar.gz
asterisk_1.6.2.9-2+squeeze4.dsc
  to main/a/asterisk/asterisk_1.6.2.9-2+squeeze4.dsc
asterisk_1.6.2.9-2+squeeze4_amd64.deb
  to main/a/asterisk/asterisk_1.6.2.9-2+squeeze4_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 651552@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Tzafrir Cohen <tzafrir@debian.org> (supplier of updated asterisk package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sun, 18 Dec 2011 22:20:47 +0200
Source: asterisk
Binary: asterisk asterisk-h423 asterisk-doc asterisk-dev asterisk-dbg asterisk-sounds-main asterisk-config
Architecture: source all amd64
Version: 1:1.6.2.9-2+squeeze4
Distribution: stable-security
Urgency: high
Maintainer: Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>
Changed-By: Tzafrir Cohen <tzafrir@debian.org>
Description: 
 asterisk   - Open Source Private Branch Exchange (PBX)
 asterisk-config - Configuration files for Asterisk
 asterisk-dbg - Debugging symbols for Asterisk
 asterisk-dev - Development files for Asterisk
 asterisk-doc - Source code documentation for Asterisk
 asterisk-h423 - H.323 protocol support for Asterisk
 asterisk-sounds-main - Core Sound files for Asterisk (English)
Closes: 630381 639821 651552
Changes: 
 asterisk (1:1.6.2.9-2+squeeze4) stable-security; urgency=high
 .
   [ Kilian Krause ]
   * Fix sporadic segfault in chan_sip.so (Closes: #630381).
 .
   [ Tzafrir Cohen ]
   * Patch fix_bridging_crash: segfault in bridging API (Closes: #639821).
   * README.Debian: clarify datadir paths (regarding #628415).
   * Patch AST-2011-014 (CVE-2011-4598) - Remote crash possibility with
     SIP and the “automon” feature enabled. Closes: #651552
     (inapplicable to Lenny).
   * Patch AST-2011-013 (CVE-2011-4597): potential remote information
     disclosure.
     - The patch changes the sample sip.conf. We change the sample
       config files, but not the files under /etc/asterisk.
Checksums-Sha1: 
 c5be337343bf1fdfc8537dcace620a506f5b404e 2219 asterisk_1.6.2.9-2+squeeze4.dsc
 88f09f46696d76da3182a621f2a0435ab6d31096 92986 asterisk_1.6.2.9-2+squeeze4.debian.tar.gz
 1a5f23d762ac55252ce1fb3c2cc5c7be6fb218cb 1704434 asterisk-doc_1.6.2.9-2+squeeze4_all.deb
 c0f8b0b083a6bde1bfe58403c9c2d4c14f778be4 635882 asterisk-dev_1.6.2.9-2+squeeze4_all.deb
 cc5b431cd1cb8e02545cc2dbef33be9901aec3f1 2187236 asterisk-sounds-main_1.6.2.9-2+squeeze4_all.deb
 7e5c42adcdc008acc729abf11cc6695eb1517321 716800 asterisk-config_1.6.2.9-2+squeeze4_all.deb
 ce74fb801fa9462b907a6ab1edc65e1264f6165b 3600274 asterisk_1.6.2.9-2+squeeze4_amd64.deb
 3cb43aca14d2792fe608baa44222c26cab15dd67 533538 asterisk-h423_1.6.2.9-2+squeeze4_amd64.deb
 64df681c09d2b41429a87831bff17496f12a0e90 20323722 asterisk-dbg_1.6.2.9-2+squeeze4_amd64.deb
Checksums-Sha256: 
 8edc53fc1ae66a12b81de36495f3b2d073ffd29b52d88102d64b05cde03334f2 2219 asterisk_1.6.2.9-2+squeeze4.dsc
 108b43cf9ee6ed135b3c3660dad8a3a972ed5520c3f80954841d2b4eef83de7c 92986 asterisk_1.6.2.9-2+squeeze4.debian.tar.gz
 49c05e837dce65f31aa367a884924bdcc9ca15b7487536bf7a5fa9d0d0a528d3 1704434 asterisk-doc_1.6.2.9-2+squeeze4_all.deb
 38a00056fddc169820cb1326e3ed48dd01f1466eb0115050a412f36e29702058 635882 asterisk-dev_1.6.2.9-2+squeeze4_all.deb
 e807ce19cca37f85cf9fabeb6804b2458465bc5cb96cd81427c535e7e4616ae6 2187236 asterisk-sounds-main_1.6.2.9-2+squeeze4_all.deb
 c13c563301c26b6c59b2825ec642196d39d67c9a4481cfc7d5dbd343b0632fbd 716800 asterisk-config_1.6.2.9-2+squeeze4_all.deb
 32d7a8e2cee32753020dc004631d90406594d48de4ef31b45aae45b89dc434d0 3600274 asterisk_1.6.2.9-2+squeeze4_amd64.deb
 a7b765b0480f0580d105f2fa0b858ebd60e4f1260066a7dd2f369f3e1828e227 533538 asterisk-h423_1.6.2.9-2+squeeze4_amd64.deb
 0fd3fc457bca9b99cce2269c745f59ddb53832fa0845c8deb90eca86d4ec6cc8 20323722 asterisk-dbg_1.6.2.9-2+squeeze4_amd64.deb
Files: 
 7d31f0a8254adf13750a1ed3440ddebd 2219 comm optional asterisk_1.6.2.9-2+squeeze4.dsc
 dfda06362d8880bbaab581932edd3f1d 92986 comm optional asterisk_1.6.2.9-2+squeeze4.debian.tar.gz
 10e021696fed0f30ef1fad8b4c835026 1704434 doc extra asterisk-doc_1.6.2.9-2+squeeze4_all.deb
 3145d8355ab47827aecb98460063f89c 635882 devel extra asterisk-dev_1.6.2.9-2+squeeze4_all.deb
 31adf6056c340d91cb12b1a181700308 2187236 comm optional asterisk-sounds-main_1.6.2.9-2+squeeze4_all.deb
 d40fc4a55901e88b07718d3ad49e27a0 716800 comm optional asterisk-config_1.6.2.9-2+squeeze4_all.deb
 847ec58aaaf81f3ecc6cc7e3a0ffed9f 3600274 comm optional asterisk_1.6.2.9-2+squeeze4_amd64.deb
 6bfd8e7564ee69faf143957dc7951728 533538 comm optional asterisk-h423_1.6.2.9-2+squeeze4_amd64.deb
 5f0518d65743311bdd8d0ace474ed559 20323722 debug extra asterisk-dbg_1.6.2.9-2+squeeze4_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAk7uVm0ACgkQxArWdkN9Mou0TQCgwAInyq1rGo94zXheC/OoQot0
+McAoJPlI8ydF6aI1tgEDaR/55Mipdcj
=TwRa
-----END PGP SIGNATURE-----





Information forwarded to debian-bugs-dist@lists.debian.org, Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>:
Bug#651552; Package src:asterisk. (Mon, 19 Dec 2011 21:57:03 GMT)


Acknowledgement sent to Tzafrir Cohen <tzafrir.cohen@xorcom.com>:
Extra info received and forwarded to list. Copy sent to Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>. (Mon, 19 Dec 2011 21:57:03 GMT)


Message #35 received at 651552@bugs.debian.org:

From: Tzafrir Cohen <tzafrir.cohen@xorcom.com>
To: 651552@bugs.debian.org
Subject: Re: Bug#651552: CVE-2011-4598: DoS
Date: Mon, 19 Dec 2011 23:55:27 +0200
For the record (regarding the SIP nat issue alone):

Asterisk 1.6.2.22 was just released:

The release of Asterisk 1.6.2.22 corrects two flaws in sip.conf.sample
related to AST-2011-013:

* The sample file listed *two* values for the 'nat' option as being
  the default. Only 'yes' is the default.

* The warning about having differing 'nat' settings confusingly
  referred to both peers and users.



That said, I hope that what I wrote on README.Debian was clear enough,
regardless of the slightly confusing config file. Their warning was
completely reworded.

-- 
               Tzafrir Cohen
icq#16849755              jabber:tzafrir.cohen@xorcom.com
+972-50-7952406           mailto:tzafrir.cohen@xorcom.com
http://www.xorcom.com  iax:guest@local.xorcom.com/tzafrir
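
Messages #10 and #35 above describe what the AST-2011-013 fix does to configuration: it changes the documented default of the SIP `nat` option (only `yes` is the default, per the 1.6.2.22 correction) and warns at load time when a peer/user entry's `nat` differs from the global value. The following is an added example, not Asterisk's or the Debian package's code, that performs the same comparison offline against a `sip.conf`, so an operator can review a configuration before upgrading rather than discovering the warnings in the log afterwards. It assumes (as stated in message #35) that the default `nat` is `yes` when `[general]` sets none, treats sections with `type=peer`, `user` or `friend` as the SIP entries, and uses a constructed sample configuration; it mirrors the comparison the thread describes, not chan_sip's exact code path.

```python
"""Report SIP entries whose effective 'nat' setting differs from [general].

Added example, not Asterisk or Debian code. Performs offline the comparison
that messages #10 and #35 of Debian bug #651552 describe the AST-2011-013
fix adding at load time.
"""
import re
from typing import Dict, List, Optional, Tuple

# Assumption from message #35: the documented default for 'nat' is 'yes'.
DEFAULT_NAT = "yes"

_SECTION_RE = re.compile(r"^\[([^\]]+)\](?:\(([^)]*)\))?$")
_KV_RE = re.compile(r"^([^=]+?)\s*=>?\s*(.*)$")   # 'key=value' and 'key => value'


def parse_sip_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Parse Asterisk's INI-style config into {section: {key: value}}.

    Handles ';' comments, '[name](!)' templates and '[name](tmpl1,tmpl2)'
    inheritance. Templates are expanded into their children, not returned.
    """
    sections: Dict[str, Dict[str, str]] = {}
    templates: Dict[str, Dict[str, str]] = {}
    current: Optional[Dict[str, str]] = None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        sec = _SECTION_RE.match(line)
        if sec:
            name, flags = sec.group(1), sec.group(2) or ""
            parents = [f.strip() for f in flags.split(",") if f.strip()]
            values: Dict[str, str] = {}
            for parent in parents:
                if parent != "!":
                    values.update(templates.get(parent, {}))
            (templates if "!" in parents else sections)[name] = values
            current = values
            continue
        kv = _KV_RE.match(line)
        if current is None or not kv:
            continue           # e.g. '#include' lines or text before any section
        current[kv.group(1).strip().lower()] = kv.group(2).strip()
    return sections


def nat_mismatches(text: str) -> List[Tuple[str, str, str]]:
    """Return (entry, entry_nat, global_nat) for each peer/user/friend whose
    effective 'nat' (own value, else the global one) differs from [general]."""
    sections = parse_sip_conf(text)
    global_nat = sections.get("general", {}).get("nat", DEFAULT_NAT).lower()
    findings = []
    for name, values in sections.items():
        if name in ("general", "authentication"):
            continue
        if values.get("type", "").lower() not in ("peer", "user", "friend"):
            continue
        entry_nat = values.get("nat", global_nat).lower()
        if entry_nat != global_nat:
            findings.append((name, entry_nat, global_nat))
    return findings


# Constructed sample sip.conf (not taken from any real deployment).
SAMPLE_SIP_CONF = """\
[general]
context=default
nat=yes                 ; global setting

[office](!)             ; template
type=friend
host=dynamic

[alice](office)
secret=alice-pass       ; inherits nat from [general]: consistent

[bob](office)
secret=bob-pass
nat=no                  ; differs from [general]

[trunk]
type=peer
host=sip.example.net    ; constructed hostname
nat=force_rport,comedia ; differs from [general]
"""

if __name__ == "__main__":
    for entry, entry_nat, global_nat in nat_mismatches(SAMPLE_SIP_CONF):
        print(f"WARNING: [{entry}] nat={entry_nat} differs from [general] nat={global_nat}")
```

Run it against `/etc/asterisk/sip.conf` (the file the Debian update deliberately leaves untouched) by reading the file into `nat_mismatches`; every entry it reports is one the patched Asterisk will warn about at load time, and the remedy is to make the entry and the global value agree rather than to silence the warning.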




Reply sent to Tzafrir Cohen <tzafrir@debian.org>:
You have taken responsibility. (Mon, 26 Dec 2011 13:57:05 GMT)


Notification sent to Moritz Muehlenhoff <jmm@debian.org>:
Bug acknowledged by developer. (Mon, 26 Dec 2011 13:57:06 GMT)


Message #40 received at 651552-close@bugs.debian.org:

From: Tzafrir Cohen <tzafrir@debian.org>
To: 651552-close@bugs.debian.org
Subject: Bug#651552: fixed in asterisk 1:1.4.21.2~dfsg-3+lenny6
Date: Mon, 26 Dec 2011 13:55:53 +0000
Source: asterisk
Source-Version: 1:1.4.21.2~dfsg-3+lenny6

We believe that the bug you reported is fixed in the latest version of
asterisk, which is due to be installed in the Debian FTP archive:

asterisk-config_1.4.21.2~dfsg-3+lenny6_all.deb
  to main/a/asterisk/asterisk-config_1.4.21.2~dfsg-3+lenny6_all.deb
asterisk-dbg_1.4.21.2~dfsg-3+lenny6_amd64.deb
  to main/a/asterisk/asterisk-dbg_1.4.21.2~dfsg-3+lenny6_amd64.deb
asterisk-dev_1.4.21.2~dfsg-3+lenny6_all.deb
  to main/a/asterisk/asterisk-dev_1.4.21.2~dfsg-3+lenny6_all.deb
asterisk-doc_1.4.21.2~dfsg-3+lenny6_all.deb
  to main/a/asterisk/asterisk-doc_1.4.21.2~dfsg-3+lenny6_all.deb
asterisk-h423_1.4.21.2~dfsg-3+lenny6_amd64.deb
  to main/a/asterisk/asterisk-h423_1.4.21.2~dfsg-3+lenny6_amd64.deb
asterisk-sounds-main_1.4.21.2~dfsg-3+lenny6_all.deb
  to main/a/asterisk/asterisk-sounds-main_1.4.21.2~dfsg-3+lenny6_all.deb
asterisk_1.4.21.2~dfsg-3+lenny6.diff.gz
  to main/a/asterisk/asterisk_1.4.21.2~dfsg-3+lenny6.diff.gz
asterisk_1.4.21.2~dfsg-3+lenny6.dsc
  to main/a/asterisk/asterisk_1.4.21.2~dfsg-3+lenny6.dsc
asterisk_1.4.21.2~dfsg-3+lenny6_amd64.deb
  to main/a/asterisk/asterisk_1.4.21.2~dfsg-3+lenny6_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 651552@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Tzafrir Cohen <tzafrir@debian.org> (supplier of updated asterisk package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sun, 18 Dec 2011 22:12:00 +0200
Source: asterisk
Binary: asterisk asterisk-h423 asterisk-doc asterisk-dev asterisk-dbg asterisk-sounds-main asterisk-config
Architecture: source all amd64
Version: 1:1.4.21.2~dfsg-3+lenny6
Distribution: oldstable-security
Urgency: high
Maintainer: Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>
Changed-By: Tzafrir Cohen <tzafrir@debian.org>
Description: 
 asterisk   - Open Source Private Branch Exchange (PBX)
 asterisk-config - Configuration files for Asterisk
 asterisk-dbg - Debugging symbols for Asterisk
 asterisk-dev - Development files for Asterisk
 asterisk-doc - Source code documentation for Asterisk
 asterisk-h423 - H.323 protocol support for Asterisk
 asterisk-sounds-main - Core Sound files for Asterisk (English)
Closes: 651552
Changes: 
 asterisk (1:1.4.21.2~dfsg-3+lenny6) oldstable-security; urgency=high
 .
   * Patch AST-2011-013: potential remote information disclosure
     Closes: #651552 (CVE-2011-4597, the side issue. The DoS is
     inapplicable to Lenny).
     - The patch changes the sample sip.conf. We change the sample
       config files, but not the files under /etc/asterisk.
Checksums-Sha1: 
 26a6bd291ea1b3cf0dd21e787cb5a413d6609124 1991 asterisk_1.4.21.2~dfsg-3+lenny6.dsc
 daf9e3aa347d2aaebec3278e516e19fce50d0ad5 164896 asterisk_1.4.21.2~dfsg-3+lenny6.diff.gz
 3552a482aefe1cbefc4d27778afe9b5b38798fbf 33065480 asterisk-doc_1.4.21.2~dfsg-3+lenny6_all.deb
 b40ab3281999cac20aebe712da6d78140fe40fd4 429736 asterisk-dev_1.4.21.2~dfsg-3+lenny6_all.deb
 0c97b30c6daaebdc46c1a3cb588384e3251398c6 1900274 asterisk-sounds-main_1.4.21.2~dfsg-3+lenny6_all.deb
 391026beca1c811d7a4c6dc4b95377894a8c6492 485710 asterisk-config_1.4.21.2~dfsg-3+lenny6_all.deb
 ccba574f44b0a6bb16a52a3f598d690cfa049387 2625156 asterisk_1.4.21.2~dfsg-3+lenny6_amd64.deb
 4f8ad03de03345d082a310c728d4ab03aa7f1deb 398318 asterisk-h423_1.4.21.2~dfsg-3+lenny6_amd64.deb
 61f1de49d38fa5b85b33d84b941d4a46b7bb3b6c 13154410 asterisk-dbg_1.4.21.2~dfsg-3+lenny6_amd64.deb
Checksums-Sha256: 
 60f402246e21b9d5773acfcbef08de364f7f1362cd08d3f14734260cdf13841b 1991 asterisk_1.4.21.2~dfsg-3+lenny6.dsc
 23e062ab4e90e7fd6775b011400c5df1372153c0bb961a6b262c00dc0cd62a11 164896 asterisk_1.4.21.2~dfsg-3+lenny6.diff.gz
 8b403d5d51852091ad42a28b660823688329dec5ae2038073593494d96ada008 33065480 asterisk-doc_1.4.21.2~dfsg-3+lenny6_all.deb
 3907d70c264379b36b8db1c0286a4c148de66a2a52421383db70339cc5f41cf2 429736 asterisk-dev_1.4.21.2~dfsg-3+lenny6_all.deb
 5de6ed6cc043d18db9d8c87f3c65bf251af0b071ed5161206dfc918a7def938b 1900274 asterisk-sounds-main_1.4.21.2~dfsg-3+lenny6_all.deb
 636587f8124ab39387b035b40510a2fe92221addf16c0b285eb97eaf243719d7 485710 asterisk-config_1.4.21.2~dfsg-3+lenny6_all.deb
 97397e210078974e03c27a13a3b26c6e76c113d2d94f3583d4777339c79a6cd3 2625156 asterisk_1.4.21.2~dfsg-3+lenny6_amd64.deb
 dfd0225c6dc6bd4f9d8a1835f5b7e249578633b8de805829b31943924e742a6b 398318 asterisk-h423_1.4.21.2~dfsg-3+lenny6_amd64.deb
 79cfc2b0c7e8ea1cab93465b8185b0bfb3092d4392e5fdb68ff17566f0ccaffa 13154410 asterisk-dbg_1.4.21.2~dfsg-3+lenny6_amd64.deb
Files: 
 aea3f19cf3a3cda76ef17b13ad2cf9a3 1991 comm optional asterisk_1.4.21.2~dfsg-3+lenny6.dsc
 558003ff9c25dfc36552174950353d2d 164896 comm optional asterisk_1.4.21.2~dfsg-3+lenny6.diff.gz
 0722f88fb1e225fb8f9c86169af81480 33065480 doc extra asterisk-doc_1.4.21.2~dfsg-3+lenny6_all.deb
 913f4b9b748211eac8e963b33fe17902 429736 devel extra asterisk-dev_1.4.21.2~dfsg-3+lenny6_all.deb
 9a43a82e62ca2eff565efe672ec841e2 1900274 comm optional asterisk-sounds-main_1.4.21.2~dfsg-3+lenny6_all.deb
 cd3f646e443a714ff8a5f79fb5c2d7da 485710 comm optional asterisk-config_1.4.21.2~dfsg-3+lenny6_all.deb
 3d913844a0326b9b012cb942054f6b80 2625156 comm optional asterisk_1.4.21.2~dfsg-3+lenny6_amd64.deb
 bfcad2fdf79970564e9e899ee95ff4fc 398318 comm optional asterisk-h423_1.4.21.2~dfsg-3+lenny6_amd64.deb
 61e570a39433c5d1720fae0034253ee9 13154410 devel extra asterisk-dbg_1.4.21.2~dfsg-3+lenny6_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAk7uVLYACgkQxArWdkN9MovRkwCgkzk6Enl217JFwdVNY32YL2Sc
MvoAoJHgWL7iSO8ljjD07/WY6N4E+GhP
=OIzX
-----END PGP SIGNATURE-----





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 20 Feb 2012 07:40:19 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 15:47:28 2019