asterisk; AST-2011-009 - crash on malformed SIP packet

Related Vulnerabilities: CVE-2011-2529   CVE-2011-2535  

Debian Bug report logs - #631445

Reported by: Tzafrir Cohen <tzafrir@debian.org>

Date: Thu, 23 Jun 2011 22:51:01 UTC

Severity: grave

Tags: patch, security, upstream

Found in version asterisk/1:1.8.4.2-1

Fixed in version asterisk/1:1.8.4.3-1

Done: Tzafrir Cohen <tzafrir@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>: Bug#631445; Package asterisk. (Thu, 23 Jun 2011 22:51:04 GMT)


Acknowledgement sent to Tzafrir Cohen <tzafrir@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>. (Thu, 23 Jun 2011 22:51:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Tzafrir Cohen <tzafrir@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: asterisk; AST-2011-009 - crash on malformed SIP packet
Date: Fri, 24 Jun 2011 01:47:06 +0300
Package: asterisk
Version: 1:1.8.4.2-1
Severity: grave
Tags: security upstream patch
Justification: user security hole

A remote user sending a SIP packet containing a Contact header with a
missing left angle bracket (<) causes Asterisk to access a null pointer.

This applies only to Asterisk 1.8 in Wheezy/Sid and not to the versions
in Squeeze and in Lenny.

For more information, see 
http://downloads.asterisk.org/pub/security/AST-2011-009.html
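As an added example (not Asterisk's code, and not the upstream fix), here is how a Contact header parser avoids the crash class the report describes: the `<` is optional under RFC 3261, so a lookup for it can fail and must be checked before the result is used. The function name `parse_contact_uri` is hypothetical.

```c
/* Added example (not Asterisk's code): a defensive parser for the URI
 * part of a SIP Contact header. RFC 3261 allows both the bracketed form
 *   Contact: "Bob" <sip:bob@example.com>;expires=3600
 * and the bare form
 *   Contact: sip:bob@example.com
 * A parser that assumes the '<' is present, e.g.
 *   start = strchr(hdr, '<'); end = strchr(start + 1, '>');
 * dereferences NULL when the bracket is missing, the crash class this
 * report describes. This version checks every lookup before using it. */
#include <stddef.h>
#include <string.h>

/* Copy the URI from a Contact header value into out (capacity outlen).
 * Returns 1 on success, 0 if the header is malformed or out is too small.
 * parse_contact_uri is a hypothetical name, not an Asterisk API. */
int parse_contact_uri(const char *hdr, char *out, size_t outlen)
{
    const char *start, *end;
    size_t len;

    if (!hdr || !out || outlen == 0)
        return 0;

    start = strchr(hdr, '<');
    if (start) {
        /* Bracketed form: the URI lies strictly between '<' and '>'. */
        start++;
        end = strchr(start, '>');
        if (!end)                 /* '<' without a closing '>': reject */
            return 0;
    } else {
        /* Bare form: skip leading blanks, then read up to the first
         * parameter (';') or list separator (','). */
        start = hdr;
        while (*start == ' ' || *start == '\t')
            start++;
        end = start;
        while (*end && *end != ';' && *end != ',' && *end != '>')
            end++;
        if (*end == '>')          /* '>' without '<': malformed, reject */
            return 0;
    }
    len = (size_t)(end - start);
    if (len == 0 || len >= outlen)
        return 0;
    memcpy(out, start, len);
    out[len] = '\0';
    return 1;
}
```

A malformed header such as `sip:bob@example.com>` (the bracket the report mentions is missing) is rejected with a return value of 0 instead of being dereferenced.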




Reply sent to Tzafrir Cohen <tzafrir@debian.org>:
You have taken responsibility. (Fri, 24 Jun 2011 15:21:08 GMT)


Notification sent to Tzafrir Cohen <tzafrir@debian.org>:
Bug acknowledged by developer. (Fri, 24 Jun 2011 15:21:08 GMT)


Message #10 received at 631445-close@bugs.debian.org:

From: Tzafrir Cohen <tzafrir@debian.org>
To: 631445-close@bugs.debian.org
Subject: Bug#631445: fixed in asterisk 1:1.8.4.3-1
Date: Fri, 24 Jun 2011 15:17:41 +0000
Source: asterisk
Source-Version: 1:1.8.4.3-1

We believe that the bug you reported is fixed in the latest version of
asterisk, which is due to be installed in the Debian FTP archive:

asterisk-config_1.8.4.3-1_all.deb
  to main/a/asterisk/asterisk-config_1.8.4.3-1_all.deb
asterisk-dahdi_1.8.4.3-1_amd64.deb
  to main/a/asterisk/asterisk-dahdi_1.8.4.3-1_amd64.deb
asterisk-dbg_1.8.4.3-1_amd64.deb
  to main/a/asterisk/asterisk-dbg_1.8.4.3-1_amd64.deb
asterisk-dev_1.8.4.3-1_all.deb
  to main/a/asterisk/asterisk-dev_1.8.4.3-1_all.deb
asterisk-doc_1.8.4.3-1_all.deb
  to main/a/asterisk/asterisk-doc_1.8.4.3-1_all.deb
asterisk-h423_1.8.4.3-1_amd64.deb
  to main/a/asterisk/asterisk-h423_1.8.4.3-1_amd64.deb
asterisk-mobile_1.8.4.3-1_amd64.deb
  to main/a/asterisk/asterisk-mobile_1.8.4.3-1_amd64.deb
asterisk-modules_1.8.4.3-1_amd64.deb
  to main/a/asterisk/asterisk-modules_1.8.4.3-1_amd64.deb
asterisk-mp3_1.8.4.3-1_amd64.deb
  to main/a/asterisk/asterisk-mp3_1.8.4.3-1_amd64.deb
asterisk-mysql_1.8.4.3-1_amd64.deb
  to main/a/asterisk/asterisk-mysql_1.8.4.3-1_amd64.deb
asterisk-ooh423_1.8.4.3-1_amd64.deb
  to main/a/asterisk/asterisk-ooh423_1.8.4.3-1_amd64.deb
asterisk-voicemail-imapstorage_1.8.4.3-1_amd64.deb
  to main/a/asterisk/asterisk-voicemail-imapstorage_1.8.4.3-1_amd64.deb
asterisk-voicemail-odbcstorage_1.8.4.3-1_amd64.deb
  to main/a/asterisk/asterisk-voicemail-odbcstorage_1.8.4.3-1_amd64.deb
asterisk-voicemail_1.8.4.3-1_amd64.deb
  to main/a/asterisk/asterisk-voicemail_1.8.4.3-1_amd64.deb
asterisk_1.8.4.3-1.debian.tar.gz
  to main/a/asterisk/asterisk_1.8.4.3-1.debian.tar.gz
asterisk_1.8.4.3-1.dsc
  to main/a/asterisk/asterisk_1.8.4.3-1.dsc
asterisk_1.8.4.3-1_amd64.deb
  to main/a/asterisk/asterisk_1.8.4.3-1_amd64.deb
asterisk_1.8.4.3.orig.tar.gz
  to main/a/asterisk/asterisk_1.8.4.3.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 631445@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Tzafrir Cohen <tzafrir@debian.org> (supplier of updated asterisk package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)



Format: 1.8
Date: Fri, 24 Jun 2011 00:51:49 +0300
Source: asterisk
Binary: asterisk asterisk-modules asterisk-h423 asterisk-dahdi asterisk-voicemail asterisk-voicemail-imapstorage asterisk-voicemail-odbcstorage asterisk-ooh423 asterisk-mp3 asterisk-mysql asterisk-mobile asterisk-doc asterisk-dev asterisk-dbg asterisk-config
Architecture: source all amd64
Version: 1:1.8.4.3-1
Distribution: unstable
Urgency: high
Maintainer: Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>
Changed-By: Tzafrir Cohen <tzafrir@debian.org>
Description: 
 asterisk   - Open Source Private Branch Exchange (PBX)
 asterisk-config - Configuration files for Asterisk
 asterisk-dahdi - DAHDI devices support for the Asterisk PBX
 asterisk-dbg - Debugging symbols for Asterisk
 asterisk-dev - Development files for Asterisk
 asterisk-doc - Source code documentation for Asterisk
 asterisk-h423 - H.323 protocol support for the Asterisk PBX
 asterisk-mobile - Bluetooth phone support for the Asterisk PBX
 asterisk-modules - loadable modules for the Asterisk PBX
 asterisk-mp3 - MP3 playback support for the Asterisk PBX (DUMMY)
 asterisk-mysql - MySQL database protocol support for the Asterisk PBX
 asterisk-ooh423 - H.323 protocol support for the Asterisk PBX - ooH323c
 asterisk-voicemail - simple voicemail support for the Asterisk PBX
 asterisk-voicemail-imapstorage - IMAP voicemail storage support for the Asterisk PBX
 asterisk-voicemail-odbcstorage - ODBC voicemail storage support for the Asterisk PBX
Closes: 631445 631446 631448
Changes: 
 asterisk (1:1.8.4.3-1) unstable; urgency=high
 .
   * New upstream point release, fixes 3 remotely-exploitable (of sorts) bugs:
     - AST-2011-008, CVE-2011-2529 (Closes: #631446)
     - AST-2011-009 (Closes: #631445)
     - AST-2011-010, CVE-2011-2535 (Closes: #631448)





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 24 Jul 2011 07:35:03 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 14:24:03 2019; Machine Name: beach
