asterisk: AST-2011-008 (CVE-2011-2529) - remote unauthenticated (null character)

Related Vulnerabilities: CVE-2011-2529   CVE-2011-2535   CVE-2011-2536  

Debian Bug report logs - #631446

Reported by: Tzafrir Cohen <tzafrir@debian.org>

Date: Thu, 23 Jun 2011 22:51:05 UTC

Severity: grave

Tags: patch, security, upstream

Found in version asterisk/1:1.8.4.2-1

Fixed in versions asterisk/1:1.8.4.3-1, asterisk/1:1.6.2.9-2+squeeze3, asterisk/1:1.4.21.2~dfsg-3+lenny3

Done: Tzafrir Cohen <tzafrir@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>:
Bug#631446; Package asterisk. (Thu, 23 Jun 2011 22:51:07 GMT)


Acknowledgement sent to Tzafrir Cohen <tzafrir@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>. (Thu, 23 Jun 2011 22:51:08 GMT)


Message #5 received at submit@bugs.debian.org:

From: Tzafrir Cohen <tzafrir@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: asterisk: AST-2011-008 (CVE-2011-2529) - remote unauthenticated (null character)
Date: Fri, 24 Jun 2011 01:41:06 +0300
Package: asterisk
Version: 1:1.8.4.2-1
Severity: grave
Tags: security upstream patch
Justification: user security hole

If a remote user sends a SIP packet containing a null, Asterisk assumes
available data extends past the null to the end of the packet when the
buffer is actually truncated when copied.  This causes SIP header
parsing to modify data past the end of the buffer altering unrelated
memory structures.  This vulnerability does not affect TCP/TLS
connections.

Issue applies to the versions in Squeeze and Wheezy/Sid, but not to
Asterisk version 1.4 in Lenny.

For more information, see 
http://downloads.asterisk.org/pub/security/AST-2011-008.html
(for patches as well)

-- System Information:
Debian Release: wheezy/sid
  APT prefers testing
  APT policy: (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.39-2-amd64 (SMP w/2 CPU cores)
Locale: LANG=he_IL.UTF-8, LC_CTYPE=he_IL.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages asterisk depends on:
ii  adduser             3.112+nmu2           add and remove users and groups
ii  asterisk-config     1:1.8.4.2-1          Configuration files for Asterisk
ii  asterisk-modules    1:1.8.4.2-1          loadable modules for the Asterisk 
ii  asterisk-sounds-mai 1:1.6.2.9-2+squeeze1 Core Sound files for Asterisk (Eng
ii  libc6               2.13-4               Embedded GNU C Library: Shared lib
ii  libcap2             1:2.21-1             support for getting/setting POSIX.
ii  libgcc1             1:4.6.0-10           GCC support library
ii  libncurses5         5.9-1                shared libraries for terminal hand
ii  libssl1.0.0         1.0.0d-2             SSL shared libraries
ii  libstdc++6          4.6.0-10             The GNU Standard C++ Library v3
ii  libxml2             2.7.8.dfsg-3         GNOME XML library

Versions of packages asterisk recommends:
ii  asterisk-moh-opsound-gsm     2.03-1      asterisk extra sound files - Engli
ii  asterisk-voicemail           1:1.8.4.2-1 simple voicemail support for the A
ii  sox                          14.3.2-1    Swiss army knife of sound processi

Versions of packages asterisk suggests:
pn  asterisk-dahdi               <none>      (no description available)
ii  asterisk-dev                 1:1.8.4.2-1 Development files for Asterisk
ii  asterisk-doc                 1:1.8.4.2-1 Source code documentation for Aste
pn  asterisk-ooh423              <none>      (no description available)

-- no debconf information
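
The length mismatch described in the report above, as an added example in C; it is not Asterisk's code and not part of the original report. It is a simplified model: the struct, the function names and the two sample datagrams are constructed for illustration. It contrasts recording the datagram length after a C-string copy with rejecting datagrams that contain a NUL and recording only the copied length.

```c
/* Added illustration: a simplified model, not Asterisk source code. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define PKT_MAX 1024

/* Hypothetical request record: stored text plus the length the header
 * parser will trust when it walks the text. */
struct sip_req {
    char   data[PKT_MAX + 1];
    size_t used;   /* bytes actually copied into data */
    size_t len;    /* bytes the parser believes are valid */
};

/* Constructed sample datagrams (not captured traffic). */
static const char SAMPLE_NUL[] =
    "OPTIONS sip:test@example.invalid SIP/2.0\r\n"
    "\0"
    "Max-Forwards: 70\r\n\r\n";
static const char SAMPLE_CLEAN[] =
    "OPTIONS sip:test@example.invalid SIP/2.0\r\n"
    "Max-Forwards: 70\r\n\r\n";
#define SAMPLE_NUL_LEN   (sizeof SAMPLE_NUL - 1)
#define SAMPLE_CLEAN_LEN (sizeof SAMPLE_CLEAN - 1)

/* Copy the way a C-string copy behaves: stop at the first NUL byte. */
static size_t copy_as_cstring(struct sip_req *r, const char *pkt, size_t n)
{
    const char *nul = memchr(pkt, '\0', n);
    size_t copied = nul ? (size_t)(nul - pkt) : n;

    memcpy(r->data, pkt, copied);
    r->data[copied] = '\0';
    r->used = copied;
    return copied;
}

/* BEFORE: the length comes from the socket read, not from the copy. */
static void store_trusting_wire_len(struct sip_req *r, const char *pkt, size_t n)
{
    if (n > PKT_MAX)
        n = PKT_MAX;          /* keep the model itself in bounds */
    copy_as_cstring(r, pkt, n);
    r->len = n;               /* may exceed r->used when pkt holds a NUL */
}

/* AFTER: drop oversized datagrams and any datagram with an embedded NUL;
 * otherwise the trusted length is exactly what was copied. */
static int store_checked(struct sip_req *r, const char *pkt, size_t n)
{
    if (n > PKT_MAX || memchr(pkt, '\0', n) != NULL)
        return -1;
    r->len = copy_as_cstring(r, pkt, n);
    return 0;
}

/* Bytes the parser would treat as valid although they were never copied. */
size_t unsafe_gap(const char *pkt, size_t n)
{
    struct sip_req r;
    store_trusting_wire_len(&r, pkt, n);
    return r.len - r.used;
}

/* 0 if the checked path accepts the datagram, -1 if it rejects it. */
int checked_result(const char *pkt, size_t n)
{
    struct sip_req r;
    return store_checked(&r, pkt, n);
}

int main(void)
{
    printf("NUL sample:   gap=%zu checked=%d\n",
           unsafe_gap(SAMPLE_NUL, SAMPLE_NUL_LEN),
           checked_result(SAMPLE_NUL, SAMPLE_NUL_LEN));
    printf("clean sample: gap=%zu checked=%d\n",
           unsafe_gap(SAMPLE_CLEAN, SAMPLE_CLEAN_LEN),
           checked_result(SAMPLE_CLEAN, SAMPLE_CLEAN_LEN));
    return 0;
}
```

A non-zero gap is the condition the report describes: the parser's idea of the data length runs past what the copy actually stored.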




Reply sent to Tzafrir Cohen <tzafrir@debian.org>:
You have taken responsibility. (Fri, 24 Jun 2011 15:21:12 GMT)


Notification sent to Tzafrir Cohen <tzafrir@debian.org>:
Bug acknowledged by developer. (Fri, 24 Jun 2011 15:21:12 GMT)


Message #10 received at 631446-close@bugs.debian.org:

From: Tzafrir Cohen <tzafrir@debian.org>
To: 631446-close@bugs.debian.org
Subject: Bug#631446: fixed in asterisk 1:1.8.4.3-1
Date: Fri, 24 Jun 2011 15:17:42 +0000
Source: asterisk
Source-Version: 1:1.8.4.3-1

We believe that the bug you reported is fixed in the latest version of
asterisk, which is due to be installed in the Debian FTP archive:

asterisk-config_1.8.4.3-1_all.deb
  to main/a/asterisk/asterisk-config_1.8.4.3-1_all.deb
asterisk-dahdi_1.8.4.3-1_amd64.deb
  to main/a/asterisk/asterisk-dahdi_1.8.4.3-1_amd64.deb
asterisk-dbg_1.8.4.3-1_amd64.deb
  to main/a/asterisk/asterisk-dbg_1.8.4.3-1_amd64.deb
asterisk-dev_1.8.4.3-1_all.deb
  to main/a/asterisk/asterisk-dev_1.8.4.3-1_all.deb
asterisk-doc_1.8.4.3-1_all.deb
  to main/a/asterisk/asterisk-doc_1.8.4.3-1_all.deb
asterisk-h423_1.8.4.3-1_amd64.deb
  to main/a/asterisk/asterisk-h423_1.8.4.3-1_amd64.deb
asterisk-mobile_1.8.4.3-1_amd64.deb
  to main/a/asterisk/asterisk-mobile_1.8.4.3-1_amd64.deb
asterisk-modules_1.8.4.3-1_amd64.deb
  to main/a/asterisk/asterisk-modules_1.8.4.3-1_amd64.deb
asterisk-mp3_1.8.4.3-1_amd64.deb
  to main/a/asterisk/asterisk-mp3_1.8.4.3-1_amd64.deb
asterisk-mysql_1.8.4.3-1_amd64.deb
  to main/a/asterisk/asterisk-mysql_1.8.4.3-1_amd64.deb
asterisk-ooh423_1.8.4.3-1_amd64.deb
  to main/a/asterisk/asterisk-ooh423_1.8.4.3-1_amd64.deb
asterisk-voicemail-imapstorage_1.8.4.3-1_amd64.deb
  to main/a/asterisk/asterisk-voicemail-imapstorage_1.8.4.3-1_amd64.deb
asterisk-voicemail-odbcstorage_1.8.4.3-1_amd64.deb
  to main/a/asterisk/asterisk-voicemail-odbcstorage_1.8.4.3-1_amd64.deb
asterisk-voicemail_1.8.4.3-1_amd64.deb
  to main/a/asterisk/asterisk-voicemail_1.8.4.3-1_amd64.deb
asterisk_1.8.4.3-1.debian.tar.gz
  to main/a/asterisk/asterisk_1.8.4.3-1.debian.tar.gz
asterisk_1.8.4.3-1.dsc
  to main/a/asterisk/asterisk_1.8.4.3-1.dsc
asterisk_1.8.4.3-1_amd64.deb
  to main/a/asterisk/asterisk_1.8.4.3-1_amd64.deb
asterisk_1.8.4.3.orig.tar.gz
  to main/a/asterisk/asterisk_1.8.4.3.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 631446@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Tzafrir Cohen <tzafrir@debian.org> (supplier of updated asterisk package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Fri, 24 Jun 2011 00:51:49 +0300
Source: asterisk
Binary: asterisk asterisk-modules asterisk-h423 asterisk-dahdi asterisk-voicemail asterisk-voicemail-imapstorage asterisk-voicemail-odbcstorage asterisk-ooh423 asterisk-mp3 asterisk-mysql asterisk-mobile asterisk-doc asterisk-dev asterisk-dbg asterisk-config
Architecture: source all amd64
Version: 1:1.8.4.3-1
Distribution: unstable
Urgency: high
Maintainer: Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>
Changed-By: Tzafrir Cohen <tzafrir@debian.org>
Description: 
 asterisk   - Open Source Private Branch Exchange (PBX)
 asterisk-config - Configuration files for Asterisk
 asterisk-dahdi - DAHDI devices support for the Asterisk PBX
 asterisk-dbg - Debugging symbols for Asterisk
 asterisk-dev - Development files for Asterisk
 asterisk-doc - Source code documentation for Asterisk
 asterisk-h423 - H.323 protocol support for the Asterisk PBX
 asterisk-mobile - Bluetooth phone support for the Asterisk PBX
 asterisk-modules - loadable modules for the Asterisk PBX
 asterisk-mp3 - MP3 playback support for the Asterisk PBX (DUMMY)
 asterisk-mysql - MySQL database protocol support for the Asterisk PBX
 asterisk-ooh423 - H.323 protocol support for the Asterisk PBX - ooH323c
 asterisk-voicemail - simple voicemail support for the Asterisk PBX
 asterisk-voicemail-imapstorage - IMAP voicemail storage support for the Asterisk PBX
 asterisk-voicemail-odbcstorage - ODBC voicemail storage support for the Asterisk PBX
Closes: 631445 631446 631448
Changes: 
 asterisk (1:1.8.4.3-1) unstable; urgency=high
 .
   * New upstream point release, fixes 3 remotely-exploitable (of sorts) bugs:
     - AST-2011-008, CVE-2011-2529 (Closes: #631446)
     - AST-2011-009 (Closes: #631445)
     - AST-2011-010, CVE-2011-2535 (Closes: #631448)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAk4Eo+MACgkQxArWdkN9MosFOACcCIIB9dG6cgEGtFTQfCnXdFCZ
fvgAoKhVh8tOlMif0CSTPLSQYoZBWTzN
=xiQ0
-----END PGP SIGNATURE-----





Reply sent to Tzafrir Cohen <tzafrir@debian.org>:
You have taken responsibility. (Sun, 10 Jul 2011 19:57:10 GMT)


Notification sent to Tzafrir Cohen <tzafrir@debian.org>:
Bug acknowledged by developer. (Sun, 10 Jul 2011 19:57:10 GMT)


Message #15 received at 631446-close@bugs.debian.org:

From: Tzafrir Cohen <tzafrir@debian.org>
To: 631446-close@bugs.debian.org
Subject: Bug#631446: fixed in asterisk 1:1.6.2.9-2+squeeze3
Date: Sun, 10 Jul 2011 19:55:19 +0000
Source: asterisk
Source-Version: 1:1.6.2.9-2+squeeze3

We believe that the bug you reported is fixed in the latest version of
asterisk, which is due to be installed in the Debian FTP archive:

asterisk-config_1.6.2.9-2+squeeze3_all.deb
  to main/a/asterisk/asterisk-config_1.6.2.9-2+squeeze3_all.deb
asterisk-dbg_1.6.2.9-2+squeeze3_amd64.deb
  to main/a/asterisk/asterisk-dbg_1.6.2.9-2+squeeze3_amd64.deb
asterisk-dev_1.6.2.9-2+squeeze3_all.deb
  to main/a/asterisk/asterisk-dev_1.6.2.9-2+squeeze3_all.deb
asterisk-doc_1.6.2.9-2+squeeze3_all.deb
  to main/a/asterisk/asterisk-doc_1.6.2.9-2+squeeze3_all.deb
asterisk-h423_1.6.2.9-2+squeeze3_amd64.deb
  to main/a/asterisk/asterisk-h423_1.6.2.9-2+squeeze3_amd64.deb
asterisk-sounds-main_1.6.2.9-2+squeeze3_all.deb
  to main/a/asterisk/asterisk-sounds-main_1.6.2.9-2+squeeze3_all.deb
asterisk_1.6.2.9-2+squeeze3.debian.tar.gz
  to main/a/asterisk/asterisk_1.6.2.9-2+squeeze3.debian.tar.gz
asterisk_1.6.2.9-2+squeeze3.dsc
  to main/a/asterisk/asterisk_1.6.2.9-2+squeeze3.dsc
asterisk_1.6.2.9-2+squeeze3_amd64.deb
  to main/a/asterisk/asterisk_1.6.2.9-2+squeeze3_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 631446@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Tzafrir Cohen <tzafrir@debian.org> (supplier of updated asterisk package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Fri, 01 Jul 2011 14:57:12 +0300
Source: asterisk
Binary: asterisk asterisk-h423 asterisk-doc asterisk-dev asterisk-dbg asterisk-sounds-main asterisk-config
Architecture: source all amd64
Version: 1:1.6.2.9-2+squeeze3
Distribution: stable-security
Urgency: high
Maintainer: Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>
Changed-By: Tzafrir Cohen <tzafrir@debian.org>
Description: 
 asterisk   - Open Source Private Branch Exchange (PBX)
 asterisk-config - Configuration files for Asterisk
 asterisk-dbg - Debugging symbols for Asterisk
 asterisk-dev - Development files for Asterisk
 asterisk-doc - Source code documentation for Asterisk
 asterisk-h423 - H.323 protocol support for Asterisk
 asterisk-sounds-main - Core Sound files for Asterisk (English)
Closes: 631446 631448 632029
Changes: 
 asterisk (1:1.6.2.9-2+squeeze3) stable-security; urgency=high
 .
   * Patch AST-2011-008 (CVE-2011-2529) - crash on a malformed SIP packet
    (Closes: 631446).
   * Patch AST-2011-010 (CVE-2011-2535): crash due to dereferencing a remote
     pointer (closes: #631448).
   * AST-2011-011 (CVE-2011-2536): Don't leak SIP username information
     (closes: #632029)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAk4VdkAACgkQxArWdkN9MosdVQCfdFgX9/ImAoMtj9GNxAgM/t0h
SwEAoJL1FxazdBLh8qnTVP0WoEz0XuFV
=qyoo
-----END PGP SIGNATURE-----





Reply sent to Tzafrir Cohen <tzafrir@debian.org>:
You have taken responsibility. (Tue, 26 Jul 2011 01:57:03 GMT)


Notification sent to Tzafrir Cohen <tzafrir@debian.org>:
Bug acknowledged by developer. (Tue, 26 Jul 2011 01:57:03 GMT)


Message #20 received at 631446-close@bugs.debian.org:

From: Tzafrir Cohen <tzafrir@debian.org>
To: 631446-close@bugs.debian.org
Subject: Bug#631446: fixed in asterisk 1:1.4.21.2~dfsg-3+lenny3
Date: Tue, 26 Jul 2011 01:54:16 +0000
Source: asterisk
Source-Version: 1:1.4.21.2~dfsg-3+lenny3

We believe that the bug you reported is fixed in the latest version of
asterisk, which is due to be installed in the Debian FTP archive:

asterisk-config_1.4.21.2~dfsg-3+lenny3_all.deb
  to main/a/asterisk/asterisk-config_1.4.21.2~dfsg-3+lenny3_all.deb
asterisk-dbg_1.4.21.2~dfsg-3+lenny3_amd64.deb
  to main/a/asterisk/asterisk-dbg_1.4.21.2~dfsg-3+lenny3_amd64.deb
asterisk-dev_1.4.21.2~dfsg-3+lenny3_all.deb
  to main/a/asterisk/asterisk-dev_1.4.21.2~dfsg-3+lenny3_all.deb
asterisk-doc_1.4.21.2~dfsg-3+lenny3_all.deb
  to main/a/asterisk/asterisk-doc_1.4.21.2~dfsg-3+lenny3_all.deb
asterisk-h423_1.4.21.2~dfsg-3+lenny3_amd64.deb
  to main/a/asterisk/asterisk-h423_1.4.21.2~dfsg-3+lenny3_amd64.deb
asterisk-sounds-main_1.4.21.2~dfsg-3+lenny3_all.deb
  to main/a/asterisk/asterisk-sounds-main_1.4.21.2~dfsg-3+lenny3_all.deb
asterisk_1.4.21.2~dfsg-3+lenny3.diff.gz
  to main/a/asterisk/asterisk_1.4.21.2~dfsg-3+lenny3.diff.gz
asterisk_1.4.21.2~dfsg-3+lenny3.dsc
  to main/a/asterisk/asterisk_1.4.21.2~dfsg-3+lenny3.dsc
asterisk_1.4.21.2~dfsg-3+lenny3_amd64.deb
  to main/a/asterisk/asterisk_1.4.21.2~dfsg-3+lenny3_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 631446@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Tzafrir Cohen <tzafrir@debian.org> (supplier of updated asterisk package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Tue, 05 Jul 2011 00:08:08 +0300
Source: asterisk
Binary: asterisk asterisk-h423 asterisk-doc asterisk-dev asterisk-dbg asterisk-sounds-main asterisk-config
Architecture: source all amd64
Version: 1:1.4.21.2~dfsg-3+lenny3
Distribution: oldstable-security
Urgency: high
Maintainer: Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>
Changed-By: Tzafrir Cohen <tzafrir@debian.org>
Description: 
 asterisk   - Open Source Private Branch Exchange (PBX)
 asterisk-config - Configuration files for Asterisk
 asterisk-dbg - Debugging symbols for Asterisk
 asterisk-dev - Development files for Asterisk
 asterisk-doc - Source code documentation for Asterisk
 asterisk-h423 - H.323 protocol support for Asterisk
 asterisk-sounds-main - Core Sound files for Asterisk (English)
Closes: 631446 631448 632029
Changes: 
 asterisk (1:1.4.21.2~dfsg-3+lenny3) oldstable-security; urgency=high
 .
   * Patch AST-2011-008 (CVE-2011-2529) - crash on a malformed SIP packet
    (Closes: 631446).
   * AST-2011-010 (CVE-2011-2535): crash due to dereferencing a remote pointer
     (closes: #631448)
   * AST-2011-011 (CVE-2011-2536): Don't leak SIP username information
     (closes: #632029)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAk4VcjAACgkQxArWdkN9MosUFwCcCxeZVPq9v9Ogf0xzKIRpjtOB
2osAoMvhUQ4C2tUYSks1j/cxEr2doA0L
=BjLs
-----END PGP SIGNATURE-----





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 23 Aug 2011 07:35:01 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 15:53:57 2019; Machine Name: beach
