Fwd: [asterisk-announce] ASA-2007-017: Remote crash vulnerability in STUN implementation

Related Vulnerabilities: CVE-2007-3765  

Debian Bug report logs - #433681


Reported by: Mark Purcell <msp@debian.org>

Date: Wed, 18 Jul 2007 19:48:01 UTC

Severity: critical

Tags: security

Found in version 1:1.4.0~dfsg-1

Fixed in version asterisk/1:1.4.8~dfsg-1

Done: Mark Purcell <msp@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>:
Bug#433681; Package asterisk.


Acknowledgement sent to Mark Purcell <msp@debian.org>:
New Bug report received and forwarded. Copy sent to Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>.


Message #5 received at submit@bugs.debian.org:

From: Mark Purcell <msp@debian.org>
To: submit@bugs.debian.org
Subject: Fwd: [asterisk-announce] ASA-2007-017: Remote crash vulnerability in STUN implementation
Date: Wed, 18 Jul 2007 20:47:05 +0100
Package: asterisk
Version: 1:1.4.0~dfsg-1
Tags: security
Severity: critical


----------  Forwarded Message  ----------

Subject: [asterisk-announce] ASA-2007-017: Remote crash vulnerability in STUN implementation
Date: Tue, 17 Jul 2007
From: The Asterisk Development Team <asteriskteam@digium.com>
To: undisclosed-recipients:;

               Asterisk Project Security Advisory - ASA-2007-017

   +------------------------------------------------------------------------+
   |      Product       | Asterisk                                          |
   |--------------------+---------------------------------------------------|
   |      Summary       | Remote Crash Vulnerability in STUN implementation |
   |--------------------+---------------------------------------------------|
   | Nature of Advisory | Denial of Service                                 |
   |--------------------+---------------------------------------------------|
   |   Susceptibility   | Remote Unauthenticated Sessions                   |
   |--------------------+---------------------------------------------------|
   |      Severity      | Critical                                          |
   |--------------------+---------------------------------------------------|
   |   Exploits Known   | No                                                |
   |--------------------+---------------------------------------------------|
   |    Reported On     | July 13, 2007                                     |
   |--------------------+---------------------------------------------------|
   |    Reported By     | Will Drewry, Google Security Team                 |
   |--------------------+---------------------------------------------------|
   |     Posted On      | July 17, 2007                                     |
   |--------------------+---------------------------------------------------|
   |  Last Updated On   | July 17, 2007                                     |
   |--------------------+---------------------------------------------------|
   |  Advisory Contact  | Joshua Colp <jcolp@digium.com>                    |
   |--------------------+---------------------------------------------------|
   |      CVE Name      | CVE-2007-3765                                     |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   | Description | The Asterisk STUN implementation in the RTP stack has a  |
   |             | remotely exploitable crash vulnerability. A pointer may  |
   |             | run past accessible memory if Asterisk receives a        |
   |             | specially crafted STUN packet on an active RTP port.     |
   |             |                                                          |
   |             | The code that parses the incoming STUN packets           |
   |             | incorrectly checks that the length indicated in the STUN |
   |             | attribute and the size of the STUN attribute header does |
   |             | not exceed the available data. This will cause the data  |
   |             | pointer to run past accessible memory and when accessed  |
   |             | will cause a crash.                                      |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   | Resolution | All users that have chan_sip, chan_gtalk, chan_jingle,    |
   |            | chan_h423, chan_mgcp, or chan_skinny enabled on an        |
   |            | affected version should upgrade to the appropriate        |
   |            | version listed in the Corrected In section of this        |
   |            | advisory.                                                 |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   |                           Affected Versions                            |
   |------------------------------------------------------------------------|
   |             Product              |   Release   |                       |
   |                                  |   Series    |                       |
   |----------------------------------+-------------+-----------------------|
   |       Asterisk Open Source       |    1.0.x    | None affected         |
   |----------------------------------+-------------+-----------------------|
   |       Asterisk Open Source       |    1.2.x    | None affected         |
   |----------------------------------+-------------+-----------------------|
   |       Asterisk Open Source       |    1.4.x    | All versions prior to |
   |                                  |             | 1.4.8                 |
   |----------------------------------+-------------+-----------------------|
   |    Asterisk Business Edition     |    A.x.x    | None affected         |
   |----------------------------------+-------------+-----------------------|
   |    Asterisk Business Edition     |    B.x.x    | None affected         |
   |----------------------------------+-------------+-----------------------|
   |           AsteriskNOW            | pre-release | All versions prior to |
   |                                  |             | beta7                 |
   |----------------------------------+-------------+-----------------------|
   | Asterisk Appliance Developer Kit |    0.x.x    | All versions prior to |
   |                                  |             | 0.5.0                 |
   |----------------------------------+-------------+-----------------------|
   |    s800i (Asterisk Appliance)    |    1.0.x    | All versions prior to |
   |                                  |             | 1.0.2                 |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   |                              Corrected In                              |
   |------------------------------------------------------------------------|
   |     Product     |                       Release                        |
   |-----------------+------------------------------------------------------|
   |  Asterisk Open  |                 1.4.8 available from                 |
   |     Source      |     ftp://ftp.digium.com/pub/telephony/asterisk      |
   |-----------------+------------------------------------------------------|
   |   AsteriskNOW   |  Beta7, available from http://www.asterisknow.org/.  |
   |                 |  Beta5 and Beta6 users can update using the system   |
   |                 |    update feature in the appliance control panel.    |
   |-----------------+------------------------------------------------------|
   |    Asterisk     |                0.5.0, available from                 |
   |    Appliance    |       ftp://ftp.digium.com/pub/telephony/aadk/       |
   |  Developer Kit  |                                                      |
   |-----------------+------------------------------------------------------|
   | s800i (Asterisk |                        1.0.2                         |
   |   Appliance)    |                                                      |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   |        Links        |                                                  |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   | Asterisk Project Security Advisories are posted at                     |
   | http://www.asterisk.org/security.                                      |
   |                                                                        |
   | This document may be superseded by later versions; if so, the latest   |
   | version will be posted at                                              |
   | http://ftp.digium.com/pub/asa/ASA-2007-017.pdf.                        |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   |                            Revision History                            |
   |------------------------------------------------------------------------|
   |        Date        |        Editor         |      Revisions Made       |
   |--------------------+-----------------------+---------------------------|
   | July 17, 2006      | jcolp@digium.com      | Initial Release           |
   +------------------------------------------------------------------------+

               Asterisk Project Security Advisory - ASA-2007-017
              Copyright (c) 2007 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in its
                           original, unaltered form.


-------------------------------------------------------
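The Description in the advisory above says the STUN attribute parser's check of the declared attribute length together with the attribute header against the remaining data was wrong, so the data pointer could run past the datagram. As an added example (not Asterisk's code and not part of the advisory), here is a bounds-checked walk over RFC 3489 STUN attributes in C; the sample datagram bytes, the function names and the -1 error convention are assumptions made for this illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* STUN (RFC 3489) layout: 20-byte header (type, body length, 128-bit
 * transaction id), then attributes of 2-byte type, 2-byte length and a
 * value of that many bytes. Constructed example, not Asterisk code. */
#define STUN_HDR_LEN  20
#define STUN_ATTR_HDR  4

static uint16_t rd16(const unsigned char *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Walks the attributes of datagram buf[0..len). Returns their count, or -1 if
 * an attribute header or its declared value length would run past the received
 * data: the per-attribute test covers the 4-byte header and the declared length
 * together, the condition the advisory says was checked incorrectly. */
int stun_count_attrs(const unsigned char *buf, size_t len)
{
    if (len < STUN_HDR_LEN) return -1;                /* no complete header */
    size_t body = rd16(buf + 2);
    if (body > len - STUN_HDR_LEN) return -1;         /* body longer than datagram */
    size_t off = STUN_HDR_LEN, end = STUN_HDR_LEN + body;
    int count = 0;
    while (off < end) {
        if (end - off < STUN_ATTR_HDR) return -1;     /* truncated attribute header */
        size_t alen = rd16(buf + off + 2);
        if (alen > end - off - STUN_ATTR_HDR) return -1; /* value would run past data */
        off += STUN_ATTR_HDR + alen;                  /* a real parser reads the value here */
        count++;
    }
    return count;
}

/* Constructed sample: Binding Request (type 0x0001, body length 12) carrying
 * one MAPPED-ADDRESS attribute (type 0x0001, length 8). */
static const unsigned char sample_req[32] = {
    0x00, 0x01, 0x00, 0x0c, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16,
    0x00, 0x01, 0x00, 0x08, 0x00, 0x01, 0x0d, 0x96, 192, 0, 2, 1
};

int demo_well_formed(void) { return stun_count_attrs(sample_req, sizeof sample_req); }
int demo_truncated(void)   { return stun_count_attrs(sample_req, sizeof sample_req - 4); }
int demo_inflated_length(void)             /* attribute length field forced to 0xFFFF */
{
    unsigned char m[32];
    for (size_t i = 0; i < sizeof m; i++) m[i] = sample_req[i];
    m[22] = 0xff; m[23] = 0xff;
    return stun_count_attrs(m, sizeof m);
}
```

The inflated-length and truncated cases are rejected before any value byte is touched, which is the behaviour the fix in 1.4.8 restores; a parser that only compared the declared length against the message length, without the attribute header, would walk past the end in those cases.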

Tags added: pending. Request was from Mark Purcell <msp@debian.org> to control@bugs.debian.org. (Wed, 18 Jul 2007 19:54:02 GMT)


Reply sent to Mark Purcell <msp@debian.org>:
You have taken responsibility.


Notification sent to Mark Purcell <msp@debian.org>:
Bug acknowledged by developer.


Message #12 received at 433681-close@bugs.debian.org:

From: Mark Purcell <msp@debian.org>
To: 433681-close@bugs.debian.org
Subject: Bug#433681: fixed in asterisk 1:1.4.8~dfsg-1
Date: Wed, 18 Jul 2007 21:32:06 +0000
Source: asterisk
Source-Version: 1:1.4.8~dfsg-1

We believe that the bug you reported is fixed in the latest version of
asterisk, which is due to be installed in the Debian FTP archive:

asterisk-config_1.4.8~dfsg-1_all.deb
  to pool/main/a/asterisk/asterisk-config_1.4.8~dfsg-1_all.deb
asterisk-dbg_1.4.8~dfsg-1_i386.deb
  to pool/main/a/asterisk/asterisk-dbg_1.4.8~dfsg-1_i386.deb
asterisk-dev_1.4.8~dfsg-1_all.deb
  to pool/main/a/asterisk/asterisk-dev_1.4.8~dfsg-1_all.deb
asterisk-doc_1.4.8~dfsg-1_all.deb
  to pool/main/a/asterisk/asterisk-doc_1.4.8~dfsg-1_all.deb
asterisk-h423_1.4.8~dfsg-1_i386.deb
  to pool/main/a/asterisk/asterisk-h423_1.4.8~dfsg-1_i386.deb
asterisk-sounds-main_1.4.8~dfsg-1_all.deb
  to pool/main/a/asterisk/asterisk-sounds-main_1.4.8~dfsg-1_all.deb
asterisk-web-vmail_1.4.8~dfsg-1_all.deb
  to pool/main/a/asterisk/asterisk-web-vmail_1.4.8~dfsg-1_all.deb
asterisk_1.4.8~dfsg-1.diff.gz
  to pool/main/a/asterisk/asterisk_1.4.8~dfsg-1.diff.gz
asterisk_1.4.8~dfsg-1.dsc
  to pool/main/a/asterisk/asterisk_1.4.8~dfsg-1.dsc
asterisk_1.4.8~dfsg-1_i386.deb
  to pool/main/a/asterisk/asterisk_1.4.8~dfsg-1_i386.deb
asterisk_1.4.8~dfsg.orig.tar.gz
  to pool/main/a/asterisk/asterisk_1.4.8~dfsg.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 433681@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Mark Purcell <msp@debian.org> (supplier of updated asterisk package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.7
Date: Wed, 18 Jul 2007 20:51:46 +0100
Source: asterisk
Binary: asterisk-h423 asterisk-web-vmail asterisk asterisk-dbg asterisk-dev asterisk-doc asterisk-sounds-main asterisk-config
Architecture: source all i386
Version: 1:1.4.8~dfsg-1
Distribution: unstable
Urgency: high
Maintainer: Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>
Changed-By: Mark Purcell <msp@debian.org>
Description: 
 asterisk   - Open Source Private Branch Exchange (PBX)
 asterisk-config - config files for asterisk
 asterisk-dbg - debugging symbols for asterisk
 asterisk-dev - development files for asterisk
 asterisk-doc - documentation for asterisk
 asterisk-h423 - asterisk H.323 VoIP channel
 asterisk-sounds-main - sound files for asterisk
 asterisk-web-vmail - Web-based (CGI) voice mail interface for Asterisk
Closes: 433681
Changes: 
 asterisk (1:1.4.8~dfsg-1) unstable; urgency=high
 .
   * New upstream release
     - ASA-2007-017: Remote crash vulnerability in
     STUN implementation (Closes: #433681)
   * Urgency high for remote crash vulnerability
   * Updated standard version to 3.7.2.
Files: 





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 20 Aug 2007 07:37:15 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 18:34:52 2019; Machine Name: buxtehude
