Bug#484796: asterisk-oh323: CVE-2008-2543 denial of service
Nico Golde
nion at debian.org
Fri Jun 6 14:27:01 UTC 2008
Package: asterisk-oh323
Severity: grave
Tags: security
Hi,

the following CVE (Common Vulnerabilities & Exposures) id was
published for asterisk-oh323.

CVE-2008-2543[0]:
| The ooh323 channel driver in Asterisk Addons 1.2.x before 1.2.9 and
| Asterisk-Addons 1.4.x before 1.4.7 creates a remotely accessible TCP
| port that is intended solely for localhost communication, and
| interprets some TCP application-data fields as addresses of memory to
| free, which allows remote attackers to cause a denial of service
| (daemon crash) via crafted TCP packets.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

http://svn.digium.com/view/asterisk-addons?view=rev&revision=620
is the patch upstream applied to fix this issue. However, the
version in Debian has a completely different codebase and
without having more knowledge about asterisk it is (at least
for me) not possible to judge if the version in Debian is
affected by this or not. I also have no asterisk setup to
test this.

Please check back with upstream and/or test this with a
local installation. For now I marked it as unfixed in the
tracker.

For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2543
    http://security-tracker.debian.net/tracker/CVE-2008-2543
--
Nico Golde - http://www.ngolde.de - nion at jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
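The CVE text above describes two independent defects: a control port meant for localhost is reachable from other hosts, and the daemon treats fields in the peer's messages as memory addresses to free. The following C program is an added illustration of the two defensive patterns that close that bug class; it is not code from asterisk-addons, the ooh323 driver, or the upstream revision 620 patch, and its message format (a 4-byte big-endian handle id followed by payload) is constructed for the example. A local-only listener is bound to INADDR_LOOPBACK rather than INADDR_ANY, and objects the peer may release are named by small validated indices in a handle table, never by raw pointers taken from the wire.

```c
/*
 * Added illustration of two defensive patterns for a localhost-only
 * control socket (hypothetical example, not asterisk-addons code):
 *  1. bind the listener to the loopback interface only;
 *  2. let peers refer to objects by validated handle ids, so a
 *     message can never name an arbitrary address to free.
 */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* True when the IPv4 address lies in 127.0.0.0/8. */
int is_loopback(const struct sockaddr_in *sa) {
    return (ntohl(sa->sin_addr.s_addr) >> 24) == 127;
}

/* Open a listening TCP socket on 127.0.0.1 with a kernel-chosen port.
 * Stores the bound address in *bound and returns the fd, or -1. */
int open_local_listener(struct sockaddr_in *bound) {
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    struct sockaddr_in sa;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK); /* not INADDR_ANY */
    sa.sin_port = 0;                              /* any free port */
    socklen_t len = sizeof *bound;
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0 ||
        listen(fd, 8) < 0 ||
        getsockname(fd, (struct sockaddr *)bound, &len) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Open the listener, confirm it is loopback-only, close it.
 * Returns 1 when the socket is correctly scoped to localhost. */
int listener_check(void) {
    struct sockaddr_in bound;
    int fd = open_local_listener(&bound);
    if (fd < 0) return 0;
    int ok = is_loopback(&bound) && bound.sin_port != 0;
    close(fd);
    return ok;
}

/* Handle table: the peer names an object by index, never by pointer. */
#define MAX_HANDLES 8
static void *handles[MAX_HANDLES];

/* Allocate an object and return its handle id, or -1 when full. */
int handle_alloc(size_t size) {
    for (int i = 0; i < MAX_HANDLES; i++) {
        if (handles[i] == NULL) {
            handles[i] = calloc(1, size);
            return handles[i] ? i : -1;
        }
    }
    return -1;
}

/* Constructed wire format: 4-byte big-endian handle id, then payload.
 * Frees the object only if the id is in range and currently live;
 * returns 0 on success, -1 on a malformed or bogus id. */
int handle_release_from_message(const uint8_t *msg, size_t len) {
    if (len < 4) return -1;
    uint32_t id = ((uint32_t)msg[0] << 24) | ((uint32_t)msg[1] << 16) |
                  ((uint32_t)msg[2] << 8) | (uint32_t)msg[3];
    if (id >= MAX_HANDLES || handles[id] == NULL) return -1;
    free(handles[id]);
    handles[id] = NULL;
    return 0;
}

int main(void) {
    printf("loopback-only listener: %s\n", listener_check() ? "ok" : "FAILED");

    int h = handle_alloc(64);
    uint8_t good[4] = {0, 0, 0, (uint8_t)h};
    uint8_t bogus[4] = {0xde, 0xad, 0xbe, 0xef}; /* pointer-like, rejected */
    printf("release live handle: %d\n", handle_release_from_message(good, 4));
    printf("release same again:  %d\n", handle_release_from_message(good, 4));
    printf("release bogus id:    %d\n", handle_release_from_message(bogus, 4));
    return 0;
}
```

The handle table is the part that matters for the "addresses of memory to free" half of the description: the daemon only ever calls free() on pointers it allocated itself, and a repeated or out-of-range id is refused instead of reaching free().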