Bug#541441: CVE-2009-2726: Asterisk SIP Channel Driver Denial of Service
garyh at bytesolutions.com
Fri Aug 21 19:51:37 UTC 2009
This pretty clearly states the recipient's mailbox does not exist. This
kind of message is typically accurate.
Have we double checked the recipient is not having a problem??
From: Moritz Muehlenhoff [mailto:jmm at inutil.org]
Sent: Friday, August 21, 2009 14:41
To: Faidon Liambotis
Cc: 541441 at bugs.debian.org; Giuseppe Iuculano; security at debian.org
Subject: Bug#541441: CVE-2009-2726: Asterisk SIP Channel Driver Denial
On Fri, Aug 14, 2009 at 04:32:25PM +0300, Faidon Liambotis wrote:
> That's AST-2009-005, which mentions:
> > Note that while this potential vulnerability has existed in Asterisk
> > for a very long time, it is only potentially exploitable in 1.6.1
> > and above, since those versions are the first that have allowed SIP
> > packets to exceed 1500 bytes total, which does not permit strings
> > that are large enough to crash Asterisk. (The number strings
> > presented to us by the security researcher were approximately 32,000
> > bytes long.)
> > Additionally note that while this can crash Asterisk, execution of
> > arbitrary code is not possible with this vector.
> Hence, I don't think it warrants a security update for
> Unstable is vulnerable though, I'll prepare a fix.
Thanks, added to the tracker.