Bug#552756: AST-2009-007: SIP INVITE ACL bypass

Raphael Geissert geissert at debian.org
Thu Oct 29 13:23:22 UTC 2009

2009/10/29 Faidon Liambotis <paravoid at debian.org>:
> Raphael Geissert wrote:
>> A vulnerability has been reported in asterisk that allows a device to make
>> calls on networks intended to be prohibited as defined by the "deny"
>> and "permit" lines in sip.conf.
>> The original advisory can be found at:
>> http://downloads.asterisk.org/pub/security/AST-2009-007.html
>> And the patch at:
>> http://downloads.asterisk.org/pub/security/AST-2009-007-1.6.1.diff.txt
> I saw that but initially ignored it since it said it was affecting only
> 1.6.1. It seems, however, that it also affects 1.6.2 and a fix is
> commmited in upstream's SVN.

Yes, the versions in testing and unstable (at least those that were
there before I reported it) were both affected. May I suggest you to
reply to the email in the future whenever you don't think it affects a
version? the versions in the descriptions are usually not exclusive
and should be treated as 'at least' (not much we can do, as it is
mitre who writes the descriptions).


Raphael Geissert - Debian Developer
www.debian.org - get.debian.net

More information about the Pkg-voip-maintainers mailing list