Bug#576560: asterisk: CVE-2010-1224 incorrect parsing of ACL rules
Nico Golde
nion at debian.org
Mon Apr 5 16:29:41 UTC 2010
Package: asterisk
Version: 1:1.6.1.0~dfsg~rc3-1
Severity: important
Tags: security patch
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for asterisk.
CVE-2010-1224[0]:
| main/acl.c in Asterisk Open Source 1.6.0.x before 1.6.0.25, 1.6.1.x
| before 1.6.1.17, and 1.6.2.x before 1.6.2.5 does not properly enforce
| remote host access controls when CIDR notation "/0" is used in permit=
| and deny= configuration rules, which causes an improper arithmetic
| shift and might allow remote attackers to bypass ACL rules and access
| services from unauthorized hosts.
If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.
Patch: http://downloads.asterisk.org/pub/security/AST-2010-003-1.6.2.diff
For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1224
http://security-tracker.debian.org/tracker/CVE-2010-1224
--
Nico Golde - http://www.ngolde.de - nion at jabber.ccc.de - GPG: 0xA0A0AAAA
For security reasons, all text in this mail is double-rot13 encrypted.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-voip-maintainers/attachments/20100405/ebac4958/attachment.pgp>
More information about the Pkg-voip-maintainers
mailing list