
Bug 169681

Summary: net-misc/asterisk SIP DoS
Product: Gentoo Security
Reporter: Sune Kloppenborg Jeppesen (RETIRED) <jaervosz>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED DUPLICATE
Severity: normal
CC: voip+disabled
Priority: High
Version: unspecified
Hardware: All
OS: Linux
Whiteboard:
Package list:
Runtime testing required: ---

Description Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-03-06 22:18:45 UTC
Information seems a bit sparse, but SineApps reports:

Asterisk 1.4.1 has been released as well as Asterisk 1.2.16 and Zaptel 1.2.15. These include bugfixes as well as a solution to the recently discovered security hole. This security hole is a major one and as such, machines should be updated as soon as possible. I will post further information about it in around a week, but you should all upgrade your servers before then.

  Update: TrixBox, packaged Asterisk and OpenPBX are affected too:
 
  Update: Vulnerability is a remote DOS (segfaults Asterisk):
 
  Update: Vulnerability is in the SIP stack. If you have port 5060 blocked and are not using SIP then you should be fine. In any other situation, you should upgrade:

Comment 1 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-03-06 22:58:10 UTC

*** This bug has been marked as a duplicate of bug 169616 ***