Summary: | <net-misc/asterisk-1.8.7.1 Remote crash vulnerability in SIP channel driver (CVE-2011-4063) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Sean Amoss (RETIRED) <ackle> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | minor | CC: | chainsaw, voip+disabled |
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | http://downloads.asterisk.org/pub/security/AST-2011-012.html | ||
Whiteboard: | B3 [glsa] | ||
Package list: | Runtime testing required: | --- |
Description
Sean Amoss (RETIRED)
2011-10-17 19:43:03 UTC
+*asterisk-1.8.7.1 (18 Oct 2011)
+
+  18 Oct 2011; Tony Vroon <chainsaw@gentoo.org> -asterisk-1.8.7.0-r1.ebuild,
+  +asterisk-1.8.7.1.ebuild:
+  Update to fix remote crash vulnerability (caused by uninitialised variable) in
+  SIP channel driver, remove vulnerable versions except last stable. Advisories
+  CVE-2011-4063 & AST-2011-012.

Arches, please test & mark stable. Compilation followed by repeated start/stop cycles on the default configuration file will suffice.

amd64 ok

ditto Ago

+  18 Oct 2011; Tony Vroon <chainsaw@gentoo.org> asterisk-1.8.7.1.ebuild:
+  Marked stable on AMD64 based on arch testing by Agostino "ago" Sarubbo & Ian
+  "idella4" Delaney in security bug #387453.

x86 stable

Thanks, everyone. GLSA Vote: yes.

+  21 Oct 2011; Tony Vroon <chainsaw@gentoo.org> -asterisk-1.8.6.0.ebuild:
+  Purge vulnerable ebuilds for security bug #387453 now that stabling has
+  completed.

CVE-2011-4063 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4063):
  chan_sip.c in the SIP channel driver in Asterisk Open Source 1.8.x before 1.8.7.1 and 10.x before 10.0.0-rc1 does not properly initialize variables during request parsing, which allows remote authenticated users to cause a denial of service (daemon crash) via a malformed request.

Let's just include this with the other Asterisk bugs. Moving to [glsa].

This issue was resolved and addressed in GLSA 201110-21 at http://security.gentoo.org/glsa/glsa-201110-21.xml by GLSA coordinator Tim Sammut (underling).
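The NVD text above names the bug class rather than the specific defect: a variable that is written on only one parsing path (the header was present) but read on every path, so a request that omits the header makes the daemon consume whatever happened to be on the stack. The following is an added illustration of that pattern and its fix; it is not Asterisk's chan_sip.c, does not reproduce the real CVE-2011-4063 defect, and its message format, struct and function names (toy_req, parse_request_vulnerable, parse_request_fixed, scan_content_length) are hypothetical. The sample messages are constructed, not captured traffic.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not Asterisk code: a toy request parser that shows the
 * bug class named in CVE-2011-4063 ("does not properly initialize
 * variables during request parsing") and the corresponding fix. The
 * format, struct and function names are hypothetical; nothing here
 * reproduces the real chan_sip.c defect. */

#define MAX_BODY 256

struct toy_req {
    char method[16];
    int  content_length;
    char body[MAX_BODY];
};

/* Points just past the CRLFCRLF that terminates the headers, or NULL. */
static const char *find_body(const char *req)
{
    const char *p = strstr(req, "\r\n\r\n");
    return p ? p + 4 : NULL;
}

/* Scans header lines for "Content-Length:"; stores the value in *len and
 * returns 1 if found, 0 otherwise. The body is never scanned. */
static int scan_content_length(const char *req, int *len)
{
    const char *line = req;
    while ((line = strstr(line, "\r\n")) != NULL) {
        line += 2;
        if (line[0] == '\r')                /* blank line: end of headers */
            break;
        if (strncmp(line, "Content-Length:", 15) == 0) {
            *len = atoi(line + 15);
            return 1;
        }
    }
    return 0;
}

/* Vulnerable pattern: content_length is written only on the path where
 * the header is present, but consumed on every path. A request without
 * Content-Length makes memcpy() use whatever was on the stack: undefined
 * behaviour, and in a long-running daemon usually a crash. */
int parse_request_vulnerable(const char *req, struct toy_req *out)
{
    int content_length;                     /* BUG: never initialised */
    const char *body;

    if (sscanf(req, "%15s", out->method) != 1)
        return -1;
    scan_content_length(req, &content_length);   /* result ignored */
    body = find_body(req);
    if (body == NULL)
        return -1;
    memcpy(out->body, body, (size_t)content_length); /* garbage length */
    out->body[content_length] = '\0';
    out->content_length = content_length;
    return 0;
}

/* Hardened version: the variable starts in a known "unset" state, the
 * scanner's result is checked, and the length is validated against the
 * buffer and against the bytes actually received before it is used. */
int parse_request_fixed(const char *req, struct toy_req *out)
{
    int content_length = -1;                /* sentinel: not yet seen */
    const char *body;

    if (sscanf(req, "%15s", out->method) != 1)
        return -1;
    if (!scan_content_length(req, &content_length))
        return -1;                          /* policy: header required */
    body = find_body(req);
    if (body == NULL)
        return -1;
    if (content_length < 0 || content_length >= MAX_BODY)
        return -1;                          /* would overflow body[] */
    if ((size_t)content_length > strlen(body))
        return -1;                          /* claims more than was sent */
    memcpy(out->body, body, (size_t)content_length);
    out->body[content_length] = '\0';
    out->content_length = content_length;
    return 0;
}

int main(void)
{
    /* Constructed sample messages, not captured traffic. */
    static const char good[] =
        "INVITE sip:bob@example.invalid SIP/2.0\r\n"
        "Via: SIP/2.0/UDP host.example.invalid\r\n"
        "Content-Length: 5\r\n\r\nhello";
    static const char no_length[] =
        "OPTIONS sip:bob@example.invalid SIP/2.0\r\n"
        "Via: SIP/2.0/UDP host.example.invalid\r\n\r\n";
    struct toy_req r;
    int rc;

    rc = parse_request_fixed(good, &r);
    printf("good:      fixed -> %d (len %d, body \"%s\")\n",
           rc, r.content_length, r.body);
    rc = parse_request_fixed(no_length, &r);
    printf("no length: fixed -> %d (rejected instead of reading the stack)\n", rc);
    return 0;
}
```

The defensive shape is the same one the upstream fix class implies: initialise to a value that cannot be mistaken for real input, check the return of the routine that was supposed to set it, and only then bound the value against the buffer and the received bytes. Compiling with -Wall -Wextra does not reliably flag the vulnerable function, because the address of content_length escapes into the scanner; a dynamic tool such as MemorySanitizer or Valgrind on a request without the header is what actually catches it.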