Bug#: 177062
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Reporter: Rajiv Aaron Manglani <rajiv@gentoo.org>

Attachments:
ASA-2007-013.txt: Asterisk Project Security Advisory - ASA-2007-013 (text/plain, 14.91 KB), created by Rajiv Aaron Manglani, 2007-05-04 16:57 0000

Bug 177062 depends on: 171884

Description:   Opened: 2007-05-04 16:56 0000
From: Kevin P. Fleming <kpfleming@digium.com>
To: undisclosed-recipients:  ;
Date: Fri, 04 May 2007 11:20:02 -0500
Subject: [asterisk-announce] ASA-2007-013: IAX2 users can cause unauthorized
        data disclosure

>                     Asterisk Project Security Advisory - ASA-2007-013
>
>    +----------------------------------------------------------------------------------+
>    |       Product        | Asterisk                                                  |
>    |----------------------+-----------------------------------------------------------|
>    |       Summary        | IAX2 users can cause unauthorized data disclosure         |
>    |----------------------+-----------------------------------------------------------|
>    |  Nature of Advisory  | Unauthorized information disclosure                       |
>    |----------------------+-----------------------------------------------------------|
>    |    Susceptibility    | Remote authenticated sessions                             |
>    |----------------------+-----------------------------------------------------------|
>    |       Severity       | Low                                                       |
>    |----------------------+-----------------------------------------------------------|
>    |    Exploits Known    | No                                                        |
>    |----------------------+-----------------------------------------------------------|
>    |     Reported On      | April 27, 2007                                            |
>    |----------------------+-----------------------------------------------------------|
>    |     Reported By      | Tim Panton, Mexuar, <tim@mexuar.com>                      |
>    |                      |                                                           |
>    |                      | Birgit Arkesteijn, Westhawk, <birgit@westhawk.co.uk>      |
>    |----------------------+-----------------------------------------------------------|
>    |      Posted On       | May 4, 2007                                               |
>    |----------------------+-----------------------------------------------------------|
>    |   Last Updated On    | May 4, 2007                                               |
>    |----------------------+-----------------------------------------------------------|
>    |   Advisory Contact   | kpfleming@digium.com                                      |
>    |----------------------+-----------------------------------------------------------|
>    |       CVE Name       | CVE-2007-2488                                             |
>    +----------------------------------------------------------------------------------+
>
[truncated due to bugzilla limit]

will attach full notice...

------- Comment #1 From Rajiv Aaron Manglani 2007-05-04 16:57:53 0000 -------
Created an attachment (id=118159) [details]
Asterisk Project Security Advisory - ASA-2007-013

------- Comment #2 From Sune Kloppenborg Jeppesen 2007-05-05 06:48:29 0000 -------
voip please advise and bump as necessary.

------- Comment #3 From Pierre-Yves Rofes 2007-05-31 09:41:50 0000 -------
any news here?

------- Comment #4 From Sune Kloppenborg Jeppesen 2007-06-08 06:43:56 0000 -------
SUSE fixed this issue.

------- Comment #5 From Gustavo Zacarias (RETIRED) 2007-07-12 21:37:31 0000 -------
asterisk-1.2.21.1 is in and this is supposed to be fixed in >1.2.19 according
to digium (though the ChangeLog doesn't explicitly say so).
I'll dig further, in any case 1.2.21.1 should go stable for security bug
#171884.

------- Comment #6 From Pierre-Yves Rofes 2007-07-14 22:27:51 0000 -------
stabling is done on bug #171884

------- Comment #7 From Pierre-Yves Rofes 2007-07-24 11:39:04 0000 -------
Now that it's stable, time to vote for this one. Not sure about the impact,
description says it could cause segv but it seems the attacker can't control
the data to create a buffer overflow so I tend to vote no.

------- Comment #8 From Sune Kloppenborg Jeppesen 2007-07-25 05:31:20 0000 -------
I tend to vote NO on this one, but otoh we could just combine it with bug
#185713.

------- Comment #9 From Matt Drew 2007-07-25 22:55:50 0000 -------
I vote no.

------- Comment #10 From Pierre-Yves Rofes 2007-07-29 22:04:05 0000 -------
Agreed with Jaervosz, we'll release a GLSA for bug 185713 anyway, so closing
this one. Feel free to reopen if you disagree.
