Summary: | <net-misc/asterisk-1.8.8.2 : SRTP Video Stream Negotiation DoS Vulnerability (CVE-2012-0885)
---|---
Product: | Gentoo Security
Reporter: | Agostino Sarubbo <ago>
Component: | Vulnerabilities
Assignee: | Gentoo Security <security>
Status: | RESOLVED FIXED
Severity: | minor
CC: | chainsaw, voip+disabled
Priority: | Normal
Version: | unspecified
Hardware: | All
OS: | Linux
URL: | https://secunia.com/advisories/47630/
Whiteboard: | B3 [glsa]
Package list: | 
Runtime testing required: | ---
Description

Agostino Sarubbo
2012-01-20 13:37:38 UTC

```
+*asterisk-10.0.1 (20 Jan 2012)
+*asterisk-1.8.8.2 (20 Jan 2012)
+
+  20 Jan 2012; Tony Vroon <chainsaw@gentoo.org> -asterisk-1.8.7.1.ebuild,
+  -asterisk-1.8.8.0.ebuild, +asterisk-1.8.8.2.ebuild,
+  -asterisk-10.0.0_rc3.ebuild, -asterisk-10.0.0.ebuild,
+  +asterisk-10.0.1.ebuild:
+  New releases on the 1.8 & 10 branches that address AST-2012-001 /
+  CVE-2012-0885 SRTP video remote crash vulnerability. Culled vulnerable
+  non-stable ebuilds.
```

Arches, please test & mark stable 1.8.8.2; if the daemon is able to stop & start repeatedly on the default configuration it is functional.

amd64 stable

x86 stable

@security: please vote

Thanks, everyone.

GLSA Vote: yes.

Upstream advisory: http://downloads.asterisk.org/pub/security/AST-2012-001.html

YES, too. New request filed.

CVE-2012-0885 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0885): chan_sip.c in Asterisk Open Source 1.8.x before 1.8.8.2 and 10.x before 10.0.1, when the res_srtp module is used and media support is improperly configured, allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via a crafted SDP message with a crypto attribute and a (1) video or (2) text media type, as demonstrated by CSipSimple.

This issue was resolved and addressed in GLSA 201202-06 at http://security.gentoo.org/glsa/glsa-201202-06.xml by GLSA coordinator Sean Amoss (ackle).
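A version-range check for the affected releases named in the CVE text above, written here as an added example; it is not code from this bug, from Gentoo or from the Asterisk project. It strips Gentoo ebuild suffixes (`_rc3`, `-r1`) so that the culled `10.0.0_rc3` compares as `10.0.0`, then compares the dotted version against the fixed releases 1.8.8.2 and 10.0.1. The `asterisk -V` / `asterisk -rx` invocations in the usage comment are assumptions about the host, not part of the bug; the crash also requires res_srtp to be loaded, which the version check alone does not establish.

```shell
#!/bin/sh
# Added example: is an Asterisk version in a range affected by CVE-2012-0885?
# Affected per the advisory text: 1.8.x before 1.8.8.2 and 10.x before 10.0.1.

# vercmp A B: print -1, 0 or 1 as dotted-decimal version A is <, = or > B.
vercmp() {
    vc_a="$1"; vc_b="$2"
    while [ -n "$vc_a" ] || [ -n "$vc_b" ]; do
        vc_ai="${vc_a%%.*}"; vc_bi="${vc_b%%.*}"
        [ -n "$vc_ai" ] || vc_ai=0      # a missing trailing component counts as 0
        [ -n "$vc_bi" ] || vc_bi=0
        if [ "$vc_ai" -lt "$vc_bi" ]; then printf '%s\n' -1; return 0; fi
        if [ "$vc_ai" -gt "$vc_bi" ]; then printf '%s\n' 1; return 0; fi
        case "$vc_a" in *.*) vc_a="${vc_a#*.}" ;; *) vc_a="" ;; esac
        case "$vc_b" in *.*) vc_b="${vc_b#*.}" ;; *) vc_b="" ;; esac
    done
    printf '%s\n' 0
}

# normalize_version V: drop Gentoo ebuild suffixes such as _rc3 or -r1,
# so the culled 10.0.0_rc3 ebuild compares as the upstream 10.0.0 release.
normalize_version() {
    nv="$1"
    nv="${nv%%-*}"
    nv="${nv%%_*}"
    printf '%s\n' "$nv"
}

# asterisk_affected V: return 0 (true) if V falls in an affected range.
asterisk_affected() {
    av="$(normalize_version "$1")"
    case "$av" in
        1.8|1.8.*) [ "$(vercmp "$av" 1.8.8.2)" -lt 0 ] ;;
        10|10.*)   [ "$(vercmp "$av" 10.0.1)" -lt 0 ] ;;
        *)         return 1 ;;  # branches the advisory does not name
    esac
}

# Usage on a host (assumption: asterisk is on PATH and prints "Asterisk X.Y.Z"):
#   v="$(asterisk -V | awk '{print $2}')"
#   asterisk_affected "$v" && echo "affected version: $v"
#   asterisk -rx 'module show like res_srtp'   # the crash needs res_srtp loaded
```

The version check is deliberately conservative: anything on the 1.8 or 10 branch below the fixed release is reported as affected, and a host on such a version without res_srtp loaded still wants the update before SRTP is enabled.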