Bug 141551 - net-misc/asterisk IAX2 DoS Vulnerability
Summary: net-misc/asterisk IAX2 DoS Vulnerability
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High minor
Assignee: Gentoo Security
URL: http://www.asterisk.org/node/99
Whiteboard: B3 [] jaervosz
Depends on: 144941
Reported: 2006-07-24 00:07 UTC by Sune Kloppenborg Jeppesen (RETIRED)
Modified: 2006-11-16 06:28 UTC
Description Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-07-24 00:07:50 UTC
Recently, ISS posted a report about a Denial of Service vulnerability in Asterisk's IAX2 implementation. This vulnerability exists in all existing IAX2 implementations that accept incoming calls (not just Asterisk), and relates to the amount of time that a pending (but not yet authenticated) call is allowed to exist in memory on the server.
In response to this report, we recently released Asterisk 1.2.10, which provides a configuration option that the administrator can use to combat this activity. This option is called 'maxauthreq' and is available at the global level and for type=user entries in iax.conf (it is not needed for type=peer entries, since peers cannot place calls into the Asterisk server). Since this is a release branch of Asterisk, we were not comfortable changing the default behavior, so this new option defaults to zero, which means there is no limit in place.
We urge all users with Asterisk servers connected to public (or otherwise uncontrolled) networks to upgrade to Asterisk 1.2.10 and set this configuration option to a reasonable value; for most IAX2 user accounts a value of three will be more than adequate. If the user attempts to place more calls than are allowed without providing authentication information for some of them, the additional requests will be denied without requesting authentication information and without preserving the call information in memory for the normal period of time.
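As an added defender's check (not Gentoo's or Asterisk's own code), the following Python script parses an iax.conf and lists the type=user entries whose effective maxauthreq is still 0, applying the precedence described above (a per-user value overrides the global one, and anything unset means no limit); the sample configuration is constructed for the example.

```python
import re

# Constructed sample iax.conf: explicit 0, inherited default, hardened, and a peer.
SAMPLE_IAX_CONF = """\
[general]
; maxauthreq left unset: Asterisk 1.2.10 defaults it to 0 (no limit)
[alice]
type=user
maxauthreq=0
[bob]
type=user
[carol]
type=user
maxauthreq=3
[trunk-provider]
type=peer
host=192.0.2.10
"""

def parse_iax_conf(text):
    """Minimal parser for Asterisk's INI-like iax.conf: {section: {key: value}},
    ignoring ';' comments and blank lines."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"^\[([^\]]+)\]", line)
        if m:
            current = m.group(1)
            sections[current] = {}
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][key.strip()] = value.strip()
    return sections

def unlimited_iax_users(text):
    """Return type=user entries whose effective maxauthreq is 0 (no limit).
    A per-user value overrides [general]; an unset value resolves to 0."""
    conf = parse_iax_conf(text)
    default = int(conf.get("general", {}).get("maxauthreq", 0))
    findings = []
    for name, entry in conf.items():
        if entry.get("type") != "user":
            continue  # peers cannot place calls into the server; option not needed
        if int(entry.get("maxauthreq", default)) <= 0:
            findings.append(name)
    return findings
```

Run it against the real /etc/asterisk/iax.conf on an upgraded 1.2.10 host to see which user accounts still need a limit (the advisory suggests 3 for most).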
Comment 1 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-07-24 00:08:43 UTC
voip, please advise and provide an updated ebuild.
Comment 2 Thierry Carrez (RETIRED) gentoo-dev 2006-08-12 05:28:24 UTC
voip, please bump to 1.2.10
Comment 3 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-09-13 23:24:21 UTC
Handling stable marking of 1.2.11 on bug #144941
Comment 4 Alin Năstac (RETIRED) gentoo-dev 2006-11-02 07:17:02 UTC
Isn't this bug imbricated in bug 144941? If so, shouldn't it be closed?
Comment 5 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-11-16 06:28:53 UTC
You're right, Alin, this was covered by GLSA 200610-15.