From: Kevin P. Fleming <kpfleming@digium.com>
To: undisclosed-recipients: ;
Date: Fri, 04 May 2007 11:20:02 -0500
Subject: [asterisk-announce] ASA-2007-013: IAX2 users can cause unauthorized data disclosure

> Asterisk Project Security Advisory - ASA-2007-013
>
> +----------------------------------------------------------------------------------+
> | Product              | Asterisk                                                  |
> |----------------------+-----------------------------------------------------------|
> | Summary              | IAX2 users can cause unauthorized data disclosure         |
> |----------------------+-----------------------------------------------------------|
> | Nature of Advisory   | Unauthorized information disclosure                       |
> |----------------------+-----------------------------------------------------------|
> | Susceptibility       | Remote authenticated sessions                             |
> |----------------------+-----------------------------------------------------------|
> | Severity             | Low                                                       |
> |----------------------+-----------------------------------------------------------|
> | Exploits Known       | No                                                        |
> |----------------------+-----------------------------------------------------------|
> | Reported On          | April 27, 2007                                            |
> |----------------------+-----------------------------------------------------------|
> | Reported By          | Tim Panton, Mexuar, <tim@mexuar.com>                      |
> |                      |                                                           |
> |                      | Birgit Arkesteijn, Westhawk, <birgit@westhawk.co.uk>      |
> |----------------------+-----------------------------------------------------------|
> | Posted On            | May 4, 2007                                               |
> |----------------------+-----------------------------------------------------------|
> | Last Updated On      | May 4, 2007                                               |
> |----------------------+-----------------------------------------------------------|
> | Advisory Contact     | kpfleming@digium.com                                      |
> |----------------------+-----------------------------------------------------------|
> | CVE Name             | CVE-2007-2488                                             |
> +----------------------------------------------------------------------------------+
> [truncated due to bugzilla limit]

will attach full notice...
Created attachment 118159: Asterisk Project Security Advisory - ASA-2007-013
voip please advise and bump as necessary.
any news here?
SUSE fixed this issue.
asterisk-1.2.21.1 is in, and this is supposed to be fixed in >1.2.19 according to Digium (though the ChangeLog doesn't explicitly say so). I'll dig further; in any case 1.2.21.1 should go stable for security bug #171884.
stabling is done on bug #171884
Now that it's stable, time to vote for this one. Not sure about the impact: the description says it could cause a segv, but it seems the attacker can't control the data to create a buffer overflow, so I tend to vote no.
I tend to vote NO on this one, but OTOH we could just combine it with bug #185713.
I vote no.
Agreed with Jaervosz, we'll release a GLSA for bug 185713 anyway, so closing this one. Feel free to reopen if you disagree.