CVE-2010-0441 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0441): Asterisk Open Source 1.6.0.x before 1.6.0.22, 1.6.1.x before 1.6.1.14, and 1.6.2.x before 1.6.2.2, and Business Edition C.3 before C.3.3.2, allows remote attackers to cause a denial of service (daemon crash) via an SIP T.38 negotiation with an SDP FaxMaxDatagram field that is (1) missing, (2) modified to contain a negative number, or (3) modified to contain a large number.
CVE-2010-0685 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0685): The design of the dialplan functionality in Asterisk Open Source 1.2.x, 1.4.x, and 1.6.x; and Asterisk Business Edition B.x.x and C.x.x, when using the ${EXTEN} channel variable and wildcard pattern matches, allows context-dependent attackers to inject strings into the dialplan using metacharacters that are injected when the variable is expanded, as demonstrated using the Dial application to process a crafted SIP INVITE message that adds an unintended outgoing channel leg. NOTE: it could be argued that this is not a vulnerability in Asterisk, but a class of vulnerabilities that can occur in any program that uses this feature without the associated filtering functionality that is already available.
To confirm, sufficiently new ebuilds are in the tree, vulnerable ebuilds have been purged. This happened two weeks ago: *asterisk-1.6.2.4 (21 Feb 2010) *asterisk-1.6.1.16 (21 Feb 2010) 21 Feb 2010; <chainsaw@gentoo.org> +asterisk-1.6.1.16.ebuild, -asterisk-1.6.2.2.ebuild, -asterisk-1.6.2.2-r1.ebuild, +asterisk-1.6.2.4.ebuild: Security fix for AST-2010-002 (dial plan wildcard injection vulnerability) on the 1.6.1 & 1.6.2 branches. Please read up immediately on the use of the Filter command. Deleted vulnerable old ebuilds. If there is anything for me to do, please clarify.
The other vulnerability that you mention is older and was dealt with even earlier: *asterisk-1.6.1.14 (02 Feb 2010) 02 Feb 2010; <chainsaw@gentoo.org> -asterisk-1.6.1.12-r1.ebuild, -asterisk-1.6.1.13.ebuild, +asterisk-1.6.1.14.ebuild: Security update for AST-2010-001; remote T.38 over SIP crash by setting FaxMaxDatagram to a negative or exceptionally large value. Init script update by Jaco Kroon closes bug #303265. Remove vulnerable 1.6.1 branch ebuilds. *asterisk-1.6.2.2 (02 Feb 2010) 02 Feb 2010; <chainsaw@gentoo.org> +files/1.6.1/asterisk.initd3, -asterisk-1.6.2.0.ebuild, -asterisk-1.6.2.1.ebuild, +asterisk-1.6.2.2.ebuild: Security update for AST-2010-001; remote T.38 over SIP crash by setting FaxMaxDatagram to a negative or exceptionally large value. Init script update by Jaco Kroon closes bug #303265. Remove vulnerable 1.6.2 branch ebuilds.
Sorry! *** This bug has been marked as a duplicate of bug 303265 ***