Bugzilla – Bug 269387
VUL-0: Multiple security holes in Asterisk
Last modified: 2009-10-13 23:16:16 UTC
Multiple security holes have been fixed in Asterisk 1.2.18.
ASA-2007-010 only applies to 1.4
http://svn.digium.com/view/asterisk/branches/1.2/channels/chan_sip.c?r1=58847&r2=59194 fixes ASA-2007-011
http://svn.digium.com/view/asterisk/branches/1.2/manager.c?r1=60134&r2=61786 fixes ASA-2007-012
It should also be checked whether other older security issues are not yet fixed in the Asterisk in 10.2. List of security issues in Asterisk as of 1.2.13 release:
Thanks for the links. The issues that affect the asterisk version we ship are just DoS bugs AFAICS so they are not that urgent. Reassigning to maintainer.
*** Bug 267826 has been marked as a duplicate of this bug. ***
ASA-2007-011 is CVE-2007-2297
ASA-2007-012 is CVE-2007-2294
Patched package submitted to 10.1 and 10.2.
tracked in #251177
finally released the updates.
CVE-2007-2297: CVSS v2 Base Score: 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C)