Bugzilla – Bug 269387
VUL-0: Multiple security holes in Asterisk
Last modified: 2009-10-13 23:16:16 UTC
Multiple security holes have been fixed in Asterisk 1.2.18. These are:
http://lists.grok.org.uk/pipermail/full-disclosure/2007-April/053969.html
http://lists.grok.org.uk/pipermail/full-disclosure/2007-April/053967.html
http://lists.grok.org.uk/pipermail/full-disclosure/2007-April/053968.html
ASA-2007-010 only applies to 1.4.
http://svn.digium.com/view/asterisk/branches/1.2/channels/chan_sip.c?r1=58847&r2=59194 fixes ASA-2007-011
http://svn.digium.com/view/asterisk/branches/1.2/manager.c?r1=60134&r2=61786 fixes ASA-2007-012
It should also be checked whether other older security issues are not yet fixed in Asterisk in 10.2. List of security issues in Asterisk as of the 1.2.13 release:
http://asterisk.org/node/48319
Patch: http://svn.digium.com/view/asterisk/branches/1.2/channels/chan_sip.c?r1=56230&r2=57475
http://asterisk.org/node/48339
Patch: http://svn.digium.com/view/asterisk/branches/1.2/channels/chan_sip.c?r1=58115&r2=58579
http://lists.grok.org.uk/pipermail/full-disclosure/2007-April/053967.html
Patch: http://svn.digium.com/view/asterisk/branches/1.2/channels/chan_sip.c?r1=58847&r2=59194
http://lists.grok.org.uk/pipermail/full-disclosure/2007-April/053968.html
Patch: http://svn.digium.com/view/asterisk/branches/1.2/manager.c?r1=60134&r2=61786
Thanks for the links. The issues that affect asterisk version we ship are just DoS bugs AFAICS so they are not that urgent. Reassigning to maintainer.
*** Bug 267826 has been marked as a duplicate of this bug. ***
ASA-2007-011 is CVE-2007-2297
ASA-2007-012 is CVE-2007-2294
Patched package submitted to 10.1 and 10.2.
tracked in #251177
Finally released the updates.
CVE-2007-2297: CVSS v2 Base Score: 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C)