Multiple security holes in Asterisk

Bug #110066 reported by magilus
Affects | Status | Importance | Assigned to | Milestone
asterisk (Ubuntu) | Fix Released | High | Unassigned |
Edgy | Fix Released | High | Kees Cook |
Feisty | Fix Released | High | Kees Cook |
Nominated for Dapper by Kees Cook

Bug Description

Binary package hint: asterisk

Multiple security holes have been fixed in Asterisk 1.2.18.

These are:

http://lists.grok.org.uk/pipermail/full-disclosure/2007-April/053969.html

http://lists.grok.org.uk/pipermail/full-disclosure/2007-April/053967.html

http://lists.grok.org.uk/pipermail/full-disclosure/2007-April/053968.html

I'd like to provide fixes for the issues, but I am sadly somewhat busy currently, so I cannot do them :(


magilus (magilus)
Changed in asterisk:
importance: Undecided → High
status: Unconfirmed → Confirmed
magilus (magilus) wrote :

ASA-2007-010 only applies to 1.4

magilus (magilus) wrote :

As no one seems to want to fix it, I will do it for Edgy + Feisty.

Changed in asterisk:
assignee: nobody → pirast
magilus (magilus) wrote :

Feisty debdiff against Asterisk. I will test build it and look if it still runs :)

magilus (magilus) wrote :

Edgy debdiff against Asterisk. I will test build it and look if it still runs.

magilus (magilus) wrote :

Feisty thingy installs fine and runs fine.

magilus (magilus) wrote :

Edgy thingy installs fine, runs fine also.

magilus (magilus) wrote :

Kees, Martin, please apply :)

magilus (magilus)
Changed in asterisk:
assignee: nobody → pirast
importance: Undecided → High
status: Unconfirmed → Confirmed
importance: Undecided → High
status: Unconfirmed → Confirmed
assignee: nobody → pirast
assignee: pirast → nobody
magilus (magilus) wrote :

Kees, would you mind committing the fixes? They have been lying around here for more than 14 days.

Changed in asterisk:
assignee: pirast → keescook
assignee: pirast → keescook
magilus (magilus) wrote :

Any updates on this? It is somewhat frustrating to see my work not being committed.

Kees Cook (kees) wrote :

Hi Martin,

I apologize for the delay; I've been very busy the last few weeks (UDS, then catch-up, and now kernel security updates). I will process these today. Thank you for getting them tested!

Kees Cook (kees) wrote :

Thanks again! I adjusted your changelog to reflect the added patch filename and to include the CVEs that were assigned for these vulnerabilities. Beyond that your debdiff looked great, and built fine for me. I've sponsored the uploads. :)

Changed in asterisk:
status: Confirmed → Fix Released
status: Confirmed → Fix Released
magilus (magilus) wrote :

Alright, thanks Kees :)

magilus (magilus) wrote :

1.4.4 in devrelease which fixes that issue.

Changed in asterisk:
status: Confirmed → Fix Released
This report contains Public Security information  
Everyone can see this security related information.
