Two security issues in Asterisk

Bug #42472 reported by Mattias Bergsten
Affects: asterisk (Ubuntu)
Status: Fix Released
Importance: High
Assigned to: MOTU

Bug Description

Debian today released updates to their Asterisk packages due to two problems, CVE-2005-3559 and CVE-2006-1827.

CVE-2005-3559 is being able to retrieve someone else's recordings, and CVE-2006-1827 is a buffer overflow in the format_jpeg module.

This has been fixed by Digium in 1.2.7.

Might I suggest a port of Debian's patched 1.2.7, seeing as how Ubuntu is stuck with 1.2.1? (Yes, I know it's universe.)

Chuck Short (zulcss) wrote :

Security fix needed

Loic Pefferkorn (loic)
Changed in asterisk:
assignee: nobody → motu
status: Unconfirmed → Confirmed
Chuck Short (zulcss) wrote :

I have verified the fixes are already present in our version of asterisk.

Changed in asterisk:
status: Confirmed → Fix Released
This report contains Public Security information  
Everyone can see this security related information.
