Launchpad.net

CVE 2007-6170

SQL injection vulnerability in the Call Detail Record Postgres logging engine (cdr_pgsql) in Asterisk 1.4.x before 1.4.15, 1.2.x before 1.2.25, B.x before B.2.3.4, and C.x before C.1.0-beta6 allows remote authenticated users to execute arbitrary SQL commands via (1) ANI and (2) DNIS arguments.

Related bugs and status

CVE-2007-6170 (Candidate) is related to these bugs:

Bug #173610: [asterisk] [CVE-2007-6170] missing input sanitising

		In	Importance	Status
173610	[asterisk] [CVE-2007-6170] missing input sanitising	asterisk (Ubuntu)	High	Fix Released
173610	[asterisk] [CVE-2007-6170] missing input sanitising	asterisk (Ubuntu Dapper)	High	Won't Fix
173610	[asterisk] [CVE-2007-6170] missing input sanitising	asterisk (Ubuntu Edgy)	High	Won't Fix
173610	[asterisk] [CVE-2007-6170] missing input sanitising	asterisk (Ubuntu Feisty)	High	Won't Fix
173610	[asterisk] [CVE-2007-6170] missing input sanitising	asterisk (Ubuntu Gutsy)	High	Won't Fix
173610	[asterisk] [CVE-2007-6170] missing input sanitising	asterisk (Ubuntu Hardy)	High	Fix Released

See the

CVE page on Mitre.org for more details.

References

CONFIRM: http://downloads.digiu...
BID: 26647
DEBIAN: DSA-1417
SECTRACK: 1019020
SECUNIA: 27827
SECUNIA: 27892
SUSE: SUSE-SR:2008:005
SECUNIA: 29242
GENTOO: GLSA-200804-13
SECUNIA: 29782
VUPEN: ADV-2007-4056
XF: asterisk-cdrpqsql-sql-...
BUGTRAQ: 20071129 AST-2007-026 ...