Articles / Debian: New asterisk packag…

Debian: New asterisk packages fix several vulnerabilities

Several remote vulnerabilities have been discovered in Asterisk, a free software PBX and telephony toolkit. "Mu Security" discovered that a NULL pointer deference in the SIP implementation could lead to denial of service. Inria Lorraine discovered that a programming error in the SIP implementation could lead to denial of service. It was discovered that a NULL pointer deference in the manager interface could lead to denial of service. It was discovered that a programming error in the SIP implementation could lead to denial of service. Tim Panton and Birgit Arkestein discovered that a programming error in the IAX2 implementation could lead to information disclosure. Russell Bryant discovered that a buffer overflow in the IAX implementation could lead to the execution of arbitrary code. Chris Clark and Zane Lackey discovered that several NULL pointer deferences in the IAX2 implementation could lead to denial of service. Will Drewry discovered that a programming error in the Skinny implementation could lead to denial of service. Fixed packages are available from security.debian.org.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 1358-1                    security@debian.org
http://www.debian.org/security/                         Moritz Muehlenhoff
August 26th, 2007                       http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : asterisk
Vulnerability  : several
Problem-Type   : remote
Debian-specific: no
CVE ID         : CVE-2007-1306 CVE-2007-1561 CVE-2007-2294 CVE-2007-2297 CVE-2007-2488 CVE-2007-3762 CVE-2007-3763 CVE-2007-3764

Several remote vulnerabilities have been discovered in Asterisk, a free
software PBX and telephony toolkit. The Common Vulnerabilities and
Exposures project identifies the following problems:

CVE-2007-1306

    "Mu Security" discovered that a NULL pointer deference in the SIP
    implementation could lead to denial of service.

CVE-2007-1561

    Inria Lorraine discovered that a programming error in the SIP
    implementation could lead to denial of service.

CVE-2007-2294

    It was discovered that a NULL pointer deference in the manager
    interface could lead to denial of service.

CVE-2007-2297

    It was discovered that a programming error in the SIP implementation
    could lead to denial of service.

CVE-2007-2488

    Tim Panton and Birgit Arkestein discovered that a programming error
    in the IAX2 implementation could lead to information disclosure.

CVE-2007-3762

    Russell Bryant discovered that a buffer overflow in the IAX
    implementation could lead to the execution of arbitrary code.

CVE-2007-3763

    Chris Clark and Zane Lackey discovered that several NULL pointer
    deferences in the IAX2 implementation could lead to denial of
    service.

CVE-2007-3764

    Will Drewry discovered that a programming error in the Skinny
    implementation could lead to denial of service.

For the oldstable distribution (sarge) these problems have been fixed in
version 1.0.7.dfsg.1-2sarge5.

For the stable distribution (etch) these problems have been fixed
in version 1:1.2.13~dfsg-2etch1.

For the unstable distribution (sid) these problems have been fixed in
version 1:1.4.11~dfsg-1.

We recommend that you upgrade your Asterisk packages.


Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 3.1 alias sarge
- --------------------------------

  Source archives:

    http://security.debian.org/pool/updates/main/a/asterisk/asterisk_1.0.7.dfsg.1-2sarge5.dsc
      Size/MD5 checksum:     1299 9990edac549f774358a79d593ff43a2d
    http://security.debian.org/pool/updates/main/a/asterisk/asterisk_1.0.7.dfsg.1-2sarge5.diff.gz
      Size/MD5 checksum:    72628 a792656a9b891c48038f16ed102da075
    http://security.debian.org/pool/updates/main/a/asterisk/asterisk_1.0.7.dfsg.1.orig.tar.gz
      Size/MD5 checksum:  2929488 0d0f718ccd7a06ab998c3f637df294c0

  Architecture independent components:

    http://security.debian.org/pool/updates/main/a/asterisk/asterisk-config_1.0.7.dfsg.1-2sarge5_all.deb
      Size/MD5 checksum:    62122 4488dbad49606db2bb69979c6de5d9a1
    http://security.debian.org/pool/updates/main/a/asterisk/asterisk-dev_1.0.7.dfsg.1-2sarge5_all.deb
      Size/MD5 checksum:    83904 01ec5e039b1f34c512a3816d0ff14290
    http://security.debian.org/pool/updates/main/a/asterisk/asterisk-doc_1.0.7.dfsg.1-2sarge5_all.deb
      Size/MD5 checksum:  1578092 3bc955e7f50c8ee2ab0877c9bf6d7e27
    http://security.debian.org/pool/updates/main/a/asterisk/asterisk-sounds-main_1.0.7.dfsg.1-2sarge5_all.deb
      Size/MD5 checksum:  1180686 9b2af441ef41584b0ab64ed253400ed2
    http://security.debian.org/pool/updates/main/a/asterisk/asterisk-web-vmail_1.0.7.dfsg.1-2sarge5_all.deb
      Size/MD5 checksum:    28906 f487ba4ae90a38dac7d7892994977e78

  Alpha architecture:

    http://security.debian.org/pool/updates/main/a/asterisk/asterisk_1.0.7.dfsg.1-2sarge5_alpha.deb
      Size/MD5 checksum:  1503206 a87cb7693d1e6ef9fa72725a07c58700
    http://security.debian.org/pool/updates/main/a/asterisk/asterisk-gtk-console_1.0.7.dfsg.1-2sarge5_alpha.deb
      Size/MD5 checksum:    32282 15e30b5844a0436208fae8aef3bb8128
    http://security.debian.org/pool/updates/main/a/asterisk/asterisk-h323_1.0.7.dfsg.1-2sarge5_alpha.deb
      Size/MD5 checksum:    21684 65d467d776b77d4af8e7ba9695ea855f

  AMD64 architecture:

    http://security.debian.org/pool/updates/main/a/asterisk/asterisk_1.0.7.dfsg.1-2sarge5_amd64.deb
      Size/MD5 checksum:  1333966 35dea08bbb3e3ae98622bfc8e2395efa
    http://security.debian.org/pool/updates/main/a/asterisk/asterisk-gtk-console_1.0.7.dfsg.1-2sarge5_amd64.deb
      Size/MD5 checksum:    31364 b4738c7141ebdb63ff40c4ec51db182d
    http://security.debian.org/pool/updates/main/a/asterisk/asterisk-h323_1.0.7.dfsg.1-2sarge5_amd64.deb
      Size/MD5 checksum:    21968 04e606d2f26e1b896e2c1e4b3afc0024

  ARM architecture:

    http://security.debian.org/pool/updates/main/a/asterisk/asterisk_1.0.7.dfsg.1-2sarge5_arm.deb
      Size/MD5 checksum:  1285102 17b0f44fe5799119c6a77aba693b1387
    http://security.debian.org/pool/updates/main/a/asterisk/asterisk-gtk-console_1.0.7.dfsg.1-2sarge5_arm.deb
      Size/MD5 checksum:    30220 c7d9b2469dda7a56b2cbf37514e983a5
    http://security.debian.org/pool/updates/main/a/asterisk/asterisk-h323_1.0.7.dfsg.1-2sarge5_arm.deb
      Size/MD5 checksum:    21976 aa7e96d4660b32f99fbc23945b9ab92f

  HP Precision architecture:

    http://security.debian.org/pool/updates/main/a/asterisk/asterisk_1.0.7.dfsg.1-2sarge5_hppa.deb
      Size/MD5 checksum:  1448684 baf5d73032d0075fdc54aa8bc12624f3
    http://security.debian.org/pool/updates/main/a/asterisk/asterisk-gtk-console_1.0.7.dfsg.1-2sarge5_hppa.deb
      Size/MD5 checksum:    32002 6e367939c617f4b86c1f9cc8ba1ed43c
    http://security.debian.org/pool/updates/main/a/asterisk/asterisk-h323_1.0.7.dfsg.1-2sarge5_hppa.deb
      Size/MD5 checksum:    21972 52e04cbfa198a686798e2aade3f5793d

  Intel IA-32 architecture:

    http://security.debian.org/pool/updates/main/a/asterisk/asterisk_1.0.7.dfsg.1-2sarge5_i386.deb
      Size/MD5 checksum:  1175672 332441ac023e066bfad2e4df2ee35b82
    http://security.debian.org/pool/updates/main/a/asterisk/asterisk-gtk-console_1.0.7.dfsg.1-2sarge5_i386.deb
      Size/MD5 checksum:    30384 714976ea15e1c161c77dff509d08af96
    http://security.debian.org/pool/updates/main/a/asterisk/asterisk-h323_1.0.7.dfsg.1-2sarge5_i386.deb
      Size/MD5 checksum:    21968 d1ee35f3e22dcd4a5319ae5b15817d0b

  Intel IA-64 architecture:

    http://security.debian.org/pool/updates/main/a/asterisk/asterisk_1.0.7.dfsg.1-2sarge5_ia64.deb
      Size/MD5 checksum:  1772012 ac19b785773eb877c29edb5a91c31767
    http://security.debian.org/pool/updates/main/a/asterisk/asterisk-gtk-console_1.0.7.dfsg.1-2sarge5_ia64.deb
      Size/MD5 checksum:    33496 e1d9e1ceff20bd7bbd0c137239034b75
    http://security.debian.org/pool/updates/main/a/asterisk/asterisk-h323_1.0.7.dfsg.1-2sarge5_ia64.deb
      Size/MD5 checksum:    21966 f9b6ef26db22f14cb1a52e2b1a135c47

  Motorola 680x0 architecture:

    http://security.debian.org/pool/updates/main/a/asterisk/asterisk_1.0.7.dfsg.1-2sarge5_m68k.deb
      Size/MD5 checksum:  1185624 aef06cbcb10c08ced6a8238b4a272fd8
    http://security.debian.org/pool/updates/main/a/asterisk/asterisk-gtk-console_1.0.7.dfsg.1-2sarge5_m68k.deb
      Size/MD5 checksum:    30750 8374561c75228f55694d1b941036294d
    http://security.debian.org/pool/updates/main/a/asterisk/asterisk-h323_1.0.7.dfsg.1-2sarge5_m68k.deb
      Size/MD5 checksum:    21976 983356c74964bc23471196afaed70837

  Big endian MIPS architecture:

    http://security.debian.org/pool/updates/main/a/asterisk/asterisk_1.0.7.dfsg.1-2sarge5_mips.deb
      Size/MD5 checksum:  1264660 66d0b46d774ab9c61979b91fa1383593
    http://security.debian.org/pool/updates/main/a/asterisk/asterisk-gtk-console_1.0.7.dfsg.1-2sarge5_mips.deb
      Size/MD5 checksum:    29964 8f58fa68511d70e3490df77fdfd5d3ca
    http://security.debian.org/pool/updates/main/a/asterisk/asterisk-h323_1.0.7.dfsg.1-2sarge5_mips.deb
      Size/MD5 checksum:    21972 46082fca9c342a46404ef189e1f1b635

  Little endian MIPS architecture:

    http://security.debian.org/pool/updates/main/a/asterisk/asterisk_1.0.7.dfsg.1-2sarge5_mipsel.deb
      Size/MD5 checksum:  1270922 0528f3b6609060164bb81a1d19441eac
    http://security.debian.org/pool/updates/main/a/asterisk/asterisk-gtk-console_1.0.7.dfsg.1-2sarge5_mipsel.deb
      Size/MD5 checksum:    29894 888c2904eaf40955ffcb6856e9ce2b55
    http://security.debian.org/pool/updates/main/a/asterisk/asterisk-h323_1.0.7.dfsg.1-2sarge5_mipsel.deb
      Size/MD5 checksum:    21974 a00d005468404f9b1b0c55f2f3e25c6b

  PowerPC architecture:

    http://security.debian.org/pool/updates/main/a/asterisk/asterisk_1.0.7.dfsg.1-2sarge5_powerpc.deb
      Size/MD5 checksum:  1422660 c2a3998e7716bc7215cad1d61329e161
    http://security.debian.org/pool/updates/main/a/asterisk/asterisk-gtk-console_1.0.7.dfsg.1-2sarge5_powerpc.deb
      Size/MD5 checksum:    31694 44e05fd82fd1fef08a350805338168dc
    http://security.debian.org/pool/updates/main/a/asterisk/asterisk-h323_1.0.7.dfsg.1-2sarge5_powerpc.deb
      Size/MD5 checksum:    21970 83d4645426d80b755fac8e0a722a049b

  IBM S/390 architecture:

    http://security.debian.org/pool/updates/main/a/asterisk/asterisk_1.0.7.dfsg.1-2sarge5_s390.deb
      Size/MD5 checksum:  1313194 883d197378cb2499dbea7b36f9f71015
    http://security.debian.org/pool/updates/main/a/asterisk/asterisk-gtk-console_1.0.7.dfsg.1-2sarge5_s390.deb
      Size/MD5 checksum:    31384 dff2953d4456c1b4f6369f2e80935dd1
    http://security.debian.org/pool/updates/main/a/asterisk/asterisk-h323_1.0.7.dfsg.1-2sarge5_s390.deb
      Size/MD5 checksum:    21972 2c0deaf9b334082ad5f388e964f74295

  Sun Sparc architecture:

    http://security.debian.org/pool/updates/main/a/asterisk/asterisk_1.0.7.dfsg.1-2sarge5_sparc.deb
      Size/MD5 checksum:  1274948 1edf4c192e12a07d9f634701997b9401
    http://security.debian.org/pool/updates/main/a/asterisk/asterisk-gtk-console_1.0.7.dfsg.1-2sarge5_sparc.deb
      Size/MD5 checksum:    30342 c43e227874341d532402f62b662ec045
    http://security.debian.org/pool/updates/main/a/asterisk/asterisk-h323_1.0.7.dfsg.1-2sarge5_sparc.deb
      Size/MD5 checksum:    21976 1b0665679c70823fceafacedc84c33dd


Debian GNU/Linux 4.0 alias etch
- -------------------------------

  Source archives:

    http://security.debian.org/pool/updates/main/a/asterisk/asterisk_1.2.13~dfsg-2etch1.dsc
      Size/MD5 checksum:     1488 97a08cc08f7a14f50af5583f6cfaae89
    http://security.debian.org/pool/updates/main/a/asterisk/asterisk_1.2.13~dfsg-2etch1.diff.gz
      Size/MD5 checksum:   178578 b99340fd02758c851c28ae1e3c955d42
    http://security.debian.org/pool/updates/main/a/asterisk/asterisk_1.2.13~dfsg.orig.tar.gz
      Size/MD5 checksum:  3835589 f8ee088b2e4feffe2b35d78079f90b69

  Architecture independent components:

    http://security.debian.org/pool/updates/main/a/asterisk/asterisk-config_1.2.13~dfsg-2etch1_all.deb
      Size/MD5 checksum:   131626 53dd0cd1001f4e78b2b2016773d60e5c
    http://security.debian.org/pool/updates/main/a/asterisk/asterisk-dev_1.2.13~dfsg-2etch1_all.deb
      Size/MD5 checksum:   169902 3f0386aaaad741f88b25ec997e7af8dd
    http://security.debian.org/pool/updates/main/a/asterisk/asterisk-doc_1.2.13~dfsg-2etch1_all.deb
      Size/MD5 checksum:  1499930 23be47715b380082a03a35d8805a6211
    http://security.debian.org/pool/updates/main/a/asterisk/asterisk-sounds-main_1.2.13~dfsg-2etch1_all.deb
      Size/MD5 checksum:  1504542 e4ad12dc4a65fd9eaf8a58efc4def422
    http://security.debian.org/pool/updates/main/a/asterisk/asterisk-web-vmail_1.2.13~dfsg-2etch1_all.deb
      Size/MD5 checksum:    73698 6feb2b37089d8f828130cc21c8e79625
    http://security.debian.org/pool/updates/main/a/asterisk/asterisk_1.2.13~dfsg-2etch1_all.deb
      Size/MD5 checksum:   146440 d90b1991d6afd624e9f31668ef018587

  Alpha architecture:

    http://security.debian.org/pool/updates/main/a/asterisk/asterisk-bristuff_1.2.13~dfsg-2etch1_alpha.deb
      Size/MD5 checksum:  1934132 b322a206b3248e18a4ada8ecd87b7ded
    http://security.debian.org/pool/updates/main/a/asterisk/asterisk-classic_1.2.13~dfsg-2etch1_alpha.deb
      Size/MD5 checksum:  1897492 fa7a0e4791176049a7110b949384521d
    http://security.debian.org/pool/updates/main/a/asterisk/asterisk-h323_1.2.13~dfsg-2etch1_alpha.deb
      Size/MD5 checksum:   136926 41f35290480070e4831521847de74107

  AMD64 architecture:

    http://security.debian.org/pool/updates/main/a/asterisk/asterisk-bristuff_1.2.13~dfsg-2etch1_amd64.deb
      Size/MD5 checksum:  1752012 6541f884fe3fe9f48b4acc63cf693349
    http://security.debian.org/pool/updates/main/a/asterisk/asterisk-classic_1.2.13~dfsg-2etch1_amd64.deb
      Size/MD5 checksum:  1716992 cdf6e4ba213e5cfa3066f22f395ce98f
    http://security.debian.org/pool/updates/main/a/asterisk/asterisk-h323_1.2.13~dfsg-2etch1_amd64.deb
      Size/MD5 checksum:   133196 f8e1c9b4a8ab373f8bcba2aa000df651

  ARM architecture:

    http://security.debian.org/pool/updates/main/a/asterisk/asterisk-bristuff_1.2.13~dfsg-2etch1_arm.deb
      Size/MD5 checksum:  1700720 e0397a0396919650c8a6d5368aaf2334
    http://security.debian.org/pool/updates/main/a/asterisk/asterisk-classic_1.2.13~dfsg-2etch1_arm.deb
      Size/MD5 checksum:  1667510 6457678cf86c159d8238cd3845fa19e5
    http://security.debian.org/pool/updates/main/a/asterisk/asterisk-h323_1.2.13~dfsg-2etch1_arm.deb
      Size/MD5 checksum:   136300 b1db97740d639312a9fe81d1f1203aeb

  HP Precision architecture:

    http://security.debian.org/pool/updates/main/a/asterisk/asterisk-bristuff_1.2.13~dfsg-2etch1_hppa.deb
      Size/MD5 checksum:  1869060 7af81a120af617d6f8bd4a811ba81209
    http://security.debian.org/pool/updates/main/a/asterisk/asterisk-classic_1.2.13~dfsg-2etch1_hppa.deb
      Size/MD5 checksum:  1830320 ad3ca0f6130dd1730092e4a1ecd16300
    http://security.debian.org/pool/updates/main/a/asterisk/asterisk-h323_1.2.13~dfsg-2etch1_hppa.deb
      Size/MD5 checksum:   145084 68b9a07789c2f631d799e880a3b5760d

  Intel IA-32 architecture:

    http://security.debian.org/pool/updates/main/a/asterisk/asterisk-bristuff_1.2.13~dfsg-2etch1_i386.deb
      Size/MD5 checksum:  1648860 a4e6285b3a8859f93a52121468429ad3
    http://security.debian.org/pool/updates/main/a/asterisk/asterisk-classic_1.2.13~dfsg-2etch1_i386.deb
      Size/MD5 checksum:  1615580 f70eb637297095022cdbd859bddd8376
    http://security.debian.org/pool/updates/main/a/asterisk/asterisk-h323_1.2.13~dfsg-2etch1_i386.deb
      Size/MD5 checksum:   130820 76b1d7e76d2baae5857aa56a09e87652

  Intel IA-64 architecture:

    http://security.debian.org/pool/updates/main/a/asterisk/asterisk-bristuff_1.2.13~dfsg-2etch1_ia64.deb
      Size/MD5 checksum:  2394412 5ebec711b6e457c53f1193232bc4d3d8
    http://security.debian.org/pool/updates/main/a/asterisk/asterisk-classic_1.2.13~dfsg-2etch1_ia64.deb
      Size/MD5 checksum:  2348026 759e196b5702b5213387f21924541725
    http://security.debian.org/pool/updates/main/a/asterisk/asterisk-h323_1.2.13~dfsg-2etch1_ia64.deb
      Size/MD5 checksum:   149578 b288f2afa9155e69faff7823181abcab

  Big endian MIPS architecture:

    http://security.debian.org/pool/updates/main/a/asterisk/asterisk-bristuff_1.2.13~dfsg-2etch1_mips.deb
      Size/MD5 checksum:  1694260 c563cc857259855924323b1cb3ba1a00
    http://security.debian.org/pool/updates/main/a/asterisk/asterisk-classic_1.2.13~dfsg-2etch1_mips.deb
      Size/MD5 checksum:  1661664 8e47a70c83a8bbdb11f0dce83c2fe955
    http://security.debian.org/pool/updates/main/a/asterisk/asterisk-h323_1.2.13~dfsg-2etch1_mips.deb
      Size/MD5 checksum:   129886 52285a9197ecd9269b42024650717d9c

  PowerPC architecture:

    http://security.debian.org/pool/updates/main/a/asterisk/asterisk-bristuff_1.2.13~dfsg-2etch1_powerpc.deb
      Size/MD5 checksum:  1862936 52427bfe7b0189a99a983774c0a4b6d8
    http://security.debian.org/pool/updates/main/a/asterisk/asterisk-classic_1.2.13~dfsg-2etch1_powerpc.deb
      Size/MD5 checksum:  1824632 88d7faa382d4918e0e667fff2863e623
    http://security.debian.org/pool/updates/main/a/asterisk/asterisk-h323_1.2.13~dfsg-2etch1_powerpc.deb
      Size/MD5 checksum:   132946 f9a538e42c44d4ee7390e95bf53fa4d8

  IBM S/390 architecture:

    http://security.debian.org/pool/updates/main/a/asterisk/asterisk-bristuff_1.2.13~dfsg-2etch1_s390.deb
      Size/MD5 checksum:  1779980 75bbc48a8e0184278173a4edbab1bd5d
    http://security.debian.org/pool/updates/main/a/asterisk/asterisk-classic_1.2.13~dfsg-2etch1_s390.deb
      Size/MD5 checksum:  1743918 910d6863b1af755d619ff991b2f2163b
    http://security.debian.org/pool/updates/main/a/asterisk/asterisk-h323_1.2.13~dfsg-2etch1_s390.deb
      Size/MD5 checksum:   136414 7d0eb7a034f10319aa7fb538cc8fe5b2

  Sun Sparc architecture:

    http://security.debian.org/pool/updates/main/a/asterisk/asterisk-bristuff_1.2.13~dfsg-2etch1_sparc.deb
      Size/MD5 checksum:  1663536 cf93228c0e4142e626087f2c5b3722b3
    http://security.debian.org/pool/updates/main/a/asterisk/asterisk-classic_1.2.13~dfsg-2etch1_sparc.deb
      Size/MD5 checksum:  1631434 1d7acccfd9cfbcbd1ac1ee515487b3df
    http://security.debian.org/pool/updates/main/a/asterisk/asterisk-h323_1.2.13~dfsg-2etch1_sparc.deb
      Size/MD5 checksum:   132076 a99f330580f855205796726963251506


  These files will probably be moved into the stable distribution on
  its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show ' and http://packages.debian.org/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFG0TOdXm3vHE4uyloRAolkAJ4qOh6pEzlU4h6InrdmBHaNfxx8xACg7LHw
iVpmf4rvvkabFdhrBMbn41E=
=93l1
-----END PGP SIGNATURE-----
Screenshot

Project Spotlight

Kigo Video Converter Ultimate for Mac

A tool for converting and editing videos.

Screenshot

Project Spotlight

Kid3

An efficient tagger for MP3, Ogg/Vorbis, and FLAC files.