
Debian: Security update for asterisk

Several vulnerabilities have been discovered in Asterisk, an Open Source PBX and telephony toolkit. Matthew Nicholson discovered that incorrect handling of UDPTL packets may lead to denial of service or the execution of arbitrary code. Blake Cornell discovered that incorrect connection handling in the manager interface may lead to denial of service. Blake Cornell and Chris May discovered that incorrect TCP connection handling may lead to denial of service. Tzafrir Cohen discovered that insufficient limitation of connection requests in several TCP based services may lead to denial of service. Matthew Nicholson discovered a privilege escalation vulnerability in the manager interface. Updated packages are available from security.debian.org.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -------------------------------------------------------------------------
Debian Security Advisory DSA-2225-1                   security@debian.org
http://www.debian.org/security/                        Moritz Muehlenhoff
April 25, 2011                         http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : asterisk
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2011-1147 CVE-2011-1174 CVE-2011-1175 CVE-2011-1507
                 CVE-2011-1599

Several vulnerabilities have been discovered in Asterisk, an Open Source
PBX and telephony toolkit.

CVE-2011-1147

  Matthew Nicholson discovered that incorrect handling of UDPTL packets
  may lead to denial of service or the execution of arbitrary code.

CVE-2011-1174

  Blake Cornell discovered that incorrect connection handling in the
  manager interface may lead to denial of service.

CVE-2011-1175

  Blake Cornell and Chris May discovered that incorrect TCP connection
  handling may lead to denial of service.

CVE-2011-1507

  Tzafrir Cohen discovered that insufficient limitation of connection
  requests in several TCP based services may lead to denial of service.
  Please see http://downloads.asterisk.org/pub/security/AST-2011-005.html
  for details.

CVE-2011-1599

  Matthew Nicholson discovered a privilege escalation vulnerability in
  the manager interface.

For the oldstable distribution (lenny), this problem has been fixed in
version 1:1.4.21.2~dfsg-3+lenny2.1.

For the stable distribution (squeeze), this problem has been fixed in
version 1:1.6.2.9-2+squeeze2.

For the unstable distribution (sid), this problem has been fixed in
version 1:1.8.3.3-1.

We recommend that you upgrade your asterisk packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iEYEARECAAYFAk23MkoACgkQXm3vHE4uylpRYgCfWPDbxiPGnttXbD2IsGIU5gCY
HvQAoI41NDHcwXIt45MWJZUurtmVzL7r
=yGwo
-----END PGP SIGNATURE-----