Hi. This message sounds very similar to our IAX2 problem.

Sent from my iPhone

On 30 May 2012, at 00:57, "Asterisk Security Team" <[email protected]> wrote:

> Asterisk Project Security Advisory - AST-2012-007
>
> Product              Asterisk
> Summary              Remote crash vulnerability in IAX2 channel driver.
> Nature of Advisory   Remote crash
> Susceptibility       Established calls
> Severity             Moderate
> Exploits Known       No
> Reported On          March 21, 2012
> Reported By          mgrobecker
> Posted On            May 29, 2012
> Last Updated On      May 29, 2012
> Advisory Contact     Richard Mudgett < rmudgett AT digium DOT com >
> CVE Name             CVE-2012-2947
>
> Description   A remotely exploitable crash vulnerability exists in the
>               IAX2 channel driver if an established call is placed on
>               hold without a suggested music class. For this to occur,
>               the following must take place:
>
>               1. The setting mohinterpret=passthrough must be set on the
>                  end placing the call on hold.
>
>               2. A call must be established.
>
>               3. The call is placed on hold without a suggested
>                  music-on-hold class name.
>
>               When these conditions are true, Asterisk will attempt to
>               use an invalid pointer to a music-on-hold class name. Use
>               of the invalid pointer will either cause a crash or the
>               music-on-hold class name will be garbage.
>
> Resolution    Asterisk now sets the extra data parameter to null if the
>               received control frame does not have any extra data.
>
> Affected Versions
> Product                 Release Series
> Certified Asterisk      1.8.11-cert      All versions
> Asterisk Open Source    1.8.x            All versions
> Asterisk Open Source    10.x             All versions
>
> Corrected In
> Product                 Release
> Certified Asterisk      1.8.11-cert2
> Asterisk Open Source    1.8.12.1, 10.4.1
>
> Patches
> SVN URL                                                                     Revision
> http://downloads.asterisk.org/pub/security/AST-2012-007-1.8.11-cert.diff   v1.8.11-cert
> http://downloads.asterisk.org/pub/security/AST-2012-007-1.8.diff           v1.8
> http://downloads.asterisk.org/pub/security/AST-2012-007-10.diff            v10
>
> Links   https://issues.asterisk.org/jira/browse/ASTERISK-19597
>
> Asterisk Project Security Advisories are posted at
> http://www.asterisk.org/security
>
> This document may be superseded by later versions; if so, the latest
> version will be posted at
> http://downloads.digium.com/pub/security/AST-2012-007.pdf and
> http://downloads.digium.com/pub/security/AST-2012-007.html
>
> Revision History
> Date          Editor             Revisions Made
> 05/29/2012    Richard Mudgett    Initial release.
>
> Asterisk Project Security Advisory - AST-2012-007
> Copyright (c) 2012 Digium, Inc. All Rights Reserved.
> Permission is hereby granted to distribute and publish this advisory in its
> original, unaltered form.
>
> --
> _____________________________________________________________________
> -- Bandwidth and Colocation Provided by http://www.api-digital.com --
>
> asterisk-security mailing list
> To UNSUBSCRIBE or update options visit:
> http://lists.digium.com/mailman/listinfo/asterisk-security
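
The Resolution quoted above, as an added example that is not part of the original message and is not Asterisk's code: a simplified model of a received control frame in which a frame without extra data gets a NULL data pointer, and the hold handler checks for that before reading a music-on-hold class. The struct, the function names, the 4-byte header, the frame-type value and the "default" fallback are all assumptions made for illustration.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical, simplified model; not Asterisk's structures or names. */
enum { CTRL_HOLD = 1 };            /* constructed frame-type value */
#define HDR_LEN ((size_t)4)        /* constructed header size */

struct ctrl_frame {
    int subclass;       /* control type, e.g. CTRL_HOLD */
    const void *data;   /* optional extra data: suggested music class */
    size_t datalen;     /* bytes of extra data, 0 if none */
};

/* Parse a received packet. As in the advisory's resolution, a frame
 * without extra data gets data == NULL rather than a stale pointer. */
int parse_ctrl_frame(const unsigned char *pkt, size_t len, struct ctrl_frame *f)
{
    if (pkt == NULL || f == NULL || len < HDR_LEN)
        return -1;
    f->subclass = pkt[0];
    f->datalen = len - HDR_LEN;
    f->data = f->datalen ? pkt + HDR_LEN : NULL;
    return 0;
}

/* Return the music class for a hold frame. Falling back to "default"
 * when none is suggested is an assumption made for this example. */
const char *hold_music_class(const struct ctrl_frame *f, char *out, size_t outlen)
{
    size_t n;
    if (f == NULL || out == NULL || outlen == 0)
        return NULL;
    if (f->data == NULL || f->datalen == 0)
        return "default";
    n = f->datalen < outlen - 1 ? f->datalen : outlen - 1;
    memcpy(out, f->data, n);   /* length-delimited, not NUL-terminated */
    out[n] = '\0';
    return out;
}

/* Packet in, class name out; NULL for a malformed or non-hold packet. */
const char *class_for_packet(const unsigned char *pkt, size_t len)
{
    static char buf[80];
    struct ctrl_frame f;
    if (parse_ctrl_frame(pkt, len, &f) != 0 || f.subclass != CTRL_HOLD)
        return NULL;
    return hold_music_class(&f, buf, sizeof buf);
}
```
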
