Your message dated Thu, 09 Aug 2007 22:47:05 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#436808: fixed in asterisk 1:1.4.10~dfsg-1
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--- Begin Message ---
Package: asterisk
Version: 1:1.4.1~dfsg-1
Severity: grave
Tags: security, pending


----------  Forwarded Message  ----------

Subject: [asterisk-announce] ASA-2007-019: Remote crash vulnerability in Skinny channel driver
Date: Tue, 7 Aug 2007
From: The Asterisk Development Team <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]

               Asterisk Project Security Advisory - ASA-2007-019

   +------------------------------------------------------------------------+
   |      Product       | Asterisk                                          |
   |--------------------+---------------------------------------------------|
   |      Summary       | Remote crash vulnerability in Skinny channel      |
   |                    | driver                                            |
   |--------------------+---------------------------------------------------|
   | Nature of Advisory | Denial of Service                                 |
   |--------------------+---------------------------------------------------|
   |   Susceptibility   | Remote Authenticated Sessions                     |
   |--------------------+---------------------------------------------------|
   |      Severity      | Moderate                                          |
   |--------------------+---------------------------------------------------|
   |   Exploits Known   | No                                                |
   |--------------------+---------------------------------------------------|
   |    Reported On     | August 7, 2007                                    |
   |--------------------+---------------------------------------------------|
   |    Reported By     | Wei Wang of McAfee AVERT Labs                     |
   |--------------------+---------------------------------------------------|
   |     Posted On      | August 7, 2007                                    |
   |--------------------+---------------------------------------------------|
   |  Last Updated On   | August 7, 2007                                    |
   |--------------------+---------------------------------------------------|
   |  Advisory Contact  | Jason Parker <[EMAIL PROTECTED]>                 |
   |--------------------+---------------------------------------------------|
   |      CVE Name      |                                                   |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   | Description | The Asterisk Skinny channel driver, chan_skinny, has a   |
   |             | remotely exploitable crash vulnerability. A segfault can |
   |             | occur when Asterisk receives a                           |
   |             | "CAPABILITIES_RES_MESSAGE" packet where the capabilities |
   |             | count is greater than the total number of items in the   |
   |             | capabilities_res_message array. Note that this requires  |
   |             | an authenticated session.                                |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   | Resolution | Asterisk code has been modified to limit the incoming     |
   |            | capabilities count.                                       |
   |            |                                                           |
   |            | Users with configured Skinny devices should upgrade to    |
   |            | the appropriate version listed in the "Corrected In"      |
   |            | section of this advisory.                                 |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   |                           Affected Versions                            |
   |------------------------------------------------------------------------|
   |             Product              |   Release   |                       |
   |                                  |   Series    |                       |
   |----------------------------------+-------------+-----------------------|
   |       Asterisk Open Source       |    1.0.x    | Not affected          |
   |----------------------------------+-------------+-----------------------|
   |       Asterisk Open Source       |    1.2.x    | Not affected          |
   |----------------------------------+-------------+-----------------------|
   |       Asterisk Open Source       |    1.4.x    | All versions prior to |
   |                                  |             | 1.4.10                |
   |----------------------------------+-------------+-----------------------|
   |    Asterisk Business Edition     |    A.x.x    | Not affected          |
   |----------------------------------+-------------+-----------------------|
   |    Asterisk Business Edition     |    B.x.x    | Not affected          |
   |----------------------------------+-------------+-----------------------|
   |           AsteriskNOW            | pre-release | All versions prior to |
   |                                  |             | beta7                 |
   |----------------------------------+-------------+-----------------------|
   | Asterisk Appliance Developer Kit |    0.x.x    | All versions prior to |
   |                                  |             | 0.7.0                 |
   |----------------------------------+-------------+-----------------------|
   |    s800i (Asterisk Appliance)    |    1.0.x    | All versions prior to |
   |                                  |             | 1.0.3                 |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   |                              Corrected In                              |
   |------------------------------------------------------------------------|
   |    Product    |                        Release                         |
   |---------------+--------------------------------------------------------|
   | Asterisk Open |                 1.4.10, available from                 |
   |    Source     |   http://downloads.digium.com/pub/telephony/asterisk   |
   |---------------+--------------------------------------------------------|
   |  AsteriskNOW  |   Beta7, available from http://www.asterisknow.org/.   |
   |               |   Beta5 and Beta6 users can update using the system    |
   |               |     update feature in the appliance control panel.     |
   |---------------+--------------------------------------------------------|
   |   Asterisk    |                 0.7.0, available from                  |
   |   Appliance   |     http://downloads.digium.com/pub/telephony/aadk     |
   | Developer Kit |                                                        |
   |---------------+--------------------------------------------------------|
   |     s800i     |                         1.0.3                          |
   |   (Asterisk   |                                                        |
   |  Appliance)   |                                                        |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   |        Links        |                                                  |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   | Asterisk Project Security Advisories are posted at                     |
   | http://www.asterisk.org/security.                                      |
   |                                                                        |
   | This document may be superseded by later versions; if so, the latest   |
   | version will be posted at                                              |
   | http://downloads.digium.com/pub/asa/ASA-2007-019.pdf and               |
   | http://downloads.digium.com/pub/asa/ASA-2007-019.html.                 |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   |                            Revision History                            |
   |------------------------------------------------------------------------|
   |        Date        |         Editor         |      Revisions Made      |
   |--------------------+------------------------+--------------------------|
   | August 7, 2007     | [EMAIL PROTECTED]     | Initial Release          |
   +------------------------------------------------------------------------+

               Asterisk Project Security Advisory - ASA-2007-019
              Copyright (c) 2007 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in its
                           original, unaltered form.


-------------------------------------------------------


--- End Message ---
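
The advisory's resolution ("limit the incoming capabilities count") can be illustrated with the following added example. It is not code from Asterisk or from this report: the wire layout, MAX_CAPS, CAP_WIRE_SIZE, the structs and parse_caps_res() are hypothetical names and values chosen for the sketch.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_CAPS 18      /* assumed capacity of the fixed capabilities array */
#define CAP_WIRE_SIZE 8  /* constructed layout: codec (4 bytes) + frames (4 bytes) */

struct cap { uint32_t codec, frames; };
struct caps_res { uint32_t count; struct cap caps[MAX_CAPS]; };

static uint32_t rd_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Unsafe pattern: loop "for (i = 0; i < wire_count; i++)" over caps[] with
 * wire_count taken from the peer unchecked, which walks off the array.
 * Returns the number of entries stored, or -1 if the packet is truncated. */
int parse_caps_res(const uint8_t *buf, size_t len, struct caps_res *out)
{
    uint32_t count, i;

    if (len < 4)
        return -1;
    count = rd_le32(buf);
    if (count > MAX_CAPS)   /* limit the incoming capabilities count */
        count = MAX_CAPS;
    if ((len - 4) / CAP_WIRE_SIZE < count)  /* entries must really be present */
        return -1;
    memset(out, 0, sizeof(*out));
    for (i = 0; i < count; i++) {
        const uint8_t *e = buf + 4 + (size_t)i * CAP_WIRE_SIZE;
        out->caps[i].codec = rd_le32(e);
        out->caps[i].frames = rd_le32(e + 4);
    }
    out->count = count;
    return (int)count;
}

int main(void)
{
    /* Constructed packet: count field claims 0xFFFFFFFF, 18 entries follow. */
    uint8_t pkt[4 + MAX_CAPS * CAP_WIRE_SIZE] = { 0xFF, 0xFF, 0xFF, 0xFF, 4, 0, 0, 0, 20 };
    struct caps_res res;
    printf("accepted %d entries\n", parse_caps_res(pkt, sizeof(pkt), &res));
    return 0;
}
```

The second check covers a case the clamp alone does not: a count within the array capacity but larger than the number of entries actually received.
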
--- Begin Message ---
Source: asterisk
Source-Version: 1:1.4.10~dfsg-1

We believe that the bug you reported is fixed in the latest version of
asterisk, which is due to be installed in the Debian FTP archive:

asterisk-config_1.4.10~dfsg-1_all.deb
  to pool/main/a/asterisk/asterisk-config_1.4.10~dfsg-1_all.deb
asterisk-dbg_1.4.10~dfsg-1_i386.deb
  to pool/main/a/asterisk/asterisk-dbg_1.4.10~dfsg-1_i386.deb
asterisk-dev_1.4.10~dfsg-1_all.deb
  to pool/main/a/asterisk/asterisk-dev_1.4.10~dfsg-1_all.deb
asterisk-doc_1.4.10~dfsg-1_all.deb
  to pool/main/a/asterisk/asterisk-doc_1.4.10~dfsg-1_all.deb
asterisk-h323_1.4.10~dfsg-1_i386.deb
  to pool/main/a/asterisk/asterisk-h323_1.4.10~dfsg-1_i386.deb
asterisk-sounds-main_1.4.10~dfsg-1_all.deb
  to pool/main/a/asterisk/asterisk-sounds-main_1.4.10~dfsg-1_all.deb
asterisk-web-vmail_1.4.10~dfsg-1_all.deb
  to pool/main/a/asterisk/asterisk-web-vmail_1.4.10~dfsg-1_all.deb
asterisk_1.4.10~dfsg-1.diff.gz
  to pool/main/a/asterisk/asterisk_1.4.10~dfsg-1.diff.gz
asterisk_1.4.10~dfsg-1.dsc
  to pool/main/a/asterisk/asterisk_1.4.10~dfsg-1.dsc
asterisk_1.4.10~dfsg-1_i386.deb
  to pool/main/a/asterisk/asterisk_1.4.10~dfsg-1_i386.deb
asterisk_1.4.10~dfsg.orig.tar.gz
  to pool/main/a/asterisk/asterisk_1.4.10~dfsg.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Mark Purcell <[EMAIL PROTECTED]> (supplier of updated asterisk package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Thu, 09 Aug 2007 22:47:00 +0100
Source: asterisk
Binary: asterisk-h323 asterisk-web-vmail asterisk asterisk-dbg asterisk-dev asterisk-doc asterisk-sounds-main asterisk-config
Architecture: source all i386
Version: 1:1.4.10~dfsg-1
Distribution: unstable
Urgency: low
Maintainer: Debian VoIP Team <[EMAIL PROTECTED]>
Changed-By: Mark Purcell <[EMAIL PROTECTED]>
Description: 
 asterisk   - Open Source Private Branch Exchange (PBX)
 asterisk-config - config files for asterisk
 asterisk-dbg - debugging symbols for asterisk
 asterisk-dev - Development files for asterisk
 asterisk-doc - Source code documentation for Asterisk
 asterisk-h323 - Asterisk's H.323 VoIP channel
 asterisk-sounds-main - Core Sound files for Asterisk (English)
 asterisk-web-vmail - Web-based (CGI) voice mail interface for Asterisk
Closes: 301883 428671 436808
Changes: 
 asterisk (1:1.4.10~dfsg-1) unstable; urgency=low
 .
   * New upstream release
     - Fwd: [asterisk-announce] ASA-2007-019: Remote crash vulnerability in
     Skinny channel driver (Closes: #436808)
 .
   [ Mark Purcell ]
   * debhelper(1) states Build-Depends: debhelper (>= 5)
     - aids backports
   * Update debian/backports for etch, edgy, dapper and feisty
     - http://status.buildserver.net/packages/status.php?package=asterisk&subdist=pkg-voip
 .
   [ Faidon Liambotis ]
   * Refer to /usr/share/common-licenses/GPL-2 instead of GPL. The code is
     -for now- GPLv2-only and in light of GPLv3, pointing to GPL is misleading.
   * Add ast_key_dir patch to move keys from /var/lib/asterisk/keys to
     /usr/share/asterisk/keys where they should be.
   * Actually ship keys, including Junction Networks' by fixing pubkey_jnctn
     patch.
   * Handle space/newline-delimited directories on /etc/asterisk when doing
     chmod on postinst.
   * Correct descriptions of packages in debian/control, adapting them to the
     present and correcting some spelling mistakes. (Closes: #428671)
   * Add a noload directive for cdr_sqlite.so in the default modules.conf since
     it writes unconditionally to the database file without being rotated,
     resulting in unexpected waste of disk space. (Closes: #301883)
   * Delete duplicated creation of /var/run/asterisk in the init script.
Files: 

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFGu41foCzanz0IthIRAh3BAJ4nr87FwVKkx9ksp7r3RpHeo3AQqgCeO0ys
kOuLzQbO1//yecJhIO/g2Ag=
=GMbN
-----END PGP SIGNATURE-----


--- End Message ---
