Package: asterisk-oh323
Severity: grave
Tags: security

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for asterisk-oh323.

CVE-2008-2543[0]:
| The ooh323 channel driver in Asterisk Addons 1.2.x before 1.2.9 and
| Asterisk-Addons 1.4.x before 1.4.7 creates a remotely accessible TCP
| port that is intended solely for localhost communication, and
| interprets some TCP application-data fields as addresses of memory to
| free, which allows remote attackers to cause a denial of service
| (daemon crash) via crafted TCP packets.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

http://svn.digium.com/view/asterisk-addons?view=rev&revision=620
is the patch upstream applied to fix this issue. However the version
in Debian has a completely different codebase and without having more
knowledge about asterisk it is (at least for me) not possible to judge
if the version in Debian is affected by this or not. I also have no
asterisk setup to test this. Please check back with upstream and/or
test this with a local installation.

For now I marked it as unfixed in the tracker.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2543
    http://security-tracker.debian.net/tracker/CVE-2008-2543

-- 
Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.