Bug #315532 has been rasied as grave security related bug against asterisk-1.0.7, which is included in the released sarge.
It refers to a potential overflow in the Asterisk Manager Interface, which is not enabled by default in the Debian asterisk package. In addition the Debian asterisk package is not run as root as upstream, but rather as the user asterisk with limited privs. It has been pointed out that a user of the manager interface can execute arbitary commands anyway, so the potential for additional privs is again limited even in the case that the manager interface is enabled and exploited. My query is does this warrant an release from the security team of the relevant asterisk package? The patch is included against the bug report. Or can we close this bug? Mark -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
