Your message dated Tue, 22 Feb 2011 01:54:59 +0000
with message-id <e1prhst-0006tc...@franck.debian.org>
and subject line Bug#610487: fixed in asterisk 1:1.4.21.2~dfsg-3+lenny2
has caused the Debian Bug report #610487,
regarding CVE-2011-0495 asterisk: AST-2011-001: buffer overflow in caller ID 
URI encoding
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
610487: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=610487
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: asterisk
Version: 1:1.6.2.9-2
Justification: user security hole
Severity: grave
Tags: security patch upstream

*** Please type your report below this line ***
The Asterisk project has reported security advisory ASA-2011-011
http://downloads.asterisk.org/pub/security/AST-2011-001.html
(No CVE ATM)

"When forming an outgoing SIP request while in pedantic mode, a stack
buffer can be made to overflow if supplied with carefully crafted caller
ID information."

Caller ID information may be provided by remote users. The advisory details
a potential workaround in the dialplan, but applying it varies greatly across
different configurations.

Issue applies both to the Lenny and Squeeze packages. For patches:
http://svn.debian.org/viewsvn/pkg-voip?view=rev&revision=8708  (Squeeze)

http://svn.debian.org/viewsvn/pkg-voip?view=rev&revision=8711  (Lenny)

-- 
Tzafrir Cohen         | tzaf...@jabber.org | VIM is
http://tzafrir.org.il |                    | a Mutt's
tzaf...@cohens.org.il |                    |  best
tzaf...@debian.org    |                    | friend



--- End Message ---
--- Begin Message ---
Source: asterisk
Source-Version: 1:1.4.21.2~dfsg-3+lenny2

We believe that the bug you reported is fixed in the latest version of
asterisk, which is due to be installed in the Debian FTP archive:

asterisk-config_1.4.21.2~dfsg-3+lenny2_all.deb
  to main/a/asterisk/asterisk-config_1.4.21.2~dfsg-3+lenny2_all.deb
asterisk-dbg_1.4.21.2~dfsg-3+lenny2_i386.deb
  to main/a/asterisk/asterisk-dbg_1.4.21.2~dfsg-3+lenny2_i386.deb
asterisk-dev_1.4.21.2~dfsg-3+lenny2_all.deb
  to main/a/asterisk/asterisk-dev_1.4.21.2~dfsg-3+lenny2_all.deb
asterisk-doc_1.4.21.2~dfsg-3+lenny2_all.deb
  to main/a/asterisk/asterisk-doc_1.4.21.2~dfsg-3+lenny2_all.deb
asterisk-h323_1.4.21.2~dfsg-3+lenny2_i386.deb
  to main/a/asterisk/asterisk-h323_1.4.21.2~dfsg-3+lenny2_i386.deb
asterisk-sounds-main_1.4.21.2~dfsg-3+lenny2_all.deb
  to main/a/asterisk/asterisk-sounds-main_1.4.21.2~dfsg-3+lenny2_all.deb
asterisk_1.4.21.2~dfsg-3+lenny2.diff.gz
  to main/a/asterisk/asterisk_1.4.21.2~dfsg-3+lenny2.diff.gz
asterisk_1.4.21.2~dfsg-3+lenny2.dsc
  to main/a/asterisk/asterisk_1.4.21.2~dfsg-3+lenny2.dsc
asterisk_1.4.21.2~dfsg-3+lenny2_i386.deb
  to main/a/asterisk/asterisk_1.4.21.2~dfsg-3+lenny2_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 610...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Faidon Liambotis <parav...@debian.org> (supplier of updated asterisk package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Thu, 10 Feb 2011 17:06:37 +0200
Source: asterisk
Binary: asterisk asterisk-h323 asterisk-doc asterisk-dev asterisk-dbg asterisk-sounds-main asterisk-config
Architecture: source all i386
Version: 1:1.4.21.2~dfsg-3+lenny2
Distribution: oldstable-security
Urgency: high
Maintainer: Debian VoIP Team <pkg-voip-maintain...@lists.alioth.debian.org>
Changed-By: Faidon Liambotis <parav...@debian.org>
Description: 
 asterisk   - Open Source Private Branch Exchange (PBX)
 asterisk-config - Configuration files for Asterisk
 asterisk-dbg - Debugging symbols for Asterisk
 asterisk-dev - Development files for Asterisk
 asterisk-doc - Source code documentation for Asterisk
 asterisk-h323 - H.323 protocol support for Asterisk
 asterisk-sounds-main - Core Sound files for Asterisk (English)
Closes: 610487
Changes: 
 asterisk (1:1.4.21.2~dfsg-3+lenny2) oldstable-security; urgency=high
 .
   [ Tzafrir Cohen ]
   * AST-2011-001/CVE-2011-0495: Stack buffer overflow in SIP channel driver
     (Closes: #610487)
   * Backport a one-liner patch from upstream (ast_uri_validhex) to
     successfully apply the AST-2011-001 patch.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAk1UZOAACgkQVty5d8XpUzPc1gCfdORTrx0jQ+/laAX8pxH7C7QL
rW0AoIB7jqlw/z/5km9UG83PBnIWEyjz
=XbAF
-----END PGP SIGNATURE-----



--- End Message ---
