Package: asterisk
Version: 1:1.6.2.9-2+squeeze1
Justification: user security hole
Severity: grave
Tags: security patch upstream

The Asterisk project has reported security advisory ASA-2011-002
http://downloads.asterisk.org/pub/security/AST-2011-002.html (No CVE ATM)

"When decoding UDPTL packets, multiple stack and heap based arrays can be
made to overflow by specially crafted packets. Systems doing T.38 pass
through or termination are vulnerable."

Patches were already submitted to the respective branches in the pkg-voip
SVN repo:

http://svn.debian.org/viewsvn/pkg-voip?view=rev&revision=8797 - Squeeze
http://svn.debian.org/viewsvn/pkg-voip?view=rev&revision=8800 - Lenny

Workaround:

As a workaround, in case the patch has not yet been applied, you can
disable the T.38 functionality (versions in Debian stable / oldstable
only have T.38 passthrough capabilities).

* In chan_sip this is only enabled if 't38pt_udptl' was enabled for any
  specific peer/user.

* chan_ooh323 (only in stable, not in oldstable. Only needed if you
  installed asterisk-ooh323) needs to be disabled altogether. e.g. set in
  modules.conf in the section [modules]:

  noload => chan_ooh323.so

-- 
Tzafrir Cohen         | tzaf...@jabber.org | VIM is
http://tzafrir.org.il |                    | a Mutt's
tzaf...@cohens.org.il |                    |  best
tzaf...@debian.org    |                    | friend
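The following audit script is an added example and is not part of the bug report, the Debian package, or the Asterisk project. It checks the two exposure points the workaround above names: whether any section of sip.conf enables 't38pt_udptl', and whether modules.conf still lets chan_ooh323.so load (no 'noload' line, or an explicit 'load', with autoload defaulting to yes). The sip.conf and modules.conf contents it runs against are constructed sample files written to a temporary directory; the file paths and function names are the example's own assumptions.

```shell
#!/bin/sh
# Added example: audit Asterisk 1.6.x config files for the T.38 exposure
# points described in the AST-2011-002 workaround (not the project's code).

# Print "section=value" for every occurrence of key in an Asterisk .conf file.
# Handles "key=value" and "key => value", strips ';' comments and whitespace.
asterisk_conf_values() {
    awk -v key="$2" '
        { sub(/;.*/, "") }                                # drop comments
        /^[ \t]*\[/ { sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/\].*/, "", sec); next }
        /^[ \t]*[A-Za-z0-9_]+[ \t]*=/ {
            k = $0; sub(/[ \t]*=.*/, "", k); sub(/^[ \t]+/, "", k)
            v = $0; sub(/^[^=]*=>?[ \t]*/, "", v); sub(/[ \t]+$/, "", v)
            if (k == key) print sec "=" v
        }' "$1"
}

# Exit 0 if any sip.conf section turns on T.38 passthrough
# (t38pt_udptl = yes, or yes,<error-correction mode>).
sip_t38_enabled() {
    asterisk_conf_values "$1" t38pt_udptl | grep -iq '=yes'
}

# Exit 0 if modules.conf would still let chan_ooh323.so load.
# Order: an explicit noload wins, then an explicit load, then autoload
# (which Asterisk treats as "yes" when unset).
ooh323_loadable() {
    f="$1"
    if asterisk_conf_values "$f" noload | grep -q '=chan_ooh323\.so$'; then return 1; fi
    if asterisk_conf_values "$f" load | grep -q '=chan_ooh323\.so$'; then return 0; fi
    if asterisk_conf_values "$f" autoload | grep -iq '=no$'; then return 1; fi
    return 0
}

# Print findings; exit 0 when UDPTL decoding is reachable, 1 when T.38 is off.
t38_exposure_report() {
    sip="$1"; mods="$2"; exposed=1
    if sip_t38_enabled "$sip"; then
        sections=$(asterisk_conf_values "$sip" t38pt_udptl | grep -i '=yes' | cut -d= -f1 | tr '\n' ' ')
        echo "chan_sip: t38pt_udptl enabled in section(s): $sections"
        exposed=0
    fi
    if [ -f "$mods" ] && ooh323_loadable "$mods"; then
        echo "chan_ooh323: $mods does not prevent it from loading (add 'noload => chan_ooh323.so' under [modules] if asterisk-ooh323 is installed)"
        exposed=0
    fi
    if [ "$exposed" -eq 0 ]; then
        echo "Result: UDPTL decoding reachable; apply the AST-2011-002 fix or the workaround"
    else
        echo "Result: T.38 disabled in both channel drivers"
    fi
    return $exposed
}

# --- constructed sample configs (hypothetical content, not from any real system) ---
AUDIT_TMP=$(mktemp -d)
SAMPLE_SIP="$AUDIT_TMP/sip.conf"
SAMPLE_MODULES="$AUDIT_TMP/modules.conf"
SAMPLE_MODULES_FIXED="$AUDIT_TMP/modules-fixed.conf"

cat > "$SAMPLE_SIP" <<'EOF'
[general]
context=default
t38pt_udptl=no        ; global default: passthrough off

[fax-gateway]
type=peer
host=dynamic
t38pt_udptl = yes,fec ; passthrough enabled for this peer only

[alice]
type=friend
host=dynamic
EOF

cat > "$SAMPLE_MODULES" <<'EOF'
[modules]
autoload=yes
noload => pbx_gtkconsole.so
EOF

# Same file with the workaround from the advisory applied.
{ cat "$SAMPLE_MODULES"; echo 'noload => chan_ooh323.so'; } > "$SAMPLE_MODULES_FIXED"

# Stand-alone run against the constructed sample (reports the exposed state).
t38_exposure_report "$SAMPLE_SIP" "$SAMPLE_MODULES"
```

On a real host, point the two arguments at /etc/asterisk/sip.conf and /etc/asterisk/modules.conf; the script only reads the files and never changes them. Note that it parses the flat files only, so settings pulled in via #include or loaded from realtime are not seen.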