Your message dated Mon, 25 Apr 2011 13:55:09 +0000
with message-id <e1qemfp-0003jd...@franck.debian.org>
and subject line Bug#614580: fixed in asterisk 1:1.4.21.2~dfsg-3+lenny2.1
has caused the Debian Bug report #614580,
regarding asterisk: AST-2011-002: Multiple array overflow and crash vulnerabilities in UDPTL code
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
614580: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=614580
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: asterisk
Version: 1:1.6.2.9-2+squeeze1
Justification: user security hole
Severity: grave
Tags: security patch upstream

The Asterisk project has reported security advisory ASA-2011-002
http://downloads.asterisk.org/pub/security/AST-2011-002.html
(No CVE ATM)

"When decoding UDPTL packets, multiple stack and heap based arrays can
be made to overflow by specially crafted packets. Systems doing T.38
pass through or termination are vulnerable."

Patches were already submitted to the respective branches in the
pkg-voip SVN repo:
http://svn.debian.org/viewsvn/pkg-voip?view=rev&revision=8797 - Squeeze
http://svn.debian.org/viewsvn/pkg-voip?view=rev&revision=8800 - Lenny


Workaround:
As a workaround, in case the patch has not yet been applied, you can
disable the T.38 functionality (versions in Debian stable / oldstable
only have T.38 passthrough capabilities).

* In chan_sip this is only enabled if 't38pt_udptl' was enabled for any
  specific peer/user.
* chan_ooh323 (only in stable, not in oldstable. Only needed if you
  installed asterisk-ooh323) needs to be disabled altogether. e.g. set
  in modules.conf in the section [modules]:

    noload => chan_ooh323.so

-- 
Tzafrir Cohen         | tzaf...@jabber.org | VIM is
http://tzafrir.org.il |                    | a Mutt's
tzaf...@cohens.org.il |                    |  best
tzaf...@debian.org    |                    | friend



--- End Message ---
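The workaround in the report above has two parts: no sip.conf peer/user with 't38pt_udptl' enabled, and (on stable, if asterisk-ooh323 is installed) chan_ooh323.so kept from loading. The audit script below is an added example, not part of the bug report or of the Debian package; it checks a config tree for both conditions and exits non-zero if either still applies. The sample sip.conf/modules.conf it writes to a temp dir are constructed for the demo, and treating a missing modules.conf as autoload=yes is an assumption about Asterisk's default.

```shell
#!/bin/sh
# Added audit script (not the bug report's or the package's own code): looks for
# the two T.38/UDPTL exposure conditions named in the AST-2011-002 workaround.
#   ./audit-t38.sh /etc/asterisk      audit a real tree (exit 1 if exposed)
#   ./audit-t38.sh                    demo on constructed sample configs

# Print the name of every sip.conf section that enables t38pt_udptl.
# Accepts the values Asterisk treats as true (yes/true/on/y/t/1), tolerates
# '=' or '=>' and strips ';' comments. Prints nothing when T.38 is off everywhere.
sip_t38_sections() {
    [ -f "$1" ] || return 0
    awk '
        /^[[:space:]]*\[/ {                       # section header: [name] or [name](!)
            s = $0; sub(/^[[:space:]]*\[/, "", s); sub(/\].*$/, "", s)
            section = s; next
        }
        /^[[:space:]]*;/ { next }                 # comment line
        /^[[:space:]]*t38pt_udptl[[:space:]]*=/ {
            v = $0; sub(/^[^=]*=>?[[:space:]]*/, "", v); sub(/[[:space:]]*;.*$/, "", v)
            if (tolower(v) ~ /^(yes|true|on|y|t|1)/) print section
        }' "$1"
}

# Return 0 if modules.conf would still load chan_ooh323.so (explicit load, or
# autoload on with no noload line), 1 if it is disabled. Only matters where the
# asterisk-ooh323 package is installed (stable only, per the report).
ooh323_would_load() {
    [ -f "$1" ] || return 0     # assumption: no modules.conf behaves like autoload=yes
    if grep -Eq '^[[:space:]]*load[[:space:]]*=>?[[:space:]]*chan_ooh323\.so' "$1"; then return 0; fi
    if grep -Eq '^[[:space:]]*noload[[:space:]]*=>?[[:space:]]*chan_ooh323\.so' "$1"; then return 1; fi
    if grep -Eiq '^[[:space:]]*autoload[[:space:]]*=>?[[:space:]]*(no|false|off|0)' "$1"; then return 1; fi
    return 0
}

# Report both conditions for one config directory; return 1 if anything is exposed.
audit_tree() {
    dir="$1"; rc=0
    peers=$(sip_t38_sections "$dir/sip.conf")
    if [ -n "$peers" ]; then
        echo "$dir: t38pt_udptl enabled in sip.conf section(s): $(echo "$peers" | tr '\n' ' ')"
        rc=1
    fi
    if ooh323_would_load "$dir/modules.conf"; then
        echo "$dir: chan_ooh323.so not disabled in modules.conf (add 'noload => chan_ooh323.so')"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "$dir: no T.38/UDPTL exposure found"
    return "$rc"
}

# Constructed sample configs (not real site data): an exposed tree and a
# hardened tree with both workarounds applied.
write_sample_configs() {
    mkdir -p "$1/exposed" "$1/hardened"
    cat > "$1/exposed/sip.conf" <<'EOF'
[general]
context=default
t38pt_udptl=no

[fax-gw]
type=peer
host=dynamic
t38pt_udptl=yes   ; T.38 passthrough enabled for this peer

[phone-1001]
type=friend
host=dynamic
EOF
    printf '[modules]\nautoload=yes\n' > "$1/exposed/modules.conf"
    sed 's/^t38pt_udptl=yes.*/t38pt_udptl=no/' "$1/exposed/sip.conf" > "$1/hardened/sip.conf"
    printf '[modules]\nautoload=yes\nnoload => chan_ooh323.so\n' > "$1/hardened/modules.conf"
}

if [ -n "${1:-}" ]; then
    audit_tree "$1"
else
    tmp=$(mktemp -d)
    write_sample_configs "$tmp"
    audit_tree "$tmp/exposed" || true      # expected to report both conditions
    audit_tree "$tmp/hardened"             # expected to report nothing
    rm -rf "$tmp"
fi
```

The sip.conf check deliberately walks sections rather than grepping the whole file, because a single enabled peer is enough to expose the UDPTL decoder on a passthrough system even when [general] has it off.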
--- Begin Message ---
Source: asterisk
Source-Version: 1:1.4.21.2~dfsg-3+lenny2.1

We believe that the bug you reported is fixed in the latest version of
asterisk, which is due to be installed in the Debian FTP archive:

asterisk-config_1.4.21.2~dfsg-3+lenny2.1_all.deb
  to main/a/asterisk/asterisk-config_1.4.21.2~dfsg-3+lenny2.1_all.deb
asterisk-dbg_1.4.21.2~dfsg-3+lenny2.1_amd64.deb
  to main/a/asterisk/asterisk-dbg_1.4.21.2~dfsg-3+lenny2.1_amd64.deb
asterisk-dev_1.4.21.2~dfsg-3+lenny2.1_all.deb
  to main/a/asterisk/asterisk-dev_1.4.21.2~dfsg-3+lenny2.1_all.deb
asterisk-doc_1.4.21.2~dfsg-3+lenny2.1_all.deb
  to main/a/asterisk/asterisk-doc_1.4.21.2~dfsg-3+lenny2.1_all.deb
asterisk-h323_1.4.21.2~dfsg-3+lenny2.1_amd64.deb
  to main/a/asterisk/asterisk-h323_1.4.21.2~dfsg-3+lenny2.1_amd64.deb
asterisk-sounds-main_1.4.21.2~dfsg-3+lenny2.1_all.deb
  to main/a/asterisk/asterisk-sounds-main_1.4.21.2~dfsg-3+lenny2.1_all.deb
asterisk_1.4.21.2~dfsg-3+lenny2.1.diff.gz
  to main/a/asterisk/asterisk_1.4.21.2~dfsg-3+lenny2.1.diff.gz
asterisk_1.4.21.2~dfsg-3+lenny2.1.dsc
  to main/a/asterisk/asterisk_1.4.21.2~dfsg-3+lenny2.1.dsc
asterisk_1.4.21.2~dfsg-3+lenny2.1_amd64.deb
  to main/a/asterisk/asterisk_1.4.21.2~dfsg-3+lenny2.1_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 614...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Tzafrir Cohen <tzaf...@debian.org> (supplier of updated asterisk package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sat, 23 Apr 2011 17:30:13 +0300
Source: asterisk
Binary: asterisk asterisk-h323 asterisk-doc asterisk-dev asterisk-dbg asterisk-sounds-main asterisk-config
Architecture: source all amd64
Version: 1:1.4.21.2~dfsg-3+lenny2.1
Distribution: oldstable-security
Urgency: high
Maintainer: Debian VoIP Team <pkg-voip-maintain...@lists.alioth.debian.org>
Changed-By: Tzafrir Cohen <tzaf...@debian.org>
Description: 
 asterisk   - Open Source Private Branch Exchange (PBX)
 asterisk-config - Configuration files for Asterisk
 asterisk-dbg - Debugging symbols for Asterisk
 asterisk-dev - Development files for Asterisk
 asterisk-doc - Source code documentation for Asterisk
 asterisk-h323 - H.323 protocol support for Asterisk
 asterisk-sounds-main - Core Sound files for Asterisk (English)
Closes: 614580 618790
Changes: 
 asterisk (1:1.4.21.2~dfsg-3+lenny2.1) oldstable-security; urgency=high
 .
   * AST-2011-002 (CVE-2011-1147): Multiple crash vulnerabilities in UDPTL code
     (Closes: #614580).
   * Patch AST-2011-005 (CVE-2011-1507): Resource exhaustion in Asterisk
     Manager Interface.
   * Patch AST-2011-005-p2: Resource exhaustion in chan_skinny and AJAM -
     second part of the above (Closes: #618790).
   * Patches AST-2011-003, manager_manager_bugfix_reload - its pre-requirements.
   * My new @debian.org address
Checksums-Sha1:
 013a870a95cc889ab06cba4bb105fb087191e3b3 1987 asterisk_1.4.21.2~dfsg-3+lenny2.1.dsc
 79c9c67ef081925b0871b3faa7ef71b937f29453 158875 asterisk_1.4.21.2~dfsg-3+lenny2.1.diff.gz
 88921b26377bd4a7361ce25e4759a9e694b5d921 33061018 asterisk-doc_1.4.21.2~dfsg-3+lenny2.1_all.deb
 977eecd305ae101f668b3de7614f6d646a34d46d 429462 asterisk-dev_1.4.21.2~dfsg-3+lenny2.1_all.deb
 413a2b27f194284c1739b54adb8858b8104ef30e 1899998 asterisk-sounds-main_1.4.21.2~dfsg-3+lenny2.1_all.deb
 ae19d6b2662509d0d04132f73f18c0eb8dae59bc 485238 asterisk-config_1.4.21.2~dfsg-3+lenny2.1_all.deb
 e0e432172d981757455875277c1b4a19a494d0c2 2624058 asterisk_1.4.21.2~dfsg-3+lenny2.1_amd64.deb
 db74c77131fe67d4b72ce1b25d77e8a21de9a235 398032 asterisk-h323_1.4.21.2~dfsg-3+lenny2.1_amd64.deb
 fcd10202cde44b4b8bb7f05e83f088cf7275ec16 13153860 asterisk-dbg_1.4.21.2~dfsg-3+lenny2.1_amd64.deb
Checksums-Sha256:
 e1c268526259c7a3650ec82c2e79313a81647eea339a69878cab48654cb6ec1a 1987 asterisk_1.4.21.2~dfsg-3+lenny2.1.dsc
 b8ad405081e6cf3673ca204e5befb57f882d3d546057f135c4f7412c5510fc2c 158875 asterisk_1.4.21.2~dfsg-3+lenny2.1.diff.gz
 2468f721bbbef008e221566e7310594da2644799819c7ff6dda3b70cae28e3b0 33061018 asterisk-doc_1.4.21.2~dfsg-3+lenny2.1_all.deb
 fc5c4a61f2e9557418da600f8d70afab4a802ed076871c5a0b6d8c52ceb95bb0 429462 asterisk-dev_1.4.21.2~dfsg-3+lenny2.1_all.deb
 a70eccd14b29292074e4f6811b7836ce47153f4e0de216fb2d741b54cc8c6dc5 1899998 asterisk-sounds-main_1.4.21.2~dfsg-3+lenny2.1_all.deb
 5f66bb19bdcc08a2e3be8c9af9a0366874fb8c9e460d467e687e537e5f3dfa0f 485238 asterisk-config_1.4.21.2~dfsg-3+lenny2.1_all.deb
 ed97a47efd6f2a00828e8aa8a0579491a87efef9f240096e378507640aebeafd 2624058 asterisk_1.4.21.2~dfsg-3+lenny2.1_amd64.deb
 f7d636c12362f0710ca5b65b41758bb69eb49068a33335f7b9c4f1b5b5016cc1 398032 asterisk-h323_1.4.21.2~dfsg-3+lenny2.1_amd64.deb
 fb621d58d6929305c48a943a04e45e9710661f83c0873d74cb98de1172c3a37f 13153860 asterisk-dbg_1.4.21.2~dfsg-3+lenny2.1_amd64.deb
Files:
 d601c21bf99d040db1844e0fc5973165 1987 comm optional asterisk_1.4.21.2~dfsg-3+lenny2.1.dsc
 7ed6ad7c24b9c4f60bdaef17541282a3 158875 comm optional asterisk_1.4.21.2~dfsg-3+lenny2.1.diff.gz
 8500e5812b9cd245b23b4aa2f26e4688 33061018 doc extra asterisk-doc_1.4.21.2~dfsg-3+lenny2.1_all.deb
 40ee618fc306b28d5c2b3939bf39b905 429462 devel extra asterisk-dev_1.4.21.2~dfsg-3+lenny2.1_all.deb
 91bff5642ad70afd77f9efb6794ca945 1899998 comm optional asterisk-sounds-main_1.4.21.2~dfsg-3+lenny2.1_all.deb
 6c3e65c2189a3f00e11e77d4655f151e 485238 comm optional asterisk-config_1.4.21.2~dfsg-3+lenny2.1_all.deb
 551723b5b728de88719fb9467c60a4cf 2624058 comm optional asterisk_1.4.21.2~dfsg-3+lenny2.1_amd64.deb
 08bc009255b340490e348ebed894283c 398032 comm optional asterisk-h323_1.4.21.2~dfsg-3+lenny2.1_amd64.deb
 02e7abe10b4427a9f2f35cc4ce68e7ab 13153860 devel extra asterisk-dbg_1.4.21.2~dfsg-3+lenny2.1_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAk2zAtYACgkQxArWdkN9MoshVgCdFiLts1AEOhnGYf/Fmc6k5PcT
HlYAn25m+xPpxZCBKQEA0S8qWxeFk7aU
=wN6s
-----END PGP SIGNATURE-----



--- End Message ---
