Your message dated Mon, 25 Apr 2011 13:55:32 +0000
with message-id <e1qemgc-0003yb...@franck.debian.org>
and subject line Bug#618791: fixed in asterisk 1:1.6.2.9-2+squeeze2
has caused the Debian Bug report #618791,
regarding AST-2011-004: Remote crash vulnerability in TCP/TLS server
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
618791: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=618791
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: asterisk
Version: 1:1.6.2.9-2+squeeze2
Justification: user security hole
Severity: grave
Tags: security upstream patch
Rapidly opening and closing TCP connections to services using the
ast_tcptls_* API (primarily chan_sip, manager, and res_phoneprov) can
cause Asterisk to crash after dereferencing a NULL pointer.
TCP-TLS code did not exist yet in the oldstable (Lenny) version of
Asterisk.
It is not used in the default configuration, but may be quite common in
many configurations.
--
Tzafrir Cohen | tzaf...@jabber.org | VIM is
http://tzafrir.org.il | | a Mutt's
tzaf...@cohens.org.il | | best
tzaf...@debian.org | | friend
--- End Message ---
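A practical follow-up to the report above, added here as an example and not part of the bug thread or of Debian's tooling: a pure-Python port of dpkg's version ordering, used to tell whether an installed asterisk package is still below the fixed version 1:1.6.2.9-2+squeeze2. The fixed version and the binary package names come from the thread; the lower bound AFFECTED_FROM (1:1.6), the function names and the dpkg-query sample output are assumptions constructed for the example (the report only says the TCP/TLS code was absent from oldstable). Plain string comparison gets the +squeezeN and ~ suffixes wrong, which is why the ordering is ported rather than approximated.

```python
"""Added example (not from the bug thread or Debian's tooling): classify installed
asterisk packages as vulnerable, fixed or not affected using dpkg's version order."""
import re
import subprocess
from itertools import zip_longest

# Fixed version and binary package names taken from the thread above.
FIXED_VERSION = "1:1.6.2.9-2+squeeze2"
FIXED_PACKAGES = {"asterisk", "asterisk-config", "asterisk-dbg", "asterisk-dev",
                  "asterisk-doc", "asterisk-h323", "asterisk-sounds-main"}
# Assumption for this example: the report says oldstable (Lenny) predates the
# TCP/TLS code, so versions below this bound are classed as not affected.
AFFECTED_FROM = "1:1.6"

_RUNS = re.compile(r"(\D*)(\d*)")   # a version string is alternating non-digit/digit runs


def _order(c):
    """dpkg's weight for one non-digit character: '~' < end of string < letters < others."""
    if c == "~":
        return -1
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _verrevcmp(a, b):
    """Port of dpkg's verrevcmp(): -1, 0 or 1 for the upstream or revision part."""
    for (sa, na), (sb, nb) in zip_longest(_RUNS.findall(a), _RUNS.findall(b), fillvalue=("", "")):
        width = max(len(sa), len(sb))
        ka = [_order(c) for c in sa] + [0] * (width - len(sa))   # missing character weighs 0
        kb = [_order(c) for c in sb] + [0] * (width - len(sb))
        if ka != kb:
            return -1 if ka < kb else 1
        na, nb = int(na or 0), int(nb or 0)                     # leading zeros are irrelevant
        if na != nb:
            return -1 if na < nb else 1
    return 0


def parse_version(version):
    """Split 'epoch:upstream-revision' into (epoch, upstream, revision)."""
    epoch = 0
    if ":" in version:
        epoch_text, version = version.split(":", 1)
        epoch = int(epoch_text)
    upstream, sep, revision = version.rpartition("-")
    if not sep:
        upstream, revision = version, ""
    return epoch, upstream, revision


def compare_versions(a, b):
    """Return -1, 0 or 1, matching `dpkg --compare-versions a lt|eq|gt b`."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _verrevcmp(ua, ub) or _verrevcmp(ra, rb)


def assess(dpkg_query_output, packages=FIXED_PACKAGES, fixed=FIXED_VERSION,
           affected_from=AFFECTED_FROM):
    """Map package -> (version, verdict) for lines shaped like
    dpkg-query -W -f='${Package} ${Version} ${Status}\\n' output."""
    verdicts = {}
    for line in dpkg_query_output.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        package, version, state = parts[0], parts[1], parts[-1]
        if package not in packages or state != "installed":
            continue   # untracked, or only config files / half-installed
        if compare_versions(version, affected_from) < 0:
            verdicts[package] = (version, "not-affected")
        elif compare_versions(version, fixed) < 0:
            verdicts[package] = (version, "vulnerable")
        else:
            verdicts[package] = (version, "fixed")
    return verdicts


# Constructed sample (not captured from a real host) so the script runs offline.
SAMPLE_DPKG_OUTPUT = """\
asterisk 1:1.6.2.9-2+squeeze1 install ok installed
asterisk-config 1:1.6.2.9-2+squeeze2 install ok installed
asterisk-dbg 1:1.6.2.9-2+squeeze1 deinstall ok config-files
asterisk-dev 1:1.6.2.9-2+squeeze2~bpo60+1 install ok installed
"""

if __name__ == "__main__":
    try:
        output = subprocess.check_output(
            ["dpkg-query", "-W", "-f=${Package} ${Version} ${Status}\n"], text=True)
    except (OSError, subprocess.CalledProcessError):
        output = SAMPLE_DPKG_OUTPUT
    for package, (version, verdict) in sorted(assess(output).items()):
        print(package, version, verdict)
```

Run on a Debian host it queries dpkg-query directly; elsewhere it falls back to the constructed sample. In a shell script `dpkg --compare-versions` gives the same answers and is the right tool; the port is for captured package lists from hosts you cannot run commands on. A version verdict only says whether the binary carries the patch, not whether TCP/TLS listeners are actually enabled in your configuration, which the report notes they are not by default.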
--- Begin Message ---
Source: asterisk
Source-Version: 1:1.6.2.9-2+squeeze2
We believe that the bug you reported is fixed in the latest version of
asterisk, which is due to be installed in the Debian FTP archive:
asterisk-config_1.6.2.9-2+squeeze2_all.deb
to main/a/asterisk/asterisk-config_1.6.2.9-2+squeeze2_all.deb
asterisk-dbg_1.6.2.9-2+squeeze2_amd64.deb
to main/a/asterisk/asterisk-dbg_1.6.2.9-2+squeeze2_amd64.deb
asterisk-dev_1.6.2.9-2+squeeze2_all.deb
to main/a/asterisk/asterisk-dev_1.6.2.9-2+squeeze2_all.deb
asterisk-doc_1.6.2.9-2+squeeze2_all.deb
to main/a/asterisk/asterisk-doc_1.6.2.9-2+squeeze2_all.deb
asterisk-h323_1.6.2.9-2+squeeze2_amd64.deb
to main/a/asterisk/asterisk-h323_1.6.2.9-2+squeeze2_amd64.deb
asterisk-sounds-main_1.6.2.9-2+squeeze2_all.deb
to main/a/asterisk/asterisk-sounds-main_1.6.2.9-2+squeeze2_all.deb
asterisk_1.6.2.9-2+squeeze2.debian.tar.gz
to main/a/asterisk/asterisk_1.6.2.9-2+squeeze2.debian.tar.gz
asterisk_1.6.2.9-2+squeeze2.dsc
to main/a/asterisk/asterisk_1.6.2.9-2+squeeze2.dsc
asterisk_1.6.2.9-2+squeeze2_amd64.deb
to main/a/asterisk/asterisk_1.6.2.9-2+squeeze2_amd64.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 618...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Tzafrir Cohen <tzaf...@debian.org> (supplier of updated asterisk package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Sat, 23 Apr 2011 17:35:01 +0300
Source: asterisk
Binary: asterisk asterisk-h323 asterisk-doc asterisk-dev asterisk-dbg asterisk-sounds-main asterisk-config
Architecture: source all amd64
Version: 1:1.6.2.9-2+squeeze2
Distribution: stable-security
Urgency: high
Maintainer: Debian VoIP Team <pkg-voip-maintain...@lists.alioth.debian.org>
Changed-By: Tzafrir Cohen <tzaf...@debian.org>
Description:
asterisk - Open Source Private Branch Exchange (PBX)
asterisk-config - Configuration files for Asterisk
asterisk-dbg - Debugging symbols for Asterisk
asterisk-dev - Development files for Asterisk
asterisk-doc - Source code documentation for Asterisk
asterisk-h323 - H.323 protocol support for Asterisk
asterisk-sounds-main - Core Sound files for Asterisk (English)
Closes: 614580 618790 618791 623775
Changes:
asterisk (1:1.6.2.9-2+squeeze2) stable-security; urgency=high
.
* Patch AST-2011-002 (CVE-2011-1147): Multiple crash vulnerabilities in
UDPTL code (Closes: #614580).
* Patch AST-2011-005 (CVE-2011-1507): Resource exhaustion in Asterisk
Manager Interface.
* Patch AST-2011-005-p2: Resource exhaustion in chan_skinny and AJAM -
second part of the above (Closes: #618790).
* Patch AST-2011-006: Check for "system" privilege in the manager interface
(Closes: #623775).
* Patches AST-2011-003, manager_manager_bugfix_reload - its pre-requirements.
* Patch AST-2011-004: Remote crash vulnerability in TCP/TLS server
(Closes: #618791).
Checksums-Sha1:
76fff6bf31fbfef6244d210b4f4d2e5ccec86393 2172 asterisk_1.6.2.9-2+squeeze2.dsc
0218e418266fbaa403aaf7abc09be5b3b1262ffd 84959 asterisk_1.6.2.9-2+squeeze2.debian.tar.gz
50e1ccdf02d5c5ace5faf79085b187b4c512a446 1703746 asterisk-doc_1.6.2.9-2+squeeze2_all.deb
0e7f2f020ecf990b56338fa0d56cad8d66900295 635482 asterisk-dev_1.6.2.9-2+squeeze2_all.deb
3ad2a07e1645c9cca0d4403e47ca224c0a0bfadd 2186840 asterisk-sounds-main_1.6.2.9-2+squeeze2_all.deb
3df19a7623188b6658d075fdf2442d53e2e68285 716440 asterisk-config_1.6.2.9-2+squeeze2_all.deb
876a08fc6fde714374ed4ee6a680fbb34cfb0c87 3599066 asterisk_1.6.2.9-2+squeeze2_amd64.deb
baec5ac5b4c129012251d906dfeb3ca177b999fa 533072 asterisk-h323_1.6.2.9-2+squeeze2_amd64.deb
344add77edab899661b77c6e415af350f63d08ed 20322810 asterisk-dbg_1.6.2.9-2+squeeze2_amd64.deb
Checksums-Sha256:
55e27b3ef2993a8b38ac44b4fde2e51b09d5cbff309a3420428877a05c37755e 2172 asterisk_1.6.2.9-2+squeeze2.dsc
06992a32c513aad2d42553c8a7fb912b001886013c958796000a9c2a83d1aedc 84959 asterisk_1.6.2.9-2+squeeze2.debian.tar.gz
c7153f77d2ab488353823df1e5b06b82fc92a190e1f848c4d309a057d6ea800e 1703746 asterisk-doc_1.6.2.9-2+squeeze2_all.deb
49ca880e4dcb8c6c4108f063c5c3caea222fd91480661b19f5e9d28e93f230a6 635482 asterisk-dev_1.6.2.9-2+squeeze2_all.deb
784e56af9618f6c9d355e1995738591ed691d8a1d2595abc11033e2da7ab7dca 2186840 asterisk-sounds-main_1.6.2.9-2+squeeze2_all.deb
c856a4f0b93a34ff586140c9a5a7bf6ab435d31011be9ab2c1ec6ad65cec9777 716440 asterisk-config_1.6.2.9-2+squeeze2_all.deb
613f7b2a0ebdaebb995ad9045b84a3cbd8e428930b5e4b207ec07fa432de6d13 3599066 asterisk_1.6.2.9-2+squeeze2_amd64.deb
9d0e0a15c47c8476a9cc81b88daa057b6b462e217a1765157581b35fba116255 533072 asterisk-h323_1.6.2.9-2+squeeze2_amd64.deb
65cebb0efbfb7abe536e42c3586b1bb1fe354f80785ad659ad6d84a81e3cb47c 20322810 asterisk-dbg_1.6.2.9-2+squeeze2_amd64.deb
Files:
515a62f82baad1d0af6ae5dadae7294e 2172 comm optional asterisk_1.6.2.9-2+squeeze2.dsc
8697a1a846809424305cae4e3a36ff2e 84959 comm optional asterisk_1.6.2.9-2+squeeze2.debian.tar.gz
bf423038f53ca9fd37b7c611d7c96050 1703746 doc extra asterisk-doc_1.6.2.9-2+squeeze2_all.deb
87eff4e2170c9cbf210aa87351424033 635482 devel extra asterisk-dev_1.6.2.9-2+squeeze2_all.deb
2bb17d91e2029ae25593e3d5e3999843 2186840 comm optional asterisk-sounds-main_1.6.2.9-2+squeeze2_all.deb
fed9b9dac88607b781f62a7efde07d36 716440 comm optional asterisk-config_1.6.2.9-2+squeeze2_all.deb
c44625222c21809662549a6593844a46 3599066 comm optional asterisk_1.6.2.9-2+squeeze2_amd64.deb
c551867c1addad0a21557a9725041ab1 533072 comm optional asterisk-h323_1.6.2.9-2+squeeze2_amd64.deb
fb1e95d63f01fef96d41edeb4f14a399 20322810 debug extra asterisk-dbg_1.6.2.9-2+squeeze2_amd64.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
iEYEARECAAYFAk2zAlwACgkQxArWdkN9MoubTwCgyklnDyAEoH1XXQ3/byDgSJU7
6P4AmQGv2O0cmOxDoUuBypgKOKl9TV9W
=lUc8
-----END PGP SIGNATURE-----
--- End Message ---
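The .changes text above lists MD5 (Files), SHA-1 and SHA-256 sums and sizes for every file in the upload. What follows is an added example, not part of the thread or of Debian's tooling, that parses those fields and recomputes size and digest for files on disk. The excerpt embedded in it is constructed from two of the SHA-256 and Files entries above, with the leading space the format uses for continuation lines; the function names and the directory_reader helper are the example's own. Verify the PGP signature on the .changes with gpg before trusting the sums, and compare against Checksums-Sha256: MD5 and SHA-1 in the older fields are not collision-resistant.

```python
"""Added example (not Debian's tooling): verify downloaded files against the
Checksums fields of a .changes file."""
import hashlib
import os

# Which hash each field carries; the legacy Files field is MD5.
FIELD_ALGORITHMS = {"Files": "md5", "Checksums-Sha1": "sha1", "Checksums-Sha256": "sha256"}

# Constructed excerpt of the .changes text in the thread, with the leading
# space the format uses for continuation lines.
CHANGES_EXCERPT = """\
Format: 1.8
Source: asterisk
Version: 1:1.6.2.9-2+squeeze2
Checksums-Sha256:
 55e27b3ef2993a8b38ac44b4fde2e51b09d5cbff309a3420428877a05c37755e 2172 asterisk_1.6.2.9-2+squeeze2.dsc
 613f7b2a0ebdaebb995ad9045b84a3cbd8e428930b5e4b207ec07fa432de6d13 3599066 asterisk_1.6.2.9-2+squeeze2_amd64.deb
Files:
 515a62f82baad1d0af6ae5dadae7294e 2172 comm optional asterisk_1.6.2.9-2+squeeze2.dsc
 c44625222c21809662549a6593844a46 3599066 comm optional asterisk_1.6.2.9-2+squeeze2_amd64.deb
"""


def parse_checksums(changes_text):
    """Return {field: {filename: (hexdigest, size)}} for the checksum fields."""
    fields = {}
    current = None
    for line in changes_text.splitlines():
        if not line[:1].isspace():
            # A field line: "Name: value". Only checksum fields have entries we keep.
            name, _, _ = line.partition(":")
            current = name if name in FIELD_ALGORITHMS else None
            if current:
                fields.setdefault(current, {})
            continue
        if current is None:
            continue
        parts = line.split()
        # Files lines carry section and priority between the size and the name.
        if len(parts) != (5 if current == "Files" else 3):
            continue
        fields[current][parts[-1]] = (parts[0].lower(), int(parts[1]))
    return fields


def digest_hex(algorithm, data):
    return hashlib.new(algorithm, data).hexdigest()


def verify_blob(algorithm, expected_digest, expected_size, data):
    """Check the size first (cheap), then the digest; return a status string."""
    if len(data) != expected_size:
        return "size-mismatch"
    if digest_hex(algorithm, data) != expected_digest.lower():
        return "digest-mismatch"
    return "ok"


def verify_field(checksums, field, read_file):
    """Verify every file listed under `field`; read_file(name) returns bytes or None."""
    algorithm = FIELD_ALGORITHMS[field]
    report = {}
    for filename, (digest, size) in checksums.get(field, {}).items():
        data = read_file(filename)
        report[filename] = "missing" if data is None else verify_blob(algorithm, digest, size, data)
    return report


def directory_reader(directory):
    """read_file over one directory; basename() keeps a crafted .changes from escaping it."""
    def read_file(filename):
        path = os.path.join(directory, os.path.basename(filename))
        try:
            with open(path, "rb") as handle:
                return handle.read()
        except FileNotFoundError:
            return None
    return read_file


if __name__ == "__main__":
    import sys
    directory = sys.argv[1] if len(sys.argv) > 1 else "."
    sums = parse_checksums(CHANGES_EXCERPT)
    for filename, status in verify_field(sums, "Checksums-Sha256", directory_reader(directory)).items():
        print(f"{status:16} {filename}")
```

Point the script at the directory holding the downloaded .dsc and .deb; each file is reported as ok, size-mismatch, digest-mismatch or missing. The read_file callable is injected so the checker can be run against an archive listing, a fetch cache or an in-memory fixture without touching the filesystem.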