Control: retitle -1 asterisk: chan_sip: File descriptors leak (UDP sockets) / AST-2016-007, CVE-2016-7551
Control: found -1 1:13.7.2~dfsg-1
If I understand the jira tracker correctly, the patch available from <URL: https://issues.asterisk.org/jira/secure/attachment/54225/ASTERISK-26272-13.patch > will solve this issue.

The security problem seems to be that "a peer which is authorized to send SIP INVITE to an asterisk configured with chan_sip using overlap dialing can then create a denial-of-service attack by exhausting all the file descriptors available for the asterisk process."

Is that significant enough for a stable update? I guess so.

According to the upstream tracker, the problem was first discovered in version 13.5. Updating the BTS version tracking with the first Debian version after that.

-- 
Happy hacking
Petter Reinholdtsen