This was fixed in CVS HEAD and stable on 4/13/2004, and a new source release was made at the time (version 0.9.0).
I'm not sure why it would be brought up on a recent newsletter; it was discussed in here (or maybe on -dev) sometime around 4/15/2004.

James

On Mon, 28 Jun 2004, Jim Rosenberg wrote:

> The following is pasted from SecurityFocus Newsletter #254:
>
> -------------------------
> Asterisk PBX Multiple Logging Format String Vulnerabilities
> BugTraq ID: 10569
> Remote: Yes
> Date Published: Jun 18 2004
> Relevant URL: http://www.securityfocus.com/bid/10569
> Summary:
> It is reported that Asterisk is susceptible to format string
> vulnerabilities in its logging functions.
>
> An attacker may use these vulnerabilities to corrupt memory, and read or
> write arbitrary memory. Remote code execution is likely possible.
>
> Due to the nature of these vulnerabilities, there may exist many different
> avenues of attack. Anything that can potentially call the logging functions
> with user-supplied data is vulnerable.
>
> Versions 0.7.0 through to 0.7.2 are reported vulnerable.
> -------------------------
>
> What is the status of CVS-current with respect to this?
>
> I don't remember seeing any discussion of this issue here; apologies if I
> missed it.
> _______________________________________________
> Asterisk-Users mailing list
> [EMAIL PROTECTED]
> http://lists.digium.com/mailman/listinfo/asterisk-users
> To UNSUBSCRIBE or update options visit:
> http://lists.digium.com/mailman/listinfo/asterisk-users
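The advisory quoted above describes the classic bug class: a logging function that takes a printf-style format is handed user-supplied data as the format itself. The following is an added example, not Asterisk's code and not from either poster. It uses a hypothetical logger (demo_log) in the shape of such functions to show the safe calling pattern (data always passed as an argument to a fixed "%s" format), the compiler annotation that makes the unsafe pattern a build-time warning with -Wformat-security, and a small audit helper for spotting conversion specifiers in untrusted strings.

```c
/* Added example (hypothetical names; not Asterisk's own logging code). */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define LOG_BUF_SIZE 256

/* Last rendered log line, kept so callers (and the test) can inspect it. */
static char last_log_line[LOG_BUF_SIZE];

/* Hypothetical printf-style logger, like the functions the advisory refers to.
 * The format attribute lets GCC/Clang flag non-literal formats at compile
 * time when built with -Wformat-security. */
static void demo_log(const char *fmt, ...) __attribute__((format(printf, 1, 2)));

static void demo_log(const char *fmt, ...)
{
    va_list ap;

    memcpy(last_log_line, "[LOG] ", 6);
    va_start(ap, fmt);
    vsnprintf(last_log_line + 6, LOG_BUF_SIZE - 6, fmt, ap);
    va_end(ap);
}

/* Safe pattern: the untrusted string is an argument to a fixed "%s" format,
 * never the format itself. Returns the rendered line. */
const char *log_caller_id_safe(const char *caller_id)
{
    demo_log("%s", caller_id);
    return last_log_line;
}

/* The vulnerable pattern the advisory describes would be demo_log(caller_id),
 * which interprets the untrusted string as a format. It is deliberately not
 * called here; with the attribute above, -Wformat-security rejects it. */

/* Audit helper: does an untrusted string contain a conversion specifier
 * (a '%' not followed by another '%')? Useful for flagging probe strings in
 * captured signalling or logs, or for rejecting input before it reaches a
 * legacy logger that cannot be patched immediately. */
int contains_conversion(const char *s)
{
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {   /* "%%" is a literal percent sign */
            s++;
            continue;
        }
        return 1;
    }
    return 0;
}

int main(void)
{
    /* Constructed sample input: a caller-ID string carrying format directives. */
    const char *probe = "%x%x%n";

    printf("%s\n", log_caller_id_safe(probe));   /* directives appear literally */
    printf("contains_conversion: %d\n", contains_conversion(probe));
    return 0;
}
```

Compiling with -Wformat-security (or -Wformat=2) and the format attribute on every variadic logger is the cheapest detection for this class; the audit helper covers the remaining case where a logger cannot be annotated or rebuilt yet.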