Your message dated Tue, 22 Feb 2011 01:55:19 +0000
with message-id <[email protected]>
and subject line Bug#610487: fixed in asterisk 1:1.6.2.9-2+squeeze1
has caused the Debian Bug report #610487,
regarding CVE-2011-0495 asterisk: AST-2011-001: buffer overflow in caller ID URI encoding
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
610487: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=610487
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: asterisk
Version: 1:1.6.2.9-2
Justification: user security hole
Severity: grave
Tags: security patch upstream

*** Please type your report below this line ***
The Asterisk project has reported security advisory ASA-2011-011
http://downloads.asterisk.org/pub/security/AST-2011-001.html
(No CVE ATM)

"When forming an outgoing SIP request while in pedantic mode, a stack
buffer can be made to overflow if supplied with carefully crafted caller
ID information. "

Caller ID information may be provided by remote users. The advisory details
a potential workaround in the dialplan, but applying it varies greatly across
different configurations.

The issue applies to both the Lenny and Squeeze packages. For patches:
http://svn.debian.org/viewsvn/pkg-voip?view=rev&revision=8708  (Squeeze)

http://svn.debian.org/viewsvn/pkg-voip?view=rev&revision=8711  (Lenny)

-- 
Tzafrir Cohen         | [email protected] | VIM is
http://tzafrir.org.il |                    | a Mutt's
[email protected] |                    |  best
[email protected]    |                    | friend



--- End Message ---
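The advisory quoted in the report above describes a classic pattern: remotely supplied text (the caller ID) is percent-encoded into a fixed-size stack buffer, and because percent-encoding turns one input byte into up to three output bytes ("%XX"), a buffer sized for the raw input overflows. The following is an added example written for this page, not Asterisk's own code and not the upstream patch; it shows the defensive shape of such an encoder: the caller passes the output capacity, the encoder refuses to write past it, and a helper computes the worst-case size so buffers are allocated correctly in the first place. The character policy (RFC 3986 unreserved characters pass through, everything else is escaped) and the sample caller ID string are assumptions.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not Asterisk code. Demonstrates a bounded URI (percent)
 * encoder: a fixed-size destination can only be safe if the encoder knows
 * its capacity and refuses to exceed it, because each input byte may expand
 * to three output bytes. */

/* Assumed policy: RFC 3986 unreserved characters are copied verbatim,
 * everything else is escaped as %XX. */
static int uri_unreserved(unsigned char c)
{
    return isalnum(c) || c == '-' || c == '.' || c == '_' || c == '~';
}

/* Encode `in` into `out`, which holds `outlen` bytes including the NUL.
 * Returns the number of bytes written (excluding the NUL), or -1 if the
 * result would not fit. On -1 the output is an empty string, so a caller
 * that ignores the return value never sees a partially written buffer. */
int uri_encode_bounded(const char *in, char *out, size_t outlen)
{
    static const char hex[] = "0123456789ABCDEF";
    size_t o = 0;

    if (outlen == 0)
        return -1;

    for (const unsigned char *p = (const unsigned char *)in; *p; p++) {
        size_t need = uri_unreserved(*p) ? 1 : 3;

        /* Reserve one byte for the terminating NUL: the write is only
         * allowed if o + need fits strictly below outlen. */
        if (o + need >= outlen) {
            out[0] = '\0';
            return -1;
        }
        if (need == 1) {
            out[o++] = (char)*p;
        } else {
            out[o++] = '%';
            out[o++] = hex[*p >> 4];
            out[o++] = hex[*p & 0x0f];
        }
    }
    out[o] = '\0';
    return (int)o;
}

/* Worst-case encoded size for an input of `inlen` bytes: every byte may
 * become three, plus the NUL. A buffer sized from strlen(in) + 1 is the
 * mistake the advisory describes; size it from this instead. */
size_t uri_encode_max_len(size_t inlen)
{
    return inlen * 3 + 1;
}

int main(void)
{
    /* Constructed sample: a display name with characters that must be
     * escaped, so the encoded form is longer than the input. */
    const char *name = "Alice Smith <sip>";
    char small[16];   /* sized as if no expansion could happen */
    char big[64];     /* comfortably above uri_encode_max_len(17) == 52 */

    int n = uri_encode_bounded(name, small, sizeof small);
    printf("16-byte buffer: %s\n", n < 0 ? "rejected (would overflow)" : small);

    n = uri_encode_bounded(name, big, sizeof big);
    printf("64-byte buffer: %d bytes -> %s\n", n, big);
    return 0;
}
```

The important property is in the `o + need >= outlen` check: the encoder checks capacity before each write rather than after, so a hostile input of any length is rejected cleanly instead of being truncated mid-escape or spilling past the buffer. Rejecting (and logging) an oversized caller ID is the right behaviour for a PBX, since the value is chosen by the remote party.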
--- Begin Message ---
Source: asterisk
Source-Version: 1:1.6.2.9-2+squeeze1

We believe that the bug you reported is fixed in the latest version of
asterisk, which is due to be installed in the Debian FTP archive:

asterisk-config_1.6.2.9-2+squeeze1_all.deb
  to main/a/asterisk/asterisk-config_1.6.2.9-2+squeeze1_all.deb
asterisk-dbg_1.6.2.9-2+squeeze1_i386.deb
  to main/a/asterisk/asterisk-dbg_1.6.2.9-2+squeeze1_i386.deb
asterisk-dev_1.6.2.9-2+squeeze1_all.deb
  to main/a/asterisk/asterisk-dev_1.6.2.9-2+squeeze1_all.deb
asterisk-doc_1.6.2.9-2+squeeze1_all.deb
  to main/a/asterisk/asterisk-doc_1.6.2.9-2+squeeze1_all.deb
asterisk-h323_1.6.2.9-2+squeeze1_i386.deb
  to main/a/asterisk/asterisk-h323_1.6.2.9-2+squeeze1_i386.deb
asterisk-sounds-main_1.6.2.9-2+squeeze1_all.deb
  to main/a/asterisk/asterisk-sounds-main_1.6.2.9-2+squeeze1_all.deb
asterisk_1.6.2.9-2+squeeze1.debian.tar.gz
  to main/a/asterisk/asterisk_1.6.2.9-2+squeeze1.debian.tar.gz
asterisk_1.6.2.9-2+squeeze1.dsc
  to main/a/asterisk/asterisk_1.6.2.9-2+squeeze1.dsc
asterisk_1.6.2.9-2+squeeze1_i386.deb
  to main/a/asterisk/asterisk_1.6.2.9-2+squeeze1_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Faidon Liambotis <[email protected]> (supplier of updated asterisk package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Thu, 10 Feb 2011 19:03:02 +0200
Source: asterisk
Binary: asterisk asterisk-h323 asterisk-doc asterisk-dev asterisk-dbg asterisk-sounds-main asterisk-config
Architecture: source all i386
Version: 1:1.6.2.9-2+squeeze1
Distribution: stable-security
Urgency: high
Maintainer: Debian VoIP Team <[email protected]>
Changed-By: Faidon Liambotis <[email protected]>
Description: 
 asterisk   - Open Source Private Branch Exchange (PBX)
 asterisk-config - Configuration files for Asterisk
 asterisk-dbg - Debugging symbols for Asterisk
 asterisk-dev - Development files for Asterisk
 asterisk-doc - Source code documentation for Asterisk
 asterisk-h323 - H.323 protocol support for Asterisk
 asterisk-sounds-main - Core Sound files for Asterisk (English)
Closes: 610487
Changes: 
 asterisk (1:1.6.2.9-2+squeeze1) stable-security; urgency=high
 .
   * AST-2011-001/CVE-2011-0495: Stack buffer overflow in SIP channel driver
     (Closes: #610487)
Checksums-Sha1: 
 ea5e67823375319cc13814b99f48cc947734fb4a 2172 asterisk_1.6.2.9-2+squeeze1.dsc
 2f735f640a55a4b5ded7be183946dabb3002d531 23607389 asterisk_1.6.2.9.orig.tar.gz
 5a7e6fed8858719347af480d4336ab8143bbda7a 71289 asterisk_1.6.2.9-2+squeeze1.debian.tar.gz
 ae2fb7a258809f177664d524652791d07ef74bc4 1682432 asterisk-doc_1.6.2.9-2+squeeze1_all.deb
 28e899239703a651775d539384cbdc00eaef83b6 632344 asterisk-dev_1.6.2.9-2+squeeze1_all.deb
 85717308f30b64984c5bc40ccd6a4d31f147d80f 2182364 asterisk-sounds-main_1.6.2.9-2+squeeze1_all.deb
 a6bf69a8ca1689f5c1d0cf7f32e3da6517782fb1 710336 asterisk-config_1.6.2.9-2+squeeze1_all.deb
 86893a78a274765e12bd1ab4691a7c829175d165 3318020 asterisk_1.6.2.9-2+squeeze1_i386.deb
 b778aef0f746ce673cbcf9ce3d790af7f409e548 527270 asterisk-h323_1.6.2.9-2+squeeze1_i386.deb
 498e7e0dbc36af219771a12673d43593abab8abf 20294860 asterisk-dbg_1.6.2.9-2+squeeze1_i386.deb
Checksums-Sha256: 
 a0ebfdbd37c2b4bf79fec818d4d3f74ca917b6003529313aefd71a6eaa0550e7 2172 asterisk_1.6.2.9-2+squeeze1.dsc
 109a8f29bd08844d9310435fb944908e6ada60e36917f2a3ed800c266a08bc1c 23607389 asterisk_1.6.2.9.orig.tar.gz
 b19bb31debc705e95adc292013612a24cf3c2268f047000e2ce19d217f3b381b 71289 asterisk_1.6.2.9-2+squeeze1.debian.tar.gz
 82d1a13cf734cf3297742a0b5d10bda55c2ab64c7f89df54bdfab7bb226156ab 1682432 asterisk-doc_1.6.2.9-2+squeeze1_all.deb
 581571d2e10754116ce72f071ddde4f64ec7714a43a39dc9e38ba54c3a87d4bb 632344 asterisk-dev_1.6.2.9-2+squeeze1_all.deb
 d1e47279a18d166ce5419c9779a15aa3a6a6dad0521ed25db695e10bdf49557e 2182364 asterisk-sounds-main_1.6.2.9-2+squeeze1_all.deb
 93ee4997dde8d9439c94bcae68a012e831c48c0a7dc8eb6b5dd5c51fa9ff0495 710336 asterisk-config_1.6.2.9-2+squeeze1_all.deb
 d6b50462f6ec930bf5971df64d1def2b23b8771ec7cb3f18c61e9ef73e60fa0a 3318020 asterisk_1.6.2.9-2+squeeze1_i386.deb
 3d0c45604a326cde8cf0042c7fc3d3725d4dcf0a8afae1120f5f8fb478d719b6 527270 asterisk-h323_1.6.2.9-2+squeeze1_i386.deb
 bb4f781e7cdd11f1d937bcf522868ae73287b27643cd956c63f3261b0f76869e 20294860 asterisk-dbg_1.6.2.9-2+squeeze1_i386.deb
Files: 
 b97ed6c5d757528b31a9627fb6feb225 2172 comm optional asterisk_1.6.2.9-2+squeeze1.dsc
 1f947d951c419b8039d53a6e6168fd69 23607389 comm optional asterisk_1.6.2.9.orig.tar.gz
 83c8829a2a5d8ea8a0bf2da71dedeaba 71289 comm optional asterisk_1.6.2.9-2+squeeze1.debian.tar.gz
 5d1761d183f029263d92e8328530fd3f 1682432 doc extra asterisk-doc_1.6.2.9-2+squeeze1_all.deb
 7b457152562d1dfc0c33a114736e2069 632344 devel extra asterisk-dev_1.6.2.9-2+squeeze1_all.deb
 b3ba90c027f21c3ace0ce071d161b7fc 2182364 comm optional asterisk-sounds-main_1.6.2.9-2+squeeze1_all.deb
 f11b309f5e5e4513abc7fa04f6139929 710336 comm optional asterisk-config_1.6.2.9-2+squeeze1_all.deb
 f58c0cb0fc9e3b37f94e966f05618a73 3318020 comm optional asterisk_1.6.2.9-2+squeeze1_i386.deb
 ccce18515d375aab7c7742dbadc4bc09 527270 comm optional asterisk-h323_1.6.2.9-2+squeeze1_i386.deb
 930610804673118892826a09ac5c9236 20294860 debug extra asterisk-dbg_1.6.2.9-2+squeeze1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAk1UZZoACgkQVty5d8XpUzOGqwCfb4YgfOYYMpIlkM3r376T6hKr
VLwAnRwL3+m5orEgFNKOmO+e2MKv2tbs
=zlWt
-----END PGP SIGNATURE-----



--- End Message ---