On Mon, Dec 15, 2014 at 09:26:41PM +0100, Salvatore Bonaccorso wrote:
> Source: asterisk
> Version: 1:11.13.0~dfsg-1
> Severity: important
> Tags: security upstream fixed-upstream
> 
> Hi,
> 
> the following vulnerability was published for asterisk.
> 
> CVE-2014-9374[0]:
> | Double free vulnerability in the WebSocket Server (res_http_websocket
> | module) in Asterisk Open Source 11.x before 11.14.2, 12.x before 12.7.2,
> | and 13.x before 13.0.2 and Certified Asterisk 11.6 before 11.6-cert9
> | allows remote attackers to cause a denial of service (crash) by sending
> | a zero length frame after a non-zero length frame.
> 
> No description was found (try on a search engine)
> 
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> 
> For further information see:
> 
> [0] https://security-tracker.debian.org/tracker/CVE-2014-9374

Upstream's page:
http://downloads.asterisk.org/pub/security/AST-2014-019.html

1.8 doesn't have websocket support and thus is not vulnerable.

Patches for this and the previous issues are now finally committed to git
(branch wheezy). Sadly I'll have to use t-p-u as Unstable has an Asterisk
13 due to my miscalculation.

-- 
               Tzafrir Cohen
icq#16849755              jabber:tzafrir.co...@xorcom.com
+972-50-7952406           mailto:tzafrir.co...@xorcom.com
http://www.xorcom.com

