On Fri, Jun 06, 2008 at 04:27:01PM +0200, Nico Golde wrote:
> Package: asterisk-oh323
> Severity: grave
> Tags: security
>
> Hi,
> the following CVE (Common Vulnerabilities & Exposures) id was
> published for asterisk-oh323.

Nope: it's for asterisk-ooh323c from asterisk-addons. Included in Lenny,
not included in Etch. A new version has already been uploaded yesterday
by Faidon.

>
>
> CVE-2008-2543[0]:
> | The ooh323 channel driver in Asterisk Addons 1.2.x before 1.2.9 and
> | Asterisk-Addons 1.4.x before 1.4.7 creates a remotely accessible TCP
> | port that is intended solely for localhost communication, and
> | interprets some TCP application-data fields as addresses of memory to
> | free, which allows remote attackers to cause a denial of service
> | (daemon crash) via crafted TCP packets.
>
> If you fix the vulnerability please also make sure to include the
> CVE id in your changelog entry.
>
> http://svn.digium.com/view/asterisk-addons?view=rev&revision=620
> is the patch upstream applied to fix this issue. However the
> version in Debian has a completely different codebase and
> without having more knowledge about asterisk it is (at least
> for me) not possible to judge if the version in Debian is
> affected by this or not. I also have no asterisk setup to
> test this.
>
> Please check back with upstream and/or test this with a
> local installation. For now I marked it as unfixed in the
> tracker.
>
> For further information see:
>
> [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2543
>     http://security-tracker.debian.net/tracker/CVE-2008-2543
>
> --
> Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
> For security reasons, all text in this mail is double-rot13 encrypted.
> _______________________________________________
> Pkg-voip-maintainers mailing list
> [EMAIL PROTECTED]
> http://lists.alioth.debian.org/mailman/listinfo/pkg-voip-maintainers

--
Tzafrir Cohen
icq#16849755 jabber:[EMAIL PROTECTED]
+972-50-7952406 mailto:[EMAIL PROTECTED]
http://www.xorcom.com iax:[EMAIL PROTECTED]/tzafrir