On Thursday 23 June 2005 10:38, Moritz Muehlenhoff wrote:
> | If the command string is specifically crafted, is it possible to use
> | this stack overflow to execute arbitrary code on the Asterisk system.
> | The resulting execution is (typically) run with root privileges.

Upstream, the asterisk package is run as root. By default, the Debian GNU/Linux package of asterisk is run as user asterisk with limited privs, thus the severity of this exploit is not as extreme. In addition, the Debian GNU/Linux version of asterisk does not start the CLI interface by default.

Still, the patch should go into sarge, via the security team.

Mark