Massimiliano Toce,

Per the advisory I believe this issue is resolved in asterisk 1.4.x

debian unstable currently has version 1.4.9 so the bug should be resolved.

We have a backported version of 1.4.9 available from http://buildserver.net/

Mark



On Mon, 6 Aug 2007, you wrote:
> I have installed asterisk version 1:1.2.13~dfsg-2 (
> http://packages.debian.org/stable/comm/asterisk) and the problem seems to
> remain: asterisk crashes when it receives a REGISTER packet with no Request-URI
> and no SIP-Version.
> 
> regards,
> Massimiliano Toce
> 
> 
> 2007/8/3, Debian Bug Tracking System <[EMAIL PROTECTED]>:
> >
> > This is an automatic notification regarding your Bug report
> > #435521: Asterisk SIP DOS Vulnerability,
> > which was filed against the asterisk package.
> >
> > It has been closed by Mark Purcell < [EMAIL PROTECTED]>.
> >
> > Their explanation is attached below.  If this explanation is
> > unsatisfactory and you have not received a better one in a separate
> > message then please contact Mark Purcell < [EMAIL PROTECTED]> by replying
> > to this email.
> >
> > Debian bug tracking system administrator
> > (administrator, Debian Bugs database)
> >
> >
> >
> > ---------- Forwarded message ----------
> > From: Mark Purcell < [EMAIL PROTECTED]>
> > To: Massimiliano Toce <[EMAIL PROTECTED]>, [EMAIL PROTECTED]
> >
> > Date: Fri, 3 Aug 2007 17:48:16 +0100
> > Subject: Re: Bug#435521: Asterisk SIP DOS Vulnerability
> > Version: 1:1.4.2~dfsg-1
> >
> > The advisory stated this issue is resolved in version 1.4.1 and later.
> >
> > It would be useful if you could confirm using S.T.R.E.S.S that the
> > version in debian unstable does indeed have this issue resolved.
> >
> > Mark
> >
> >
> > On Wed, 1 Aug 2007, Massimiliano Toce wrote:
> > > Package: asterisk
> > > Version: 1:1.2.13~dfsg-2
> > > Severity: critical
> > > Tags: security
> > >
> > > Asterisk crashes when it handles a REGISTER message with no URI and no
> > > SIP-Version. See http://labs.musecurity.com/advisories/MU-200703-01.txt for
> > > more details.
> > >
> > > We found it using S.T.R.E.S.S., software for security testing
> > > (http://lart.det.unifi.it/Members/rosi/stress). We are using Debian
> > > GNU/Linux 4.0, kernel 2.6.18-4-686.
> > >
> > > regards,
> > > Massimiliano Toce, Leonardo Maccari, Matteo Rosi
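The crash described in this thread is triggered by a REGISTER whose request line lacks the Request-URI and SIP-Version. The following is an added example, not Asterisk's own code, of the input check a SIP parser should perform before any later stage touches those fields: it splits the request line into exactly three tokens and rejects the truncated forms. Function and type names are my own.

```c
#include <stdio.h>
#include <string.h>
/* Parsed form of a SIP request line: Method SP Request-URI SP SIP-Version. */
struct sip_request_line { char method[32]; char uri[256]; char version[16]; };

/* Copy the token up to the next space (or end of string) into dst; return a
 * pointer past the delimiter, or NULL if the token is empty or too long. */
static const char *take_token(const char *p, char *dst, size_t dstlen)
{
    const char *end = strchr(p, ' ');
    size_t len = end ? (size_t)(end - p) : strlen(p);
    if (len == 0 || len >= dstlen)
        return NULL;
    memcpy(dst, p, len);
    dst[len] = '\0';
    return end ? end + 1 : p + len;
}

/* Return 0 for a well-formed request line, -1 otherwise. "REGISTER" alone,
 * or "REGISTER sip:host" with no SIP-Version, is rejected here instead of
 * being handed to code that assumes all three fields are present. */
int parse_sip_request_line(const char *line, struct sip_request_line *out)
{
    char buf[512];
    size_t n = strcspn(line, "\r\n");          /* drop a trailing CRLF */
    const char *p = buf;
    if (n >= sizeof buf)
        return -1;
    memcpy(buf, line, n);
    buf[n] = '\0';
    if (!(p = take_token(p, out->method, sizeof out->method)))   return -1;
    if (!(p = take_token(p, out->uri, sizeof out->uri)))         return -1;
    if (!(p = take_token(p, out->version, sizeof out->version))) return -1;
    if (*p != '\0' || strncmp(out->version, "SIP/", 4) != 0)    /* junk after version, or not SIP */
        return -1;
    return 0;
}

int main(void)
{
    /* Constructed inputs: one valid line and the two truncated forms. */
    const char *samples[] = { "REGISTER sip:example.com SIP/2.0\r\n",
                              "REGISTER sip:example.com\r\n", "REGISTER\r\n" };
    struct sip_request_line r;
    for (size_t i = 0; i < 3; i++)
        printf("sample %zu: %s\n", i + 1,
               parse_sip_request_line(samples[i], &r) == 0 ? "accepted" : "rejected");
    return 0;
}
```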

