Massimiliano Toce,

Per the advisory I believe this issue is resolved in asterisk 1.4.x.

debian unstable currently has version 1.4.9 so the bug should be resolved.

We have a backported version of 1.4.9 available from http://buildserver.net/

Mark

On Mon, 6 Aug 2007, you wrote:
> I have installed asterisk version 1:1.2.13~dfsg-2
> (http://packages.debian.org/stable/comm/asterisk) and the problem seems to
> remain: asterisk crashes when it receives a REGISTER packet with no Request-URI
> and no SIP-Version.
>
> regards,
> Massimiliano Toce
>
>
> 2007/8/3, Debian Bug Tracking System <[EMAIL PROTECTED]>:
> >
> > This is an automatic notification regarding your Bug report
> > #435521: Asterisk SIP DOS Vulnerability,
> > which was filed against the asterisk package.
> >
> > It has been closed by Mark Purcell <[EMAIL PROTECTED]>.
> >
> > Their explanation is attached below. If this explanation is
> > unsatisfactory and you have not received a better one in a separate
> > message then please contact Mark Purcell <[EMAIL PROTECTED]> by replying
> > to this email.
> >
> > Debian bug tracking system administrator
> > (administrator, Debian Bugs database)
> >
> >
> > ---------- Forwarded message ----------
> > From: Mark Purcell <[EMAIL PROTECTED]>
> > To: Massimiliano Toce <[EMAIL PROTECTED]>, [EMAIL PROTECTED]
> > Date: Fri, 3 Aug 2007 17:48:16 +0100
> > Subject: Re: Bug#435521: Asterisk SIP DOS Vulnerability
> > Version: 1:1.4.2~dfsg-1
> >
> > The advisory stated this issue is resolved in version 1.4.1 and later.
> >
> > It would be useful if you could confirm using S.T.R.E.S.S that the
> > version in debian unstable does indeed have this issue resolved.
> >
> > Mark
> >
> >
> > On Wed, 1 Aug 2007, Massimiliano Toce wrote:
> > > Package: asterisk
> > > Version: 1:1.2.13~dfsg-2
> > > Severity: critical
> > > Tags: security
> > >
> > > Asterisk crashes when it handles a REGISTER message with no URI and no
> > > SIP-Version. See http://labs.musecurity.com/advisories/MU-200703-01.txt
> > > for more details.
> > >
> > > We found it using S.T.R.E.S.S., software for security testing
> > > (http://lart.det.unifi.it/Members/rosi/stress).
> > > We are using Debian GNU/Linux 4.0, kernel 2.6.18-4-686.
> > >
> > > regards,
> > > Massimiliano Toce, Leonardo Maccari, Matteo Rosi
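A defensive illustration of the defect discussed in this thread, added here and not code from Asterisk or from either correspondent: a strict RFC 3261 request-line check that rejects a REGISTER whose first line lacks its Request-URI and SIP-Version, instead of passing it on to code that assumes both are present. The sample packets are constructed for the example; the hostnames and tags in them are placeholders.

```python
import re

# Constructed sample packets (not from the bug report): a well-formed REGISTER
# and the malformed variant the report describes, a REGISTER whose request line
# carries no Request-URI and no SIP-Version.
GOOD_REGISTER = (
    "REGISTER sip:example.invalid SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776asdhds\r\n"
    "From: <sip:alice@example.invalid>;tag=1928301774\r\n"
    "To: <sip:alice@example.invalid>\r\n"
    "Call-ID: a84b4c76e66710\r\n"
    "CSeq: 1 REGISTER\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)
BAD_REGISTER = GOOD_REGISTER.replace(
    "REGISTER sip:example.invalid SIP/2.0", "REGISTER", 1)

# RFC 3261 request line: Method SP Request-URI SP SIP-Version CRLF.
# Method is a token, the URI may not contain whitespace, exactly one SP between fields.
TOKEN = r"[A-Za-z0-9\-.!%*_+`'~]+"
REQUEST_LINE = re.compile(rf"^({TOKEN}) (\S+) (SIP/\d+\.\d+)$")


class MalformedRequest(ValueError):
    """Raised for any request line that does not have all three mandatory fields."""


def parse_request_line(packet: str) -> dict:
    """Validate the first line of a SIP request and return its three fields.

    Raises MalformedRequest rather than letting a missing Request-URI or
    SIP-Version reach code that dereferences them unconditionally.
    """
    first_line, sep, _rest = packet.partition("\r\n")
    if not sep:
        raise MalformedRequest("request line not terminated by CRLF")
    m = REQUEST_LINE.match(first_line)
    if m is None:
        raise MalformedRequest(f"request line is not 'Method SP Request-URI SP SIP-Version': {first_line!r}")
    method, uri, version = m.groups()
    if version != "SIP/2.0":
        raise MalformedRequest(f"unsupported SIP version {version!r}")
    if not uri.lower().startswith(("sip:", "sips:")):
        raise MalformedRequest(f"Request-URI lacks a sip:/sips: scheme: {uri!r}")
    return {"method": method, "uri": uri, "version": version}


def accept(packet: str) -> bool:
    """True if the request line is well formed; False otherwise, never raising."""
    try:
        parse_request_line(packet)
        return True
    except MalformedRequest:
        return False
```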