Package: asterisk
Version: 1:1.6.2.9-2+squeeze2
Justification: user security hole
Severity: grave
Tags: security upstream patch

The 'system' write privilege is required for Asterisk Manager Interface
actions that may result in execution of an arbitrary shell command.
However:

* This was not properly tested for asynchronous events
* A previous fix of the logic of this test was not applied in the
  Squeeze version.

Upstream also applied a similar fix in 1.4 but 1.4 (e.g. the version in
Lenny) did not include the test for the 'system' write permission in the
first place and hence such a fix can break existing systems.

Also note that access to the Manager Interface requires authentication.

-- 
Tzafrir Cohen         | tzaf...@jabber.org | VIM is
http://tzafrir.org.il |                    | a Mutt's
tzaf...@cohens.org.il |                    | best
tzaf...@debian.org    |                    | friend
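
Added example, not part of the original report or of Asterisk's own code: a small audit that parses a manager.conf and groups Manager Interface accounts by whether they hold the 'system' write privilege, since accounts without it are the ones that depend on the server-side check described above. The sample configuration and account names are constructed, and the script assumes the usual manager.conf layout (one section per account, a comma-separated `write` line, `all` treated as including `system`).

```python
import re

# Constructed sample manager.conf; account names are placeholders.
SAMPLE_CONF = """\
[general]
enabled = yes
[admin]
write = system,call,command   ; shell access is intended here
[dialer]
read = call
write = call,originate        ; no 'system': depends on the server-side check
[monitor]
read = all
[ops]
write = all
"""

SECTION = re.compile(r"^\[([^\]]+)\]")

def write_classes(conf_text):
    """Map each AMI account to the set of write classes granted to it."""
    accounts, current = {}, None
    for raw in conf_text.splitlines():
        line = raw.split(";", 1)[0].strip()      # ';' starts a comment
        if not line or line.startswith("#"):     # skip blanks and #include
            continue
        m = SECTION.match(line)
        if m:
            name = m.group(1).strip()
            current = None if name.lower() == "general" else name
            if current:
                accounts.setdefault(current, set())
        elif current and "=" in line:
            key, value = line.split("=", 1)
            if key.strip().lower() == "write":
                classes = value.lstrip(">").split(",")   # '=>' is also valid
                accounts[current] |= {c.strip().lower() for c in classes if c.strip()}
    return accounts

def audit(conf_text):
    """Group accounts by whether 'system' write is granted, directly or via 'all'."""
    report = {"system_write": [], "no_system_write": []}
    for name, classes in sorted(write_classes(conf_text).items()):
        granted = bool(classes & {"system", "all"})
        report["system_write" if granted else "no_system_write"].append(name)
    return report

if __name__ == "__main__":
    for bucket, names in audit(SAMPLE_CONF).items():
        print(bucket, names)
```

Accounts listed under `no_system_write` are the ones to review first on an unpatched 1.6.2 package, for example by restricting their write classes or their permitted source addresses until the fix is installed.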