That's AST-2009-005[1], which mentions:

> Note that while this potential vulnerability has existed in Asterisk for
> a very long time, it is only potentially exploitable in 1.6.1 and above,
> since those versions are the first that have allowed SIP packets to
> exceed 1500 bytes total, which does not permit strings that are large
> enough to crash Asterisk. (The number strings presented to us by the
> security researcher were approximately 32,000 bytes long.)
>
> Additionally note that while this can crash Asterisk, execution of
> arbitrary code is not possible with this vector.

Hence, I don't think it warrants a security update for stable/oldstable.
Unstable is vulnerable though, I'll prepare a fix.

Regards,
Faidon

1: http://downloads.asterisk.org/pub/security/AST-2009-005.html