On Sat, Aug 01, 2009 at 10:57:33AM +0200, Giuseppe Iuculano wrote:
> Package: asterisk
> Version: 1:1.6.2.0~dfsg~beta3-1
> Severity: serious
> Tags: security patch
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
>
> Hi,
> the following CVE (Common Vulnerabilities & Exposures) id was
> published for asterisk.
>
> CVE-2009-2651[0]:
> | main/rtp.c in Asterisk Open Source 1.6.1 before 1.6.1.2 allows remote
> | attackers to cause a denial of service (crash) via an RTP text frame
> | without a certain delimiter, which triggers a NULL pointer dereference
> | and the subsequent calculation of an invalid pointer.
>
> If you fix the vulnerability please also make sure to include the
> CVE id in your changelog entry.
>
> For further information see:
>
> [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2651
> http://security-tracker.debian.net/tracker/CVE-2009-2651
> http://downloads.asterisk.org/pub/security/AST-2009-004.html
> Patch:
> http://downloads.asterisk.org/pub/security/AST-2009-004-1.6.1.diff.txt
Asterisk maintainers, what should be done about stable? Would it
make sense to update the stable version to 1.4.26.2 in a point update?
(IIRC there's still a performance regression affecting Lenny from
a previous security update?)
Cheers,
Moritz
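The bug class the CVE text describes (a delimiter search that returns NULL, followed by pointer arithmetic on that result) is illustrated below. This is an added example for this thread, not code from Asterisk's main/rtp.c or from the AST-2009-004 patch: the delimiter byte, the "header,text" payload layout and the two sample frames are constructed assumptions for the illustration only.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical delimiter separating a header from the text portion of a
 * payload. Asterisk's real RTP text framing is NOT this; it is assumed
 * here only to make the NULL-from-memchr problem concrete. */
#define TEXT_DELIM ','

struct text_span {
    size_t off;   /* offset of the text after the delimiter */
    size_t len;   /* number of text bytes */
};

/* Unsafe pattern: the memchr() result is used without a NULL check.
 * Pointer subtraction involving NULL is undefined behaviour, so the
 * arithmetic is done on uintptr_t here purely so the wrap-around is
 * observable: a frame with no delimiter yields an offset far outside the
 * buffer, and a caller that indexes with it reads or writes wild memory. */
static struct text_span locate_text_unsafe(const unsigned char *payload, size_t len)
{
    struct text_span s;
    const unsigned char *delim = memchr(payload, TEXT_DELIM, len);
    uintptr_t pos = (uintptr_t)delim - (uintptr_t)payload;  /* garbage when delim == NULL */
    s.off = (size_t)pos + 1;
    s.len = len - s.off;                                      /* underflows as well */
    return s;
}

/* Hardened pattern: reject a frame without the delimiter before computing
 * anything from its position, and keep the result inside the frame.
 * Returns 0 on success, -1 for a malformed frame. */
static int locate_text_safe(const unsigned char *payload, size_t len, struct text_span *out)
{
    const unsigned char *delim;
    if (!payload || len == 0)
        return -1;
    delim = memchr(payload, TEXT_DELIM, len);
    if (!delim)
        return -1;            /* the CVE-2009-2651 case: no delimiter present */
    out->off = (size_t)(delim - payload) + 1;
    out->len = len - out->off;
    return 0;
}

/* Constructed sample frames, not captured traffic. */
static const unsigned char good_frame[] = "hdr,hello";
static const unsigned char bad_frame[]  = "hdrhello";   /* delimiter missing */

/* 1 if the unsafe parser produces an out-of-bounds span for the
 * delimiter-less frame (which it always does). */
int unsafe_parser_goes_out_of_bounds(void)
{
    size_t len = sizeof(bad_frame) - 1;
    struct text_span s = locate_text_unsafe(bad_frame, len);
    return s.off > len;
}

/* 1 if the hardened parser locates "hello" at offset 4, length 5. */
int safe_parser_accepts_good_frame(void)
{
    struct text_span s;
    if (locate_text_safe(good_frame, sizeof(good_frame) - 1, &s) != 0)
        return 0;
    return s.off == 4 && s.len == 5;
}

/* 1 if the hardened parser rejects the delimiter-less frame instead of
 * computing a pointer from NULL. */
int safe_parser_rejects_bad_frame(void)
{
    struct text_span s;
    return locate_text_safe(bad_frame, sizeof(bad_frame) - 1, &s) == -1;
}

int main(void)
{
    printf("unsafe parser out of bounds on bad frame: %d\n", unsafe_parser_goes_out_of_bounds());
    printf("safe parser accepts good frame:          %d\n", safe_parser_accepts_good_frame());
    printf("safe parser rejects bad frame:           %d\n", safe_parser_rejects_bad_frame());
    return 0;
}
```

The point for a reviewer of the vendor patch is the second function: the fix for this class is a NULL check on the search result before any offset or pointer is derived from it, not a bound on the derived value afterwards, because by then the value is already computed from an invalid pointer.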