On Tue, Jan 08, 2013 at 06:49:56PM +0100, Moritz Mühlenhoff wrote:
> On Tue, Jan 08, 2013 at 02:45:59AM +0200, Tzafrir Cohen wrote:
> > Hi,
> >
> > On Wed, Jan 02, 2013 at 10:56:43PM +0100, Salvatore Bonaccorso wrote:
> > > Package: asterisk
> > > Severity: grave
> > > Tags: security
> > > Justification: user security hole
> > >
> > > Hi,
> > >
> > > the following vulnerabilities were published for asterisk.
> > >
> > > CVE-2012-5976[0]:
> > > Crashes due to large stack allocations when using TCP
> > >
> > > CVE-2012-5977[1]:
> > > Denial of Service Through Exploitation of Device State Caching
> > >
> > > If you fix the vulnerabilities please also make sure to include the
> > > CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
> > >
> > > For further information see:
> > >
> > > [0] http://security-tracker.debian.org/tracker/CVE-2012-5976
> > > [1] http://security-tracker.debian.org/tracker/CVE-2012-5977
> > >
> > > Please adjust the affected versions in the BTS as needed.
> > >
> > > According to the advisories all 1.8.x versions seem affected.
> >
> > Likewise is version 1.6.2 from Stable. I have fixes ready.
>
> Ok, please upload to security-master once tests are sufficient.
Uploaded.

> > On a side note, I'm not sure why
> > https://security-tracker.debian.org/tracker/CVE-2011-2666 is listed as
> > open. The respective bug has been closed:
> > As I mentioned before, I can change the default for alwaysauthreject,
> > I'm just not sure this should be done on a Stable package.
>
> It's marked as
>
> [squeeze] - asterisk <no-dsa> (minor issue; can be addressed through
> configuration)
>
> The tracker is correct in so far, that this isn't fixed in squeeze through
> a code fix. If you provide a short text what people need to modify in their
> config we can add it to the DSA text and use this as the "fix" for stable.

Here goes:

CVE-2011-2666 (AST-2011-011) is an advisory that contained two parts: It is generally useful security-wise to provide the same answer upon authentication whether or not the authentication failed due to a missing or bad username or a bad password (to prevent enumerating existing users). Asterisk has a setting called 'alwaysauthreject' in sip.conf to do that, but up until 1.8 its value has defaulted to "no" (different answer).

The patch of CVE-2011-2666 fixed a case where even with this set to yes, the response is different. This was fixed in 1.6.2.9-2+squeeze3. However, in order to avoid breaking backward compatibility the default has remained the same.

Upstream developers strongly recommend that users set 'alwaysauthreject=yes' in the section '[general]' of sip.conf.

-- 
Tzafrir Cohen         | tzaf...@jabber.org | VIM is
http://tzafrir.org.il |                    | a Mutt's
tzaf...@cohens.org.il |                    | best
tzaf...@debian.org    |                    | friend
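As an added example (not code from this thread or from the Asterisk project), a small Python check that parses a sip.conf and reports whether the '[general]' section actually enables alwaysauthreject as recommended above; it treats a missing option as the "no" default described in the thread. The sample configs are constructed, and the parser only handles the common `key=value` / `key => value` and `;` comment syntax, not `\;` escapes or `;--` block comments.

```python
import re
from typing import Dict, List, Tuple

# Values Asterisk's ast_true() accepts as true: yes/true/y/t/1/on.
TRUE_VALUES = {"yes", "true", "y", "t", "1", "on"}
SECTION_RE = re.compile(r"^\[([^\]]+)\]")            # [general], [1000](!)
ASSIGN_RE = re.compile(r"^([^=\s]+)\s*=>?\s*(.*)$")   # key=value / key => value


def parse_asterisk_conf(text: str) -> Dict[str, List[Tuple[str, str]]]:
    """Parse Asterisk's INI-like config into {section: [(key, value), ...]}."""
    sections: Dict[str, List[Tuple[str, str]]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()   # ';' starts a comment
        if not line or line.startswith("#"):  # blank line or #include/#exec
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1).strip()
            sections.setdefault(current, [])
            continue
        m = ASSIGN_RE.match(line)
        if m and current is not None:
            sections[current].append((m.group(1).strip(), m.group(2).strip()))
    return sections


def alwaysauthreject_enabled(text: str) -> bool:
    """True only if [general] explicitly enables alwaysauthreject."""
    value = "no"  # default on the versions discussed in the thread
    for key, val in parse_asterisk_conf(text).get("general", []):
        if key.lower() == "alwaysauthreject":
            value = val   # repeated keys: the last assignment wins
    return value.lower() in TRUE_VALUES


# Constructed sample sip.conf: first with the weak default, then hardened.
WEAK_SIP_CONF = """[general]
context=default        ; constructed sample
bindport=5060
[1000](!)
type=friend
"""
HARDENED_SIP_CONF = WEAK_SIP_CONF.replace("bindport=5060", "bindport=5060\nalwaysauthreject=yes")

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_SIP_CONF), ("hardened", HARDENED_SIP_CONF)):
        print(name, "enabled" if alwaysauthreject_enabled(conf) else "DISABLED")
```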