Public bug reported:

Binary package hint: asterisk

References:
http://www.debian.org/security/2007/dsa-1417

Quoting DSA-1417-1:
"Tilghman Lesher discovered that the logging engine of Asterisk, a free 
software PBX and telephony toolkit performs insufficient sanitising of 
call-related data, which may lead to SQL injection."

Quoting CVE-2007-6170:
"SQL injection vulnerability in the Call Detail Record Postgres logging engine 
(cdr_pgsql) in Asterisk 1.4.x before 1.4.15, 1.2.x before 1.2.25, B.x before 
B.2.3.4, and C.x before C.1.0-beta6 allows remote authenticated users to 
execute arbitrary SQL commands via (1) ANI and (2) DNIS arguments."

** Affects: asterisk (Ubuntu)
     Importance: Undecided
         Status: New

** Visibility changed to: Public

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2007-6170

-- 
[asterisk] missing input sanitising
https://bugs.launchpad.net/bugs/173610
You received this bug notification because you are a member of Ubuntu
Bugs, which is the bug contact for Ubuntu.

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
