*** This bug is a security vulnerability *** Public security bug reported:
Binary package hint: asterisk References: DSA-1525-1 (http://www.debian.org/security/2008/dsa-1525) (Note: CVE-2007-6430 has already been reported as Bug#199118, but is still open for all stable releases.) Quoting: "Several remote vulnerabilities have been discovered in Asterisk, a free software PBX and telephony toolkit. The Common Vulnerabilities and Exposures project identifies the following problems: * CVE-2007-6430 Tilghman Lesher discovered that database-based registrations are insufficiently validated. This only affects setups, which are configured to run without a password and only host-based authentication. * CVE-2008-1332 Jason Parker discovered that insufficient validation of From: headers inside the SIP channel driver may lead to authentication bypass and the potential external initiation of calls. * CVE-2008-1333 This update also fixes a format string vulnerability, which can only be triggered through configuration files under control of the local administrator. In later releases of Asterisk this issue is remotely exploitable and tracked as CVE-2008-1333." ** Affects: asterisk (Ubuntu) Importance: Undecided Status: New ** Visibility changed to: Public ** CVE added: http://www.cve.mitre.org/cgi- bin/cvename.cgi?name=2008-1332 ** CVE added: http://www.cve.mitre.org/cgi- bin/cvename.cgi?name=2008-1333 -- [asterisk] several vulnerabilities https://bugs.launchpad.net/bugs/210124 You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
