Debian Security Advisory
DSA-2225-1 asterisk -- several vulnerabilities
- Date Reported:
- 25 Apr 2011
- Affected Packages:
- Security database references:
- In Mitre's CVE dictionary: CVE-2011-1147, CVE-2011-1174, CVE-2011-1175, CVE-2011-1507, CVE-2011-1599.
- More information:
Several vulnerabilities have been discovered in Asterisk, an Open Source PBX and telephony toolkit.
Matthew Nicholson discovered that incorrect handling of UDPTL packets may lead to denial of service or the execution of arbitrary code.
Blake Cornell discovered that incorrect connection handling in the manager interface may lead to denial of service.
Blake Cornell and Chris May discovered that incorrect TCP connection handling may lead to denial of service.
Tzafrir Cohen discovered that insufficient limitation of connection requests in several TCP based services may lead to denial of service. Please see AST-2011-005 for details.
Matthew Nicholson discovered a privilege escalation vulnerability in the manager interface.
For the oldstable distribution (lenny), this problem has been fixed in version 1:18.104.22.168~dfsg-3+lenny2.1.
For the stable distribution (squeeze), this problem has been fixed in version 1:22.214.171.124-2+squeeze2.
For the unstable distribution (sid), this problem has been fixed in version 1:126.96.36.199-1.
We recommend that you upgrade your asterisk packages.