Security Information / 2011 / Security Information -- DSA-2225-1 asterisk

Debian Security Advisory

DSA-2225-1 asterisk -- several vulnerabilities

Date Reported:

25 Apr 2011

Affected Packages:

asterisk

Vulnerable:

Yes

Security database references:

In Mitre's CVE dictionary: CVE-2011-1147, CVE-2011-1174, CVE-2011-1175, CVE-2011-1507, CVE-2011-1599.

More information:

Several vulnerabilities have been discovered in Asterisk, an Open Source PBX and telephony toolkit.

• CVE-2011-1147

  Matthew Nicholson discovered that incorrect handling of UDPTL packets may lead to denial of service or the execution of arbitrary code.

• CVE-2011-1174

  Blake Cornell discovered that incorrect connection handling in the manager interface may lead to denial of service.

• CVE-2011-1175

  Blake Cornell and Chris May discovered that incorrect TCP connection handling may lead to denial of service.

• CVE-2011-1507

  Tzafrir Cohen discovered that insufficient limitation of connection requests in several TCP based services may lead to denial of service. Please see AST-2011-005 for details.

• CVE-2011-1599

  Matthew Nicholson discovered a privilege escalation vulnerability in the manager interface.

For the oldstable distribution (lenny), this problem has been fixed in version 1:1.4.21.2~dfsg-3+lenny2.1.

For the stable distribution (squeeze), this problem has been fixed in version 1:1.6.2.9-2+squeeze2.

For the unstable distribution (sid), this problem has been fixed in version 1:1.8.3.3-1.

We recommend that you upgrade your asterisk packages.