Florian Weimer | 12 Jun 21:38 2012

[SECURITY] [DSA 2493-1] asterisk security update

Debian Security Advisory DSA-2493-1                   security@debian.org
http://www.debian.org/security/                            Florian Weimer
June 12, 2012                          http://www.debian.org/security/faq

Package        : asterisk
Vulnerability  : denial of service
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2012-2947 CVE-2012-2948
Debian Bug     : 675204 675210

Several vulnerabilities were discovered in Asterisk, a PBX and
telephony toolkit.

	The IAX2 channel driver allows remote attackers to cause a
	denial of service (daemon crash) by placing a call on hold
	(when a certain mohinterpret setting is enabled).

	The Skinny channel driver allows remote authenticated users to
	cause a denial of service (NULL pointer dereference and daemon
	crash) by closing a connection in off-hook mode.

In addition, it was discovered that Asterisk does not set the
alwaysauthreject option by default in the SIP channel driver.  This
allows remote attackers to observe a difference in response behavior
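A defender's configuration check for the alwaysauthreject point, added here as an example that is not part of the advisory or of Asterisk itself: it parses an Asterisk-style sip.conf and reports whether the [general] section explicitly enables the option, treating an absent key as the insecure default the advisory describes. The two sip.conf fragments are constructed for illustration.

```python
import re

# Constructed sample: a [general] section that never sets alwaysauthreject,
# so the Asterisk default (no) applies.
WEAK_SIP_CONF = """\
[general]
context=default
bindport=5060          ; alwaysauthreject not set: defaults to no

[1001]
type=friend
secret=CHANGEME
"""

# Constructed sample: the same file with the option enabled.
HARDENED_SIP_CONF = """\
[general]
context=default
bindport=5060
alwaysauthreject=yes   ; same reply for valid and invalid peers

[1001]
type=friend
secret=CHANGEME
"""

def parse_asterisk_conf(text):
    """Minimal parser for Asterisk's INI-style files: strips ';' comments,
    accepts both 'key = value' and 'key => value', lower-cases section and
    key names, and keeps duplicates in order (Asterisk allows repeats)."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"^\[([^\]]+)\]", line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, [])
            continue
        m = re.match(r"^([^=]+?)\s*=>?\s*(.*)$", line)
        if m and current is not None:
            sections[current].append((m.group(1).strip().lower(), m.group(2).strip()))
    return sections

def alwaysauthreject_enabled(text):
    """True only if [general] sets alwaysauthreject to a yes-like value.
    Absent key means the default (no); the last occurrence wins."""
    value = "no"
    for key, val in parse_asterisk_conf(text).get("general", []):
        if key == "alwaysauthreject":
            value = val.lower()
    return value in ("yes", "true", "y", "t", "on", "1")
```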