Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2006.0516 -- [Debian]
New Asterisk packages fix denial of service
28 July 2006
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: asterisk
Publisher: Debian
Operating System: Debian GNU/Linux 3.1
Impact: Execute Arbitrary Code/Commands
Denial of Service
Access: Remote/Unauthenticated
CVE Names: CVE-2006-2898
Ref: AA-2006.0048
Original Bulletin: http://www.debian.org/security/2006/dsa-1126
http://www.asterisk.org/node/95
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- - --------------------------------------------------------------------------
Debian Security Advisory DSA 1126-1 security@debian.org
http://www.debian.org/security/ Martin Schulze
July 27th, 2006 http://www.debian.org/security/faq
- - --------------------------------------------------------------------------
Package : asterisk
Vulnerability : buffer overflow
Problem type : remote
Debian-specific: no
CVE ID : CVE-2006-2898
BugTraq ID : 18295
A problem has been discovered in the IAX2 channel driver of Asterisk,
an Open Source Private Branch Exchange and telephony toolkit, which
may allow a remote to cause au crash of the Asterisk server.
The old stable distribution (woody) is not affected by this problem.
For the stable distribution (sarge) this problem has been fixed in
version 1.0.7.dfsg.1-2sarge3.
For the unstable distribution (sid) this problem will be fixed soon.
We recommend that you upgrade your asterisk packages.
Upgrade Instructions
- - --------------------
wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.
If you are using the apt-get package manager, use the line for
sources.list as given at the end of this advisory:
apt-get update
will update the internal database
apt-get upgrade
will install corrected packages
You may use an automated update by adding the resources from the
footer to the proper configuration.
Debian GNU/Linux 3.1 alias sarge
- - --------------------------------
Source archives:
http://security.debian.org/pool/updates/main/a/asterisk/asterisk_1.0.7.dfsg.1-2sarge3.dsc
Size/MD5 checksum: 1259 cee8373afe6f44b36ea61e04d63b67ca
http://security.debian.org/pool/updates/main/a/asterisk/asterisk_1.0.7.dfsg.1-2sarge3.diff.gz
Size/MD5 checksum: 70172 5510f5699aee64b06f8d8db4e62ca275
http://security.debian.org/pool/updates/main/a/asterisk/asterisk_1.0.7.dfsg.1.orig.tar.gz
Size/MD5 checksum: 2929488 0d0f718ccd7a06ab998c3f637df294c0
Architecture independent components:
http://security.debian.org/pool/updates/main/a/asterisk/asterisk-config_1.0.7.dfsg.1-2sarge3_all.deb
Size/MD5 checksum: 61532 58e631534a5c34740dce182177a3e16b
http://security.debian.org/pool/updates/main/a/asterisk/asterisk-dev_1.0.7.dfsg.1-2sarge3_all.deb
Size/MD5 checksum: 83300 92e5c344ae1022fbb8264dfeda02d2c2
http://security.debian.org/pool/updates/main/a/asterisk/asterisk-doc_1.0.7.dfsg.1-2sarge3_all.deb
Size/MD5 checksum: 1577638 796103a2c2152b1da96ee557845c4ea0
http://security.debian.org/pool/updates/main/a/asterisk/asterisk-sounds-main_1.0.7.dfsg.1-2sarge3_all.deb
Size/MD5 checksum: 1180198 3ffd1657b6ae3824d849107288bfd393
http://security.debian.org/pool/updates/main/a/asterisk/asterisk-web-vmail_1.0.7.dfsg.1-2sarge3_all.deb
Size/MD5 checksum: 28290 bd1dca8dcf7dbe19614415d83454534b
Alpha architecture:
http://security.debian.org/pool/updates/main/a/asterisk/asterisk_1.0.7.dfsg.1-2sarge3_alpha.deb
Size/MD5 checksum: 1477586 e6f5a94ca3b89eb61f2b7cba32532b0f
http://security.debian.org/pool/updates/main/a/asterisk/asterisk-gtk-console_1.0.7.dfsg.1-2sarge3_alpha.deb
Size/MD5 checksum: 31326 76c73e029c258daab79db1c3e2fe87f9
http://security.debian.org/pool/updates/main/a/asterisk/asterisk-h323_1.0.7.dfsg.1-2sarge3_alpha.deb
Size/MD5 checksum: 21354 4f86990f289a85e40b07b83a1bfbbaeb
AMD64 architecture:
http://security.debian.org/pool/updates/main/a/asterisk/asterisk_1.0.7.dfsg.1-2sarge3_amd64.deb
Size/MD5 checksum: 1333258 39d6b98db096bcf6fa4db45bc578450a
http://security.debian.org/pool/updates/main/a/asterisk/asterisk-gtk-console_1.0.7.dfsg.1-2sarge3_amd64.deb
Size/MD5 checksum: 30738 1b542c9cf1701f3c74250135989a53fc
http://security.debian.org/pool/updates/main/a/asterisk/asterisk-h323_1.0.7.dfsg.1-2sarge3_amd64.deb
Size/MD5 checksum: 21348 162f687406dd17fba17f059310e9669b
ARM architecture:
http://security.debian.org/pool/updates/main/a/asterisk/asterisk_1.0.7.dfsg.1-2sarge3_arm.deb
Size/MD5 checksum: 1262736 d88b5f4a1d7a1429f8ffd48da9f46816
http://security.debian.org/pool/updates/main/a/asterisk/asterisk-gtk-console_1.0.7.dfsg.1-2sarge3_arm.deb
Size/MD5 checksum: 29466 d24a9a1f6f57b1b1b4f5eb3ecb44a70f
http://security.debian.org/pool/updates/main/a/asterisk/asterisk-h323_1.0.7.dfsg.1-2sarge3_arm.deb
Size/MD5 checksum: 21356 440be66143a663f0698e0236fd92e164
Intel IA-32 architecture:
http://security.debian.org/pool/updates/main/a/asterisk/asterisk_1.0.7.dfsg.1-2sarge3_i386.deb
Size/MD5 checksum: 1171422 49ba67f54d8a1bdd331e5f383a0c260f
http://security.debian.org/pool/updates/main/a/asterisk/asterisk-gtk-console_1.0.7.dfsg.1-2sarge3_i386.deb
Size/MD5 checksum: 29758 6125fda845413e5785dbd5d7c679a392
http://security.debian.org/pool/updates/main/a/asterisk/asterisk-h323_1.0.7.dfsg.1-2sarge3_i386.deb
Size/MD5 checksum: 21354 f258d72d58eb640660e0efac297edc5f
Intel IA-64 architecture:
http://security.debian.org/pool/updates/main/a/asterisk/asterisk_1.0.7.dfsg.1-2sarge3_ia64.deb
Size/MD5 checksum: 1771180 cc15c68a1a3551f3c6a3db01572fb872
http://security.debian.org/pool/updates/main/a/asterisk/asterisk-gtk-console_1.0.7.dfsg.1-2sarge3_ia64.deb
Size/MD5 checksum: 32880 683dca0a82cadc16ad38c0c65fce4763
http://security.debian.org/pool/updates/main/a/asterisk/asterisk-h323_1.0.7.dfsg.1-2sarge3_ia64.deb
Size/MD5 checksum: 21354 9d3caf73141a753723050a52c7109047
HP Precision architecture:
http://security.debian.org/pool/updates/main/a/asterisk/asterisk_1.0.7.dfsg.1-2sarge3_hppa.deb
Size/MD5 checksum: 1448108 4e2074b1ca5ba9dffdda252e0a829ee4
http://security.debian.org/pool/updates/main/a/asterisk/asterisk-gtk-console_1.0.7.dfsg.1-2sarge3_hppa.deb
Size/MD5 checksum: 31384 3f5a1bd65ee55389445b0487eac8c368
http://security.debian.org/pool/updates/main/a/asterisk/asterisk-h323_1.0.7.dfsg.1-2sarge3_hppa.deb
Size/MD5 checksum: 21352 ce35dfb46609b19f617472396e552e72
Motorola 680x0 architecture:
http://security.debian.org/pool/updates/main/a/asterisk/asterisk_1.0.7.dfsg.1-2sarge3_m68k.deb
Size/MD5 checksum: 1184680 3f73cbf0c391fc41c04d67cfe29e0001
http://security.debian.org/pool/updates/main/a/asterisk/asterisk-gtk-console_1.0.7.dfsg.1-2sarge3_m68k.deb
Size/MD5 checksum: 30130 4e7f290a74e7b682073718e8edc1cc8a
http://security.debian.org/pool/updates/main/a/asterisk/asterisk-h323_1.0.7.dfsg.1-2sarge3_m68k.deb
Size/MD5 checksum: 21356 62ce31ac95d033e589f42a015fddf66b
Big endian MIPS architecture:
http://security.debian.org/pool/updates/main/a/asterisk/asterisk_1.0.7.dfsg.1-2sarge3_mips.deb
Size/MD5 checksum: 1263882 52bca4c81f91b8eecb6e557a769e8d64
http://security.debian.org/pool/updates/main/a/asterisk/asterisk-gtk-console_1.0.7.dfsg.1-2sarge3_mips.deb
Size/MD5 checksum: 29342 b9d7659f65d8a4d6f9fad86073a72b9f
http://security.debian.org/pool/updates/main/a/asterisk/asterisk-h323_1.0.7.dfsg.1-2sarge3_mips.deb
Size/MD5 checksum: 21354 0a69634f046b529d1b72d49746a138b2
Little endian MIPS architecture:
http://security.debian.org/pool/updates/main/a/asterisk/asterisk_1.0.7.dfsg.1-2sarge3_mipsel.deb
Size/MD5 checksum: 1270240 2aa0c58b551845a4a2a5b07b4660432c
http://security.debian.org/pool/updates/main/a/asterisk/asterisk-gtk-console_1.0.7.dfsg.1-2sarge3_mipsel.deb
Size/MD5 checksum: 29276 b3e996a206805436b280aa1c7468a311
http://security.debian.org/pool/updates/main/a/asterisk/asterisk-h323_1.0.7.dfsg.1-2sarge3_mipsel.deb
Size/MD5 checksum: 21356 845710e845334fe95bd53b34259fecf3
PowerPC architecture:
http://security.debian.org/pool/updates/main/a/asterisk/asterisk_1.0.7.dfsg.1-2sarge3_powerpc.deb
Size/MD5 checksum: 1425078 29e124b6584659daf5ae62400961b065
http://security.debian.org/pool/updates/main/a/asterisk/asterisk-gtk-console_1.0.7.dfsg.1-2sarge3_powerpc.deb
Size/MD5 checksum: 31080 409b172a4b64d79765a9b481c25c43c7
http://security.debian.org/pool/updates/main/a/asterisk/asterisk-h323_1.0.7.dfsg.1-2sarge3_powerpc.deb
Size/MD5 checksum: 21356 09f7bab0bc72f03ff52a7ad77614ffd8
IBM S/390 architecture:
http://security.debian.org/pool/updates/main/a/asterisk/asterisk_1.0.7.dfsg.1-2sarge3_s390.deb
Size/MD5 checksum: 1312432 de1a22506fd0d5e30be34db44095fc77
http://security.debian.org/pool/updates/main/a/asterisk/asterisk-gtk-console_1.0.7.dfsg.1-2sarge3_s390.deb
Size/MD5 checksum: 30762 ade33ddd646fca9653a31598df8aa9ce
http://security.debian.org/pool/updates/main/a/asterisk/asterisk-h323_1.0.7.dfsg.1-2sarge3_s390.deb
Size/MD5 checksum: 21354 63662843c514334226737f60d1b5cab6
Sun Sparc architecture:
http://security.debian.org/pool/updates/main/a/asterisk/asterisk_1.0.7.dfsg.1-2sarge3_sparc.deb
Size/MD5 checksum: 1274188 3aa3d901a56583bd0ef815761e9bf34d
http://security.debian.org/pool/updates/main/a/asterisk/asterisk-gtk-console_1.0.7.dfsg.1-2sarge3_sparc.deb
Size/MD5 checksum: 29728 71656321b8a63a875d56edb760cbf385
http://security.debian.org/pool/updates/main/a/asterisk/asterisk-h323_1.0.7.dfsg.1-2sarge3_sparc.deb
Size/MD5 checksum: 21350 f96215e4d19ef628a057a8e6dbe9716f
These files will probably be moved into the stable distribution on
its next update.
- - ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)
iD8DBQFEyF30W5ql+IAeqTIRAt5iAJ9her05bPSniUNcdqt59KAEPyWm8QCfRrLj
otLHweSY1Rj4tweUJV4e1Rs=
=pbKB
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:
http://www.auscert.org.au/render.html?it=3192
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQCVAwUBRMlvSCh9+71yA2DNAQL9NQP+NMNMJkBfF4tcnHk7ZMlokvBEejAJUau6
qYnfdQiw9LaAEfH7mszw4+1O92p3BxQIDr8GnLtQDJPmOTedtLkl309libXSASOa
QY3ed+wt3sOHY3Cji2rrIMmh6kNTsC78VpyAL3gA6wWVC1lgZ/z1LK0RRYWFtNO2
gHplkdCygLk=
=iH/V
-----END PGP SIGNATURE-----