Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2008.0447 -- [Debian] New asterisk packages fix denial of service 1 May 2008 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: asterisk Publisher: Debian Operating System: Debian GNU/Linux Impact: Denial of Service Access: Remote/Unauthenticated CVE Names: CVE-2008-1897 Ref: ESB-2008.0415 Original Bulletin: http://www.debian.org/security/2008/dsa-1563 - --------------------------BEGIN INCLUDED TEXT-------------------- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - - ------------------------------------------------------------------------ Debian Security Advisory DSA-1563-1 security@debian.org http://www.debian.org/security/ Moritz Muehlenhoff April 30, 2008 http://www.debian.org/security/faq - - ------------------------------------------------------------------------ Package : asterisk Vulnerability : programming error Problem type : remote Debian-specific: no CVE Id(s) : CVE-2008-1897 Joel R. Voss discovered that the IAX2 module of Asterisk, a free software PBX and telephony toolkit performs insufficient validation of IAX2 protocol messages, which may lead to denial of service. For the stable distribution (etch), this problem has been fixed in version 1.2.13~dfsg-2etch4. For the unstable distribution (sid), this problem has been fixed in version 1.4.19.1~dfsg-1. We recommend that you upgrade your asterisk packages. Upgrade instructions - - -------------------- wget url will fetch the file for you dpkg -i file.deb will install the referenced file. If you are using the apt-get package manager, use the line for sources.list as given below: apt-get update will update the internal database apt-get upgrade will install corrected packages You may use an automated update by adding the resources from the footer to the proper configuration. Debian 4.0 (stable) - - ------------------- Stable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc. Source archives: http://security.debian.org/pool/updates/main/a/asterisk/asterisk_1.2.13~dfsg-2etch4.dsc Size/MD5 checksum: 1488 5f5e9573d490427c5a69a10aa97f158b http://security.debian.org/pool/updates/main/a/asterisk/asterisk_1.2.13~dfsg.orig.tar.gz Size/MD5 checksum: 3835589 f8ee088b2e4feffe2b35d78079f90b69 http://security.debian.org/pool/updates/main/a/asterisk/asterisk_1.2.13~dfsg-2etch4.diff.gz Size/MD5 checksum: 183285 26bd25ccb154a4ad32980d943b986b77 Architecture independent packages: http://security.debian.org/pool/updates/main/a/asterisk/asterisk-doc_1.2.13~dfsg-2etch4_all.deb Size/MD5 checksum: 1500302 8bdb0c668d19cfa10a1a21e18b404abf http://security.debian.org/pool/updates/main/a/asterisk/asterisk-web-vmail_1.2.13~dfsg-2etch4_all.deb Size/MD5 checksum: 73970 b58221f4979cc030855181025a912e88 http://security.debian.org/pool/updates/main/a/asterisk/asterisk-config_1.2.13~dfsg-2etch4_all.deb Size/MD5 checksum: 131882 4e51e2e9df2c8815b7f73de4366d1226 http://security.debian.org/pool/updates/main/a/asterisk/asterisk-sounds-main_1.2.13~dfsg-2etch4_all.deb Size/MD5 checksum: 1504806 aba4a61bee8550ce08491ca99e20daed http://security.debian.org/pool/updates/main/a/asterisk/asterisk_1.2.13~dfsg-2etch4_all.deb Size/MD5 checksum: 146714 8b47af29382b0fd93ba9276c6d130a9b http://security.debian.org/pool/updates/main/a/asterisk/asterisk-dev_1.2.13~dfsg-2etch4_all.deb Size/MD5 checksum: 170154 6db4874707b5e4bcaac7daf6d8f52c2b alpha architecture (DEC Alpha) http://security.debian.org/pool/updates/main/a/asterisk/asterisk-classic_1.2.13~dfsg-2etch4_alpha.deb Size/MD5 checksum: 1902278 7f85e13bc5fcbe4e97b1c38cda233dac http://security.debian.org/pool/updates/main/a/asterisk/asterisk-h323_1.2.13~dfsg-2etch4_alpha.deb Size/MD5 checksum: 137358 2b182763234ee7c8ad32eb88ab1d7439 http://security.debian.org/pool/updates/main/a/asterisk/asterisk-bristuff_1.2.13~dfsg-2etch4_alpha.deb Size/MD5 checksum: 1938542 0e3d8bcf8c3d417d76dcec6d18c54aa8 amd64 architecture (AMD x86_64 (AMD64)) http://security.debian.org/pool/updates/main/a/asterisk/asterisk-h323_1.2.13~dfsg-2etch4_amd64.deb Size/MD5 checksum: 133398 ed20b24f1a2f341bd6d4e028ce59a90c http://security.debian.org/pool/updates/main/a/asterisk/asterisk-bristuff_1.2.13~dfsg-2etch4_amd64.deb Size/MD5 checksum: 1780430 8ce4d0f0065fbda1b8b6faf452aa8cf1 http://security.debian.org/pool/updates/main/a/asterisk/asterisk-classic_1.2.13~dfsg-2etch4_amd64.deb Size/MD5 checksum: 1745772 c7e3f3533bd980e6cf4fae76a7fe53a6 arm architecture (ARM) http://security.debian.org/pool/updates/main/a/asterisk/asterisk-bristuff_1.2.13~dfsg-2etch4_arm.deb Size/MD5 checksum: 1702038 c21d7d8f2a6a22340c6c532c52297238 http://security.debian.org/pool/updates/main/a/asterisk/asterisk-h323_1.2.13~dfsg-2etch4_arm.deb Size/MD5 checksum: 136578 e058fda61addca152ebcef309ed53db0 http://security.debian.org/pool/updates/main/a/asterisk/asterisk-classic_1.2.13~dfsg-2etch4_arm.deb Size/MD5 checksum: 1668554 be43593d0db307fff5d9233d99f8683d hppa architecture (HP PA RISC) http://security.debian.org/pool/updates/main/a/asterisk/asterisk-classic_1.2.13~dfsg-2etch4_hppa.deb Size/MD5 checksum: 1859784 e01288aa37bf6d1021836e4750896192 http://security.debian.org/pool/updates/main/a/asterisk/asterisk-bristuff_1.2.13~dfsg-2etch4_hppa.deb Size/MD5 checksum: 1899426 4dca3a75e206580153fac43f4a16d9ac http://security.debian.org/pool/updates/main/a/asterisk/asterisk-h323_1.2.13~dfsg-2etch4_hppa.deb Size/MD5 checksum: 145500 c349640da06db141cc1bdeae512426a2 i386 architecture (Intel ia32) http://security.debian.org/pool/updates/main/a/asterisk/asterisk-bristuff_1.2.13~dfsg-2etch4_i386.deb Size/MD5 checksum: 1650280 3de468a3ac7da9765b67a3637eaf0c8b http://security.debian.org/pool/updates/main/a/asterisk/asterisk-classic_1.2.13~dfsg-2etch4_i386.deb Size/MD5 checksum: 1616900 cde58be5158607a6d55ffedf8f5f6b99 http://security.debian.org/pool/updates/main/a/asterisk/asterisk-h323_1.2.13~dfsg-2etch4_i386.deb Size/MD5 checksum: 131104 fe4e96f50604b2ce1b5c1ed2e80ee0e2 ia64 architecture (Intel ia64) http://security.debian.org/pool/updates/main/a/asterisk/asterisk-classic_1.2.13~dfsg-2etch4_ia64.deb Size/MD5 checksum: 2349674 6fd62f264d405873e44ba0a08a58b719 http://security.debian.org/pool/updates/main/a/asterisk/asterisk-h323_1.2.13~dfsg-2etch4_ia64.deb Size/MD5 checksum: 149858 b9ab483687ffa690c90720ef1dce7a33 http://security.debian.org/pool/updates/main/a/asterisk/asterisk-bristuff_1.2.13~dfsg-2etch4_ia64.deb Size/MD5 checksum: 2395734 cfbb272cc6da385b4b144bd1a2877ec8 mips architecture (MIPS (Big Endian)) http://security.debian.org/pool/updates/main/a/asterisk/asterisk-h323_1.2.13~dfsg-2etch4_mips.deb Size/MD5 checksum: 130344 589d8d4e2341901d52cea2c7f7688368 http://security.debian.org/pool/updates/main/a/asterisk/asterisk-classic_1.2.13~dfsg-2etch4_mips.deb Size/MD5 checksum: 1688936 26b6d9c89013f575a8e12559fd525a99 http://security.debian.org/pool/updates/main/a/asterisk/asterisk-bristuff_1.2.13~dfsg-2etch4_mips.deb Size/MD5 checksum: 1720586 3a4ece7c7ca3dce1a7449bae6da3b468 mipsel architecture (MIPS (Little Endian)) http://security.debian.org/pool/updates/main/a/asterisk/asterisk-h323_1.2.13~dfsg-2etch4_mipsel.deb Size/MD5 checksum: 129852 65fa3add41986df9af5ae6da47ce754b http://security.debian.org/pool/updates/main/a/asterisk/asterisk-classic_1.2.13~dfsg-2etch4_mipsel.deb Size/MD5 checksum: 1664436 06838223a31772f671cc5bd5063c0125 http://security.debian.org/pool/updates/main/a/asterisk/asterisk-bristuff_1.2.13~dfsg-2etch4_mipsel.deb Size/MD5 checksum: 1696490 ce4a77d18c64e90d0803730661b08f8c powerpc architecture (PowerPC) http://security.debian.org/pool/updates/main/a/asterisk/asterisk-classic_1.2.13~dfsg-2etch4_powerpc.deb Size/MD5 checksum: 1825754 da384bd468577fa5058ff4547e97fb1f http://security.debian.org/pool/updates/main/a/asterisk/asterisk-h323_1.2.13~dfsg-2etch4_powerpc.deb Size/MD5 checksum: 133228 d05176705d1236ca9e039a05fd537f15 http://security.debian.org/pool/updates/main/a/asterisk/asterisk-bristuff_1.2.13~dfsg-2etch4_powerpc.deb Size/MD5 checksum: 1864110 d20124ef308de4354b5ab0d53f5d22a7 s390 architecture (IBM S/390) http://security.debian.org/pool/updates/main/a/asterisk/asterisk-classic_1.2.13~dfsg-2etch4_s390.deb Size/MD5 checksum: 1744918 0ff79d065ecc670dd6a8b36f76654494 http://security.debian.org/pool/updates/main/a/asterisk/asterisk-h323_1.2.13~dfsg-2etch4_s390.deb Size/MD5 checksum: 136738 ebc38fa1031636449198da18f2542df7 http://security.debian.org/pool/updates/main/a/asterisk/asterisk-bristuff_1.2.13~dfsg-2etch4_s390.deb Size/MD5 checksum: 1780914 bc075c8673bc6a48d09d3872e9f1a4fd sparc architecture (Sun SPARC/UltraSPARC) http://security.debian.org/pool/updates/main/a/asterisk/asterisk-classic_1.2.13~dfsg-2etch4_sparc.deb Size/MD5 checksum: 1632652 7341c9d19478d655acaa94c3a36c3cd0 http://security.debian.org/pool/updates/main/a/asterisk/asterisk-bristuff_1.2.13~dfsg-2etch4_sparc.deb Size/MD5 checksum: 1664570 6824b18d4424ec863a96763bf90184b9 http://security.debian.org/pool/updates/main/a/asterisk/asterisk-h323_1.2.13~dfsg-2etch4_sparc.deb Size/MD5 checksum: 132348 1759eab6abaa0ab551bf722656d9debf These files will probably be moved into the stable distribution on its next update. - - --------------------------------------------------------------------------------- For apt-get: deb http://security.debian.org/ stable/updates main For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main Mailing list: debian-security-announce@lists.debian.org Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg> - -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (GNU/Linux) iD8DBQFIGK8SXm3vHE4uyloRAik3AKCC8MPmuqBfJLpRZbIvp6/i8DC2HgCfWm2W AE6e8I/eeqoGXgIo/hhu8TQ= =nW+x - -----END PGP SIGNATURE----- - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: http://www.auscert.org.au/render.html?cid=1980 If you believe that your computer system has been compromised or attacked in any way, we encourage you to let us know by completing the secure National IT Incident Reporting Form at: http://www.auscert.org.au/render.html?it=3192 =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQCVAwUBSBj9vih9+71yA2DNAQLONAP+JEgb2INKAqid7hLSVTlJMXZsYsYeQI29 ec1X88A4SLOV/dwhyB1QT0vCMta//+qdpuSnVRj/ydlA0DkBxx9jDQuChC0WSyab g8mjK/papveMLJO53/zdaljWKBTlXwuSfvIfcj9UHnJV6ApGmrgJ6yHAAiJq+QiD hz1iIBgMwu4= =jFTH -----END PGP SIGNATURE-----