[asterisk] [CVE-2007-6170] missing input sanitising
Bug #173610 reported by
disabled.user
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| asterisk (Ubuntu) | Fix Released | High | Unassigned | |
| Dapper | Won't Fix | High | Unassigned | |
| Edgy | Won't Fix | High | Unassigned | |
| Feisty | Won't Fix | High | Unassigned | |
| Gutsy | Won't Fix | High | Unassigned | |
| Hardy | Fix Released | High | Unassigned | |
Bug Description
Binary package hint: asterisk
References:
http://
Quoting DSA-1417-1:
"Tilghman Lesher discovered that the logging engine of Asterisk, a free software PBX and telephony toolkit, performs insufficient sanitising of call-related data, which may lead to SQL injection."
Quoting CVE-2007-6170:
"SQL injection vulnerability in the Call Detail Record Postgres logging engine (cdr_pgsql) in Asterisk 1.4.x before 1.4.15, 1.2.x before 1.2.25, B.x before B.2.3.4, and C.x before C.1.0-beta6 allows remote authenticated users to execute arbitrary SQL commands via (1) ANI and (2) DNIS arguments."
Changed in asterisk:
- assignee: nobody → emgent
- importance: Undecided → High
- status: New → In Progress
- assignee: emgent → nobody

Changed in asterisk:
- status: Confirmed → Won't Fix

Changed in asterisk (Ubuntu Dapper):
- status: Confirmed → Won't Fix
Thanks for the report! I'm flipping to "Confirmed" until there is a debdiff available.