CVE-2011-0495: AST-2011-001: Asterisk: Stack based buffer overflow by forming an outgoing SIP request with specially-crafted caller ID information
Bug #705014 reported by Darik Horn
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
asterisk (Debian) | Fix Released | Unknown | |
asterisk (Ubuntu) | Fix Released | Medium | Unassigned |
Hardy | Won't Fix | Medium | Unassigned |
Karmic | Won't Fix | Medium | Unassigned |
Lucid | Fix Released | Medium | Unassigned |
Maverick | Fix Released | Medium | Unassigned |
Natty | Fix Released | Medium | Unassigned |
Bug Description
Binary package hint: asterisk
All of the Asterisk packages in Ubuntu need to be patched for AST-2011-001, which is tentatively CVE-2011-0495.
See: http://
Although Asterisk is currently in the universe repository, it would nevertheless be appreciated to get the security fix. Debian already has the fix pending in their pkg-voip tree.
Related branches
lp:~davewalker/ubuntu/natty/asterisk/lp_705014
Ready for review for merging into lp:ubuntu/natty/asterisk
- Jamie Strandboge: Approve
Diff: 1987 lines (+1909/-15), 8 files modified
.pc/.quilt_patches (+1/-0)
.pc/.quilt_series (+1/-0)
.pc/AST-2011-001-1.6.2/main/utils.c (+1828/-0)
.pc/applied-patches (+1/-0)
debian/changelog (+10/-0)
debian/patches/AST-2011-001-1.6.2 (+52/-0)
debian/patches/series (+2/-0)
main/utils.c (+14/-15)
lp:~davewalker/ubuntu/lucid/asterisk/lp_705014
Ready for review for merging into lp:ubuntu/lucid-proposed/asterisk
- Jamie Strandboge: Approve
Diff: 1986 lines (+1908/-15), 8 files modified
.pc/.quilt_patches (+1/-0)
.pc/.quilt_series (+1/-0)
.pc/AST-2011-001-1.6.2/main/utils.c (+1828/-0)
.pc/applied-patches (+1/-0)
debian/changelog (+10/-0)
debian/patches/AST-2011-001-1.6.2 (+52/-0)
debian/patches/series (+1/-0)
main/utils.c (+14/-15)
Superseded for merging into lp:ubuntu/lucid/asterisk
- Jamie Strandboge: Disapprove
Diff: 4314 lines (+4076/-31), 18 files modified
.pc/.quilt_patches (+1/-0)
.pc/.quilt_series (+1/-0)
.pc/AST-2011-001-1.6.2/main/utils.c (+1828/-0)
.pc/applied-patches (+3/-0)
.pc/dnsmgr-A-SRV-handling/include/asterisk/dnsmgr.h (+105/-0)
.pc/dnsmgr-A-SRV-handling/main/acl.c (+541/-0)
.pc/dnsmgr-A-SRV-handling/main/dnsmgr.c (+439/-0)
.pc/unattended_fix/channels/chan_local.c (+885/-0)
channels/chan_local.c (+4/-3)
debian/changelog (+27/-0)
debian/patches/AST-2011-001-1.6.2 (+52/-0)
debian/patches/dnsmgr-A-SRV-handling (+132/-0)
debian/patches/series (+3/-0)
debian/patches/unattended_fix (+18/-0)
include/asterisk/dnsmgr.h (+4/-3)
main/acl.c (+1/-0)
main/dnsmgr.c (+18/-10)
main/utils.c (+14/-15)
lp:~davewalker/ubuntu/maverick/asterisk/lp_705014
Ready for review for merging into lp:ubuntu/maverick/asterisk
- Jamie Strandboge: Approve
Diff: 1986 lines (+1908/-15), 8 files modified
.pc/.quilt_patches (+1/-0)
.pc/.quilt_series (+1/-0)
.pc/AST-2011-001-1.6.2/main/utils.c (+1828/-0)
.pc/applied-patches (+1/-0)
debian/changelog (+10/-0)
debian/patches/AST-2011-001-1.6.2 (+52/-0)
debian/patches/series (+1/-0)
main/utils.c (+14/-15)
CVE References
visibility: private → public
summary:
- CVS-2011-0495: AST-2011-001: Asterisk: Stack based buffer overflow by
+ CVE-2011-0495: AST-2011-001: Asterisk: Stack based buffer overflow by
forming an outgoing SIP request with specially-crafted caller ID information
description: updated
Changed in asterisk (Ubuntu):
status: New → Confirmed
Changed in asterisk (Debian):
status: Unknown → Confirmed
Changed in asterisk (Ubuntu Hardy):
status: Confirmed → Triaged
Changed in asterisk (Ubuntu Karmic):
status: Confirmed → Triaged
Changed in asterisk (Debian):
status: Confirmed → Fix Released
Slightly on topic, do you mind outputting the bzr commands you used to branch from lp:ubuntu/asterisk to lp:~davewalker/ubuntu/natty/asterisk/lp_705014? I started work on patches this morning, but got bogged down in bzr.
Additionally, it doesn't look like we have an up-to-date branch for asterisk packages using bzr-buildpackage, unless I'm missing something.