Just saw this come across the debian bug list. Can anyone comment?
How does this affect those of us not running Debian installs? I see
it seems it even affects 1.2.7 versions (According to Debian)
Several problems have been discovered in Asterisk, an Open Source
Private Branch Exchange (telephone control center). The Common
Vulnerabilities and Exposures project identifies the following
problems:
CVE-2005-3559
Adam Pointon discovered that due to missing input sanitising it is
possible to retrieve recorded phone messages for a different
extension.
CVE-2006-1827
Emmanouel Kellinis discovered an integer signedness error that
could trigger a buffer overflow and hence allow the execution of
arbitrary code.
For the old stable distribution (woody) this problem has been fixed in
version 0.1.11-3woody1.
For the stable distribution (sarge) this problem has been fixed in
version 1.0.7.dfsg.1-2sarge2.
For the unstable distribution (sid) this problem has been fixed in
version 1.2.7.1.dfsg-1.
We recommend that you upgrade your asterisk package.