Asterisk Security Team
2012-Jan-19 17:40 UTC
[asterisk-users] AST-2012-001: SRTP Video Remote Crash Vulnerability
Asterisk Project Security Advisory - AST-2012-001

+------------------------------------------------------------------------+
| Product              | Asterisk                                        |
|----------------------+-------------------------------------------------|
| Summary              | SRTP Video Remote Crash Vulnerability           |
|----------------------+-------------------------------------------------|
| Nature of Advisory   | Denial of Service                               |
|----------------------+-------------------------------------------------|
| Susceptibility       | Remote unauthenticated sessions                 |
|----------------------+-------------------------------------------------|
| Severity             | Moderate                                        |
|----------------------+-------------------------------------------------|
| Exploits Known       | No                                              |
|----------------------+-------------------------------------------------|
| Reported On          | 2012-01-15                                      |
|----------------------+-------------------------------------------------|
| Reported By          | Catalin Sanda                                   |
|----------------------+-------------------------------------------------|
| Posted On            | 2012-01-19                                      |
|----------------------+-------------------------------------------------|
| Last Updated On      | January 19, 2012                                |
|----------------------+-------------------------------------------------|
| Advisory Contact     | Joshua Colp < jcolp AT digium DOT com >         |
|----------------------+-------------------------------------------------|
| CVE Name             |                                                 |
+------------------------------------------------------------------------+

+------------------------------------------------------------------------+
| Description | An attacker attempting to negotiate a secure video       |
|             | stream can crash Asterisk if video support has not been  |
|             | enabled and the res_srtp Asterisk module is loaded.      |
+------------------------------------------------------------------------+

+------------------------------------------------------------------------+
| Resolution | Upgrade to one of the versions of Asterisk listed in the  |
|            | "Corrected In" section, or apply a patch specified in the |
|            | "Patches" section.                                        |
+------------------------------------------------------------------------+

+------------------------------------------------------------------------+
| Affected Versions                                                      |
|------------------------------------------------------------------------|
| Product                       | Release Series |                       |
|-------------------------------+----------------+-----------------------|
| Asterisk Open Source          | 1.8.x          | All versions          |
|-------------------------------+----------------+-----------------------|
| Asterisk Open Source          | 10.x           | All versions          |
+------------------------------------------------------------------------+

+------------------------------------------------------------------------+
| Corrected In                                                           |
|------------------------------------------------------------------------|
| Product                                  | Release                     |
|------------------------------------------+-----------------------------|
| Asterisk Open Source                     | 1.8.8.2                     |
|------------------------------------------+-----------------------------|
| Asterisk Open Source                     | 10.0.1                      |
+------------------------------------------------------------------------+

+------------------------------------------------------------------------+
| Patches                                                                |
|------------------------------------------------------------------------|
| SVN URL                                                         |Branch|
|-----------------------------------------------------------------+------|
|http://downloads.asterisk.org/pub/security/AST-2012-001-1.8.diff |v1.8  |
|-----------------------------------------------------------------+------|
|http://downloads.asterisk.org/pub/security/AST-2012-001-10.diff  |v10   |
+------------------------------------------------------------------------+

+------------------------------------------------------------------------+
| Links         | https://issues.asterisk.org/jira/browse/ASTERISK-19202 |
+------------------------------------------------------------------------+

+------------------------------------------------------------------------+
| Asterisk Project Security Advisories are posted at                     |
| http://www.asterisk.org/security                                       |
|                                                                        |
| This document may be superseded by later versions; if so, the latest   |
| version will be posted at                                              |
| http://downloads.digium.com/pub/security/AST-2012-001.pdf and          |
| http://downloads.digium.com/pub/security/AST-2012-001.html             |
+------------------------------------------------------------------------+

+------------------------------------------------------------------------+
| Revision History                                                       |
|------------------------------------------------------------------------|
| Date            | Editor             | Revisions Made                  |
|-----------------+--------------------+---------------------------------|
| 12-01-19        | Joshua Colp        | Initial release                 |
+------------------------------------------------------------------------+

Asterisk Project Security Advisory - AST-2012-001
Copyright (c) 2012 Digium, Inc. All Rights Reserved.
Permission is hereby granted to distribute and publish this advisory in its
original, unaltered form.
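
One way to triage a host against this advisory, as an added example that is not part of the advisory or of Asterisk itself: it compares a version banner with the "Corrected In" releases and checks the two preconditions named in the Description. The function names, the constructed module listing, and the choice to treat an rc/beta build of a fixed release as unfixed are assumptions.

```python
import re

# From the advisory: series 1.8.x and 10.x are affected in all versions;
# fixes shipped in 1.8.8.2 and 10.0.1.
FIXED = {"1.8": (1, 8, 8, 2), "10": (10, 0, 1)}

def parse_version(banner):
    """Return (numeric tuple, is_prerelease) from e.g. 'Asterisk 1.8.8.1'."""
    m = re.search(r"(\d+(?:\.\d+)+)(-(?:rc|beta)\d*)?", banner)
    if not m:
        raise ValueError("no version found in %r" % banner)
    return tuple(int(p) for p in m.group(1).split(".")), m.group(2) is not None

def series_of(nums):
    if nums[:2] == (1, 8):
        return "1.8"
    if nums[0] == 10:
        return "10"
    return None  # series not listed in the advisory

def has_fix(banner):
    """True/False for a listed series, None if the advisory does not cover it."""
    nums, prerelease = parse_version(banner)
    series = series_of(nums)
    if series is None:
        return None
    fixed = FIXED[series]
    width = max(len(nums), len(fixed))
    pad = lambda t: t + (0,) * (width - len(t))
    if pad(nums) == pad(fixed):
        return not prerelease  # assumption: an rc/beta of the fixed release predates it
    return pad(nums) > pad(fixed)

def srtp_loaded(module_listing):
    """Look for res_srtp in text such as a pasted Asterisk module listing."""
    return any(l.split()[:1] == ["res_srtp.so"] for l in module_listing.splitlines())

def assess(banner, module_listing, video_enabled):
    fixed = has_fix(banner)
    if fixed is None:
        return "series not listed in advisory"
    if fixed:
        return "fixed release"
    if srtp_loaded(module_listing) and not video_enabled:
        return "exposed: upgrade or patch"
    return "unfixed release, crash preconditions not met"

# Constructed sample module listing (not captured from a real system).
SAMPLE_MODULES = """Module                         Description                Use Count
res_srtp.so                    Secure RTP (SRTP)          0
1 modules loaded"""
```

A build patched with one of the .diff files from the Patches table may still report its pre-fix version, so record patched hosts separately instead of relying on the banner.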
Vladimir Mikhelson
2012-Jan-20 02:22 UTC
[asterisk-users] AST-2012-001: SRTP Video Remote Crash Vulnerability
It's funny. The link

Links | https://issues.asterisk.org/jira/browse/ASTERISK-19202

Produces:

Permission Violation

It seems that you have tried to perform an operation which you are not permitted to perform.

If you think this message is wrong, please consult your administrators about getting the necessary permissions.