John Goerzen
2012-Apr-02 18:38 UTC
[Secure-testing-team] Bug#666944: asterisk: Buffer overflow vulnerability
Package: asterisk Version: 1:1.6.2.9-2+squeeze4 Severity: grave Tags: security squeeze Justification: user security hole Per: http://downloads.asterisk.org/pub/security/AST-2012-002.txt the asterisk in squeeze is vulnerable to a buffer overflow. The package in testing may also be vulnerable to: http://downloads.asterisk.org/pub/security/AST-2012-003.txt -- System Information: Debian Release: 6.0.4 APT prefers stable APT policy: (990, ''stable'') Architecture: i386 (i686) Kernel: Linux 2.6.32-5-686 (SMP w/4 CPU cores) Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968) Shell: /bin/sh linked to /bin/bash Versions of packages asterisk depends on: ii adduser 3.112+nmu2 add and remove users and groups ii asterisk-config 1:1.6.2.9-2+squeeze4 Configuration files for Asterisk ii asterisk-sounds-ma 1:1.6.2.9-2+squeeze4 Core Sound files for Asterisk (Eng ii dahdi 1:2.2.1.1-1 utilities for using the DAHDI kern ii libasound2 1.0.23-2.1 shared library for ALSA applicatio ii libc-client2007e 8:2007e~dfsg-3.1 c-client library for mail protocol ii libc6 2.11.3-2 Embedded GNU C Library: Shared lib ii libcap2 1:2.19-3 support for getting/setting POSIX. ii libcurl3 7.21.0-2.1+squeeze2 Multi-protocol file transfer libra ii libgcc1 1:4.4.5-8 GCC support library ii libglib2.0-0 2.24.2-1 The GLib library of C routines ii libgmime-2.0-2a 2.2.25-2 MIME library ii libgsm1 1.0.13-3 Shared libraries for GSM speech co ii libiksemel3 1.2-4 C library for the Jabber IM platfo ii libjack0 [libjack- 1:0.118+svn3796-7 JACK Audio Connection Kit (librari ii libldap-2.4-2 2.4.23-7.2 OpenLDAP libraries ii liblua5.1-0 5.1.4-5 Simple, extensible, embeddable pro ii libncurses5 5.7+20100313-5 shared libraries for terminal hand ii libnewt0.52 0.52.11-1 Not Erik''s Windowing Toolkit - tex ii libogg0 1.2.0~dfsg-1 Ogg bitstream library ii libopenais3 1.1.2-2 Standards-based cluster framework ii libopenr2-3 1.3.0-2 MFC/R2 (telephony) call setup libr ii libpopt0 1.16-1 lib for parsing cmdline parameters ii libpq5 8.4.11-0squeeze1 PostgreSQL C client library ii libpri1.4 1.4.11.3-1 Primary Rate ISDN specification li ii libradiusclient-ng 0.5.6-1.1 Enhanced RADIUS client library ii libresample1 0.1.3-3 real-time audio resampling library ii libsdl1.2debian 1.2.14-6.1 Simple DirectMedia Layer ii libsnmp15 5.4.3~dfsg-2 SNMP (Simple Network Management Pr ii libspandsp2 0.0.6~pre12-1 Telephony signal processing librar ii libspeex1 1.2~rc1-1 The Speex codec runtime library ii libspeexdsp1 1.2~rc1-1 The Speex extended runtime library ii libsqlite0 2.8.17-6 SQLite shared library ii libss7-1 1.0.2-1 Signalling System 7 (ss7) library ii libssl0.9.8 0.9.8o-4squeeze7 SSL shared libraries ii libstdc++6 4.4.5-8 The GNU Standard C++ Library v3 ii libsybdb5 0.82-7 libraries for connecting to MS SQL ii libtiff4 3.9.4-5+squeeze3 Tag Image File Format (TIFF) libra ii libtonezone2.0 1:2.2.1.1-1 tonezone library (runtime) ii libvorbis0a 1.3.1-1+squeeze1 The Vorbis General Audio Compressi ii libvorbisenc2 1.3.1-1+squeeze1 The Vorbis General Audio Compressi ii libvpb0 4.2.52-2 Voicetronix telephony hardware use ii libx11-6 2:1.3.3-4 X11 client-side library ii libxml2 2.7.8.dfsg-2+squeeze3 GNOME XML library ii unixodbc 2.2.14p2-1 ODBC tools libraries ii zlib1g 1:1.2.3.4.dfsg-3 compression library - runtime Versions of packages asterisk recommends: ii sox 14.3.1-1 Swiss army knife of sound processi Versions of packages asterisk suggests: pn asterisk-dev <none> (no description available) ii asterisk-doc 1:1.6.2.9-2+squeeze4 Source code documentation for Aste pn asterisk-h323 <none> (no description available) -- Configuration Files: /etc/default/asterisk changed [not included] -- no debconf information