Debian Bug report logs - #559103
CVE-2009-4055: RTP Remote Crash Vulnerability

Package: asterisk; Maintainer for asterisk is Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>; Source for asterisk is src:asterisk.

Reported by: Moritz Muehlenhoff <jmm@debian.org>

Date: Tue, 1 Dec 2009 22:18:02 UTC

Severity: grave

Tags: security

Fixed in versions asterisk/1:1.6.2.0~rc7-1, asterisk/1:1.4.21.2~dfsg-3+lenny1

Done: Faidon Liambotis <paravoid@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>:
Bug#559103; Package asterisk. (Tue, 01 Dec 2009 22:18:05 GMT)

Acknowledgement sent to Moritz Muehlenhoff <jmm@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>. (Tue, 01 Dec 2009 22:18:05 GMT)

Message #5 received at submit@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2009-4055: RTP Remote Crash Vulnerability
Date: Tue, 01 Dec 2009 23:13:30 +0100

Package: asterisk
Severity: grave
Tags: security

http://downloads.asterisk.org/pub/security/AST-2009-010.html

-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)

Kernel: Linux 2.6.31-1-686 (SMP w/1 CPU core)
Locale: LANG=C, LC_CTYPE=de_DE.ISO-8859-15@euro (charmap=ISO-8859-15)
Shell: /bin/sh linked to /bin/bash

Versions of packages asterisk depends on:
ii  adduser                3.111             add and remove users and groups
pn  asterisk-config | aste <none>            (no description available)
pn  asterisk-sounds-main   <none>            (no description available)
ii  libasound2             1.0.21a-1         shared library for ALSA applicatio
pn  libc-client2007b       <none>            (no description available)
ii  libc6                  2.10.1-7          GNU C Library: Shared libraries
pn  libcap1                <none>            (no description available)
ii  libcurl3               7.19.7-1          Multi-protocol file transfer libra
ii  libgcc1                1:4.4.2-3         GCC support library
ii  libgsm1                1.0.13-3          Shared libraries for GSM speech co
pn  libiksemel3            <none>            (no description available)
ii  libncurses5            5.7+20090803-2    shared libraries for terminal hand
ii  libnewt0.52            0.52.10-4.1       Not Erik's Windowing Toolkit - tex
ii  libogg0                1.1.4~dfsg-1      Ogg bitstream library
ii  libpopt0               1.15-1            lib for parsing cmdline parameters
ii  libpq5                 8.4.1-1           PostgreSQL C client library
pn  libpri1.0              <none>            (no description available)
pn  libradiusclient-ng2    <none>            (no description available)
pn  libsnmp15              <none>            (no description available)
ii  libspeex1              1.2~rc1-1         The Speex codec runtime library
pn  libspeexdsp1           <none>            (no description available)
pn  libsqlite0             <none>            (no description available)
ii  libssl0.9.8            0.9.8k-6          SSL shared libraries
ii  libstdc++6             4.4.2-3           The GNU Standard C++ Library v3
pn  libtonezone1           <none>            (no description available)
ii  libvorbis0a            1.2.3-3           The Vorbis General Audio Compressi
ii  libvorbisenc2          1.2.3-3           The Vorbis General Audio Compressi
pn  libvpb0                <none>            (no description available)
pn  unixodbc               <none>            (no description available)
ii  zlib1g                 1:1.2.3.3.dfsg-15 compression library - runtime

asterisk recommends no packages.

Versions of packages asterisk suggests:
pn  asterisk-dev                  <none>     (no description available)
pn  asterisk-doc                  <none>     (no description available)
pn  asterisk-h323                 <none>     (no description available)
pn  ekiga                         <none>     (no description available)
pn  kphone                        <none>     (no description available)
pn  ohphone                       <none>     (no description available)
pn  twinkle                       <none>     (no description available)




Information forwarded to debian-bugs-dist@lists.debian.org, Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>:
Bug#559103; Package asterisk. (Wed, 02 Dec 2009 10:25:01 GMT)

Acknowledgement sent to Tzafrir Cohen <tzafrir.cohen@xorcom.com>:
Extra info received and forwarded to list. Copy sent to Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>. (Wed, 02 Dec 2009 10:25:01 GMT)

Message #10 received at 559103@bugs.debian.org:

From: Tzafrir Cohen <tzafrir.cohen@xorcom.com>
To: Moritz Muehlenhoff <jmm@debian.org>, 559103@bugs.debian.org
Subject: Re: Bug#559103: CVE-2009-4055: RTP Remote Crash Vulnerability
Date: Wed, 2 Dec 2009 11:57:48 +0200

On Tue, Dec 01, 2009 at 11:13:30PM +0100, Moritz Muehlenhoff wrote:
> Package: asterisk
> Severity: grave
> Tags: security
> 
> http://downloads.asterisk.org/pub/security/AST-2009-010.html

For the record, the patch itself is trivial and seems to be very simple
to backport.

https://issues.asterisk.org/view.php?id=16242
See links to specific commits from there.

The issue seems to affect both Etch, Lenny and Squeeze. For Sid/Squeeze,
upstream 1.6.0.2-rc7 should be released shortly (it has already been
tagged).

-- 
               Tzafrir Cohen
icq#16849755              jabber:tzafrir.cohen@xorcom.com
+972-50-7952406           mailto:tzafrir.cohen@xorcom.com
http://www.xorcom.com  iax:guest@local.xorcom.com/tzafrir




Reply sent to Tzafrir Cohen <tzafrir.cohen@xorcom.com>:
You have taken responsibility. (Sun, 06 Dec 2009 18:54:11 GMT)

Notification sent to Moritz Muehlenhoff <jmm@debian.org>:
Bug acknowledged by developer. (Sun, 06 Dec 2009 18:54:11 GMT)

Message #15 received at 559103-close@bugs.debian.org:

From: Tzafrir Cohen <tzafrir.cohen@xorcom.com>
To: 559103-close@bugs.debian.org
Subject: Bug#559103: fixed in asterisk 1:1.6.2.0~rc7-1
Date: Sun, 06 Dec 2009 18:50:09 +0000

Source: asterisk
Source-Version: 1:1.6.2.0~rc7-1

We believe that the bug you reported is fixed in the latest version of
asterisk, which is due to be installed in the Debian FTP archive:

asterisk-config_1.6.2.0~rc7-1_all.deb
  to main/a/asterisk/asterisk-config_1.6.2.0~rc7-1_all.deb
asterisk-dbg_1.6.2.0~rc7-1_i386.deb
  to main/a/asterisk/asterisk-dbg_1.6.2.0~rc7-1_i386.deb
asterisk-dev_1.6.2.0~rc7-1_all.deb
  to main/a/asterisk/asterisk-dev_1.6.2.0~rc7-1_all.deb
asterisk-doc_1.6.2.0~rc7-1_all.deb
  to main/a/asterisk/asterisk-doc_1.6.2.0~rc7-1_all.deb
asterisk-h323_1.6.2.0~rc7-1_i386.deb
  to main/a/asterisk/asterisk-h323_1.6.2.0~rc7-1_i386.deb
asterisk-sounds-main_1.6.2.0~rc7-1_all.deb
  to main/a/asterisk/asterisk-sounds-main_1.6.2.0~rc7-1_all.deb
asterisk_1.6.2.0~rc7-1.debian.tar.gz
  to main/a/asterisk/asterisk_1.6.2.0~rc7-1.debian.tar.gz
asterisk_1.6.2.0~rc7-1.dsc
  to main/a/asterisk/asterisk_1.6.2.0~rc7-1.dsc
asterisk_1.6.2.0~rc7-1_i386.deb
  to main/a/asterisk/asterisk_1.6.2.0~rc7-1_i386.deb
asterisk_1.6.2.0~rc7.orig.tar.gz
  to main/a/asterisk/asterisk_1.6.2.0~rc7.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 559103@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Tzafrir Cohen <tzafrir.cohen@xorcom.com> (supplier of updated asterisk package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Wed, 02 Dec 2009 20:47:02 +0200
Source: asterisk
Binary: asterisk asterisk-h323 asterisk-doc asterisk-dev asterisk-dbg asterisk-sounds-main asterisk-config
Architecture: source all i386
Version: 1:1.6.2.0~rc7-1
Distribution: unstable
Urgency: high
Maintainer: Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>
Changed-By: Tzafrir Cohen <tzafrir.cohen@xorcom.com>
Description: 
 asterisk   - Open Source Private Branch Exchange (PBX)
 asterisk-config - Configuration files for Asterisk
 asterisk-dbg - Debugging symbols for Asterisk
 asterisk-dev - Development files for Asterisk
 asterisk-doc - Source code documentation for Asterisk
 asterisk-h323 - H.323 protocol support for Asterisk
 asterisk-sounds-main - Core Sound files for Asterisk (English)
Closes: 559103
Changes: 
 asterisk (1:1.6.2.0~rc7-1) unstable; urgency=high
 .
   * New upstream release candidate.
     - Fixes RTP comfort noise issues: CVE-2009-4055 (Closes: #559103).

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAksb8IIACgkQVty5d8XpUzNq4gCeJdPqLU4NKgC7s8bMt6CsjBTB
10wAnjpFt9ICL8/WX0GJM+LfC7YcYKsA
=P+q8
-----END PGP SIGNATURE-----





Information forwarded to debian-bugs-dist@lists.debian.org, Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>:
Bug#559103; Package asterisk. (Sun, 06 Dec 2009 19:09:06 GMT)

Acknowledgement sent to Faidon Liambotis <paravoid@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>. (Sun, 06 Dec 2009 19:09:06 GMT)

Message #20 received at 559103@bugs.debian.org:

From: Faidon Liambotis <paravoid@debian.org>
To: Moritz Muehlenhoff <jmm@debian.org>
Cc: 559103@bugs.debian.org, security@debian.org
Subject: Re: Bug#559103: CVE-2009-4055: RTP Remote Crash Vulnerability
Date: Sun, 06 Dec 2009 20:48:33 +0200

Moritz, hi,

Moritz Muehlenhoff wrote:
> Package: asterisk
> Severity: grave
> Tags: security
> 
> http://downloads.asterisk.org/pub/security/AST-2009-010.html

Thanks! Fix just uploaded to sid; urgency high but likely to be blocked
by the uw-imap transition.

Due to the severity of the vulnerability, it is my opinion that this
should be fixed in lenny via the security queue. The advisory should
also announce the EoL of asterisk in etch (also affected), as previously
agreed.

We have several fixes accumulated for an upcoming spu upload, including
but not limited to several CVEs that we have agreed before to not handle
them through the security queue due to their low severity.

For more information, you can have a look at the changelog[1] as
prepared in pkg-voip's SVN.

Would you like me to include some of these security fixes to the
security upload as well? Or should I just go and do an upload containing
only the fix for CVE-2009-4055 and handle the rest in spu as originally
intended?

Thanks,
Faidon

1:
http://svn.debian.org/wsvn/pkg-voip/asterisk/branches/lenny/debian/changelog




Information forwarded to debian-bugs-dist@lists.debian.org, Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>:
Bug#559103; Package asterisk. (Sun, 06 Dec 2009 21:06:03 GMT)

Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>. (Sun, 06 Dec 2009 21:06:03 GMT)

Message #25 received at 559103@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Faidon Liambotis <paravoid@debian.org>
Cc: Moritz Muehlenhoff <jmm@debian.org>, 559103@bugs.debian.org, security@debian.org
Subject: Re: Bug#559103: CVE-2009-4055: RTP Remote Crash Vulnerability
Date: Sun, 6 Dec 2009 22:04:07 +0100

On Sun, Dec 06, 2009 at 08:48:33PM +0200, Faidon Liambotis wrote:
> Moritz, hi,
> 
> Moritz Muehlenhoff wrote:
> > Package: asterisk
> > Severity: grave
> > Tags: security
> > 
> > http://downloads.asterisk.org/pub/security/AST-2009-010.html
> Thanks! Fix just uploaded to sid; urgency high but likely to be blocked
> by the uw-imap transition.
> 
> Due to the severity of the vulnerability, it is my opinion that this
> should be fixed in lenny via the security queue. The advisory should
> also announce the EoL of asterisk in etch (also affected), as previously
> agreed.
> 
> We have several fixes accumulated for an upcoming spu upload, including
> but not limited to several CVEs that we have agreed before to not handle
> them through the security queue due to their low severity.
> 
> For more information, you can have a look at the changelog[1] as
> prepared in pkg-voip's SVN.
> 
> Would you like me to include some of these security fixes to the
> security upload as well? Or should I just go and do an upload containing
> only the fix for CVE-2009-4055 and handle the rest in spu as originally
> intended?

If we're issuing a DSA we should include the minor fixes originally targeted
for a spu update.

Unfortunately someone else will need to process this update, I'm currently
quite busy.

Cheers,
        Moritz




Reply sent to Faidon Liambotis <paravoid@debian.org>:
You have taken responsibility. (Wed, 16 Dec 2009 23:33:13 GMT)

Notification sent to Moritz Muehlenhoff <jmm@debian.org>:
Bug acknowledged by developer. (Wed, 16 Dec 2009 23:33:13 GMT)

Message #30 received at 559103-close@bugs.debian.org:

From: Faidon Liambotis <paravoid@debian.org>
To: 559103-close@bugs.debian.org
Subject: Bug#559103: fixed in asterisk 1:1.4.21.2~dfsg-3+lenny1
Date: Wed, 16 Dec 2009 23:32:30 +0000

Source: asterisk
Source-Version: 1:1.4.21.2~dfsg-3+lenny1

We believe that the bug you reported is fixed in the latest version of
asterisk, which is due to be installed in the Debian FTP archive:

asterisk-config_1.4.21.2~dfsg-3+lenny1_all.deb
  to main/a/asterisk/asterisk-config_1.4.21.2~dfsg-3+lenny1_all.deb
asterisk-dbg_1.4.21.2~dfsg-3+lenny1_i386.deb
  to main/a/asterisk/asterisk-dbg_1.4.21.2~dfsg-3+lenny1_i386.deb
asterisk-dev_1.4.21.2~dfsg-3+lenny1_all.deb
  to main/a/asterisk/asterisk-dev_1.4.21.2~dfsg-3+lenny1_all.deb
asterisk-doc_1.4.21.2~dfsg-3+lenny1_all.deb
  to main/a/asterisk/asterisk-doc_1.4.21.2~dfsg-3+lenny1_all.deb
asterisk-h323_1.4.21.2~dfsg-3+lenny1_i386.deb
  to main/a/asterisk/asterisk-h323_1.4.21.2~dfsg-3+lenny1_i386.deb
asterisk-sounds-main_1.4.21.2~dfsg-3+lenny1_all.deb
  to main/a/asterisk/asterisk-sounds-main_1.4.21.2~dfsg-3+lenny1_all.deb
asterisk_1.4.21.2~dfsg-3+lenny1.diff.gz
  to main/a/asterisk/asterisk_1.4.21.2~dfsg-3+lenny1.diff.gz
asterisk_1.4.21.2~dfsg-3+lenny1.dsc
  to main/a/asterisk/asterisk_1.4.21.2~dfsg-3+lenny1.dsc
asterisk_1.4.21.2~dfsg-3+lenny1_i386.deb
  to main/a/asterisk/asterisk_1.4.21.2~dfsg-3+lenny1_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 559103@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Faidon Liambotis <paravoid@debian.org> (supplier of updated asterisk package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Mon, 14 Dec 2009 01:11:44 +0200
Source: asterisk
Binary: asterisk asterisk-h323 asterisk-doc asterisk-dev asterisk-dbg asterisk-sounds-main asterisk-config
Architecture: source all i386
Version: 1:1.4.21.2~dfsg-3+lenny1
Distribution: stable-security
Urgency: high
Maintainer: Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>
Changed-By: Faidon Liambotis <paravoid@debian.org>
Description: 
 asterisk   - Open Source Private Branch Exchange (PBX)
 asterisk-config - Configuration files for Asterisk
 asterisk-dbg - Debugging symbols for Asterisk
 asterisk-dev - Development files for Asterisk
 asterisk-doc - Source code documentation for Asterisk
 asterisk-h323 - H.323 protocol support for Asterisk
 asterisk-sounds-main - Core Sound files for Asterisk (English)
Closes: 522528 554486 554487 559103
Changes: 
 asterisk (1:1.4.21.2~dfsg-3+lenny1) stable-security; urgency=high
 .
   * Multiple security fixes:
     - "Information leak in IAX2 authentication", AST-2009-001, CVE-2009-0041.
     - "Remote Crash Vulnerability in SIP channel driver", AST-2009-002.
     - "SIP responses expose valid usernames", AST-2009-003, CVE-2008-3903.
       (Closes: #522528)
     - "SIP responses expose valid usernames", AST-2009-008, CVE-2009-3727.
       (Closes: #554487)
     - Stop shipping old static-http code in examples. Among other things, it
       includes a vulnerable version of the prototype Javascript library.
       AST-2009-009, CVE-2008-7220. (Closes: #554486)
     - "RTP Remote Crash Vulnerability", AST-2009-010, CVE-2009-4055.
       (Closes: #559103)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAksmj6cACgkQVty5d8XpUzMwHgCeKbMGyk0QDov48qlK09G5Fdzb
w2gAn2POsBO9cc4Dv+PrArwit8Is90D1
=M94m
-----END PGP SIGNATURE-----





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 31 Jan 2010 07:27:12 GMT)

Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Apr 16 16:18:30 2014; Machine Name: buxtehude.debian.org