[SECURITY] [DLA 781-1] asterisk security update
Package : asterisk
Version : 1:1.8.13.1~dfsg1-3+deb7u5
CVE ID : CVE-2014-2287 CVE-2016-7551
Debian Bug : 838832 741313
Two security vulnerabilities were discovered in Asterisk, an Open
Source PBX and telephony toolkit.
CVE-2014-2287
channels/chan_sip.c in Asterisk, when chan_sip has a certain
configuration, allows remote authenticated users to cause a denial
of service (channel and file descriptor consumption) via an INVITE
request with a (1) Session-Expires or (2) Min-SE header with a
malformed or invalid value.
CVE-2016-7551
The overlap dialing feature in chan_sip allows chan_sip to report
to a device that the number that has been dialed is incomplete and
more digits are required. If this functionality is used with a
device that has performed username/password authentication, RTP
resources are leaked. This occurs because the code fails to release
the old RTP resources before allocating new ones in this scenario.
If all resources are used, RTP port exhaustion occurs and no RTP
sessions can be set up.
For Debian 7 "Wheezy", these problems have been fixed in version
1:1.8.13.1~dfsg1-3+deb7u5.
We recommend that you upgrade your asterisk packages.
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
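To check a host's installed asterisk version against the fixed version above, the following added example (not part of the advisory or of Debian's tooling) reimplements dpkg's version ordering in Python, since the epoch, "~" and "+deb7u5" parts make a plain string comparison give wrong answers. The function names and the sample versions in the loop are constructed for illustration.

```python
DIGITS = "0123456789"
FIXED_VERSION = "1:1.8.13.1~dfsg1-3+deb7u5"  # fixed version stated in the advisory

def _order(c):
    """Sort weight of one non-digit character: '~' sorts before end of string."""
    if c == "" or c in DIGITS:
        return 0
    if c == "~":
        return -1
    return ord(c) if c.isalpha() else ord(c) + 256

def _take_number(s, i):
    """Read a run of digits starting at s[i]; return (value, next index)."""
    k = i
    while k < len(s) and s[k] in DIGITS:
        k += 1
    return int(s[i:k] or "0"), k

def _cmp_part(a, b):
    """Compare two upstream or revision strings: non-digit run, then digit run."""
    i = j = 0
    while i < len(a) or j < len(b):
        while (i < len(a) and a[i] not in DIGITS) or (j < len(b) and b[j] not in DIGITS):
            ac, bc = _order(a[i:i + 1]), _order(b[j:j + 1])
            if ac != bc:
                return -1 if ac < bc else 1
            i, j = i + 1, j + 1
        x, i = _take_number(a, i)
        y, j = _take_number(b, j)
        if x != y:
            return -1 if x < y else 1
    return 0

def _split(version):
    """Split into (epoch, upstream, revision); missing epoch is 0."""
    epoch, rest = version.split(":", 1) if ":" in version else ("0", version)
    upstream, sep, revision = rest.rpartition("-")
    return (int(epoch), upstream, revision) if sep else (int(epoch), rest, "")

def compare(v1, v2):
    """Return -1, 0 or 1 as v1 is older than, equal to or newer than v2."""
    (e1, u1, r1), (e2, u2, r2) = _split(v1), _split(v2)
    if e1 != e2:
        return -1 if e1 < e2 else 1
    return _cmp_part(u1, u2) or _cmp_part(r1, r2)

def is_fixed(installed):
    """True if the installed version is at or above the advisory's fixed version."""
    return compare(installed, FIXED_VERSION) >= 0

if __name__ == "__main__":
    for v in ("1:1.8.13.1~dfsg1-3+deb7u4", "1:1.8.13.1~dfsg1-3+deb7u5"):  # constructed samples
        print(v, "fixed" if is_fixed(v) else "VULNERABLE")
```

On a Debian system, `dpkg --compare-versions` performs the same comparison against the output of `dpkg-query -W asterisk`.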