  • [SECURITY] [DSA 1952-1] New asterisk packages fix several vulnerabiliti

    From Steffen Joeris@1:229/2 to All on Tue Dec 15 14:20:02 2009
    From: [email protected]

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    - ------------------------------------------------------------------------
    Debian Security Advisory DSA-1952-1                     [email protected]
    http://www.debian.org/security/                           Steffen Joeris
    December 15, 2009                     http://www.debian.org/security/faq
    - ------------------------------------------------------------------------

    Package : asterisk
    Vulnerability : several vulnerabilities
    Problem type : remote
    Debian-specific: no
    CVE ID : CVE-2009-0041 CVE-2008-3903 CVE-2009-3727 CVE-2008-7220 CVE-2009-4055 CVE-2007-2383
    Debian Bug : 513413 522528 554487 554486 559103


    Several vulnerabilities have been discovered in asterisk, an Open Source
    PBX and telephony toolkit. The Common Vulnerabilities and Exposures
    project identifies the following problems:

    CVE-2009-0041

    It is possible to determine valid login names via probing, due to the
    IAX2 response from asterisk (AST-2009-001).

    CVE-2008-3903

    It is possible to determine a valid SIP username, when Digest
    authentication and authalwaysreject are enabled (AST-2009-003).

    CVE-2009-3727

    It is possible to determine a valid SIP username via multiple crafted
    REGISTER messages (AST-2009-008).

    CVE-2008-7220 CVE-2007-2383

    It was discovered that asterisk contains an obsolete copy of the
    Prototype JavaScript framework, which is vulnerable to several security
    issues. This copy is unused and now removed from asterisk
    (AST-2009-009).

    CVE-2009-4055

    It was discovered that it is possible to perform a denial of service
    attack via RTP comfort noise payload with a long data length
    (AST-2009-010).


    For the stable distribution (lenny), these problems have been fixed in
    version 1:1.4.21.2~dfsg-3+lenny1.

    The security support for asterisk in the oldstable distribution (etch)
    has been discontinued before the end of the regular Etch security
    maintenance life cycle. You are strongly encouraged to upgrade to
    stable.

    For the testing distribution (squeeze) and the unstable distribution
    (sid), these problems have been fixed in version 1:1.6.2.0~rc7-1.


    We recommend that you upgrade your asterisk packages.

    Upgrade instructions
    - --------------------

    wget url
            will fetch the file for you
    dpkg -i file.deb
            will install the referenced file.

    If you are using the apt-get package manager, use the line for
    sources.list as given below:

    apt-get update
            will update the internal database
    apt-get upgrade
            will install corrected packages

    You may use an automated update by adding the resources from the
    footer to the proper configuration.


    Debian GNU/Linux 5.0 alias lenny
    - --------------------------------

    Debian (stable)
    - ---------------

    Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.


    [continued in next message]

    --- SoupGate-Win32 v1.05
    * Origin: you cannot sedate... all the things you hate (1:229/2)