[asterisk-users] AST-2012-001: SRTP Video Remote Crash Vulnerability

Vladimir Mikhelson vlad at mikhelson.com
Thu Jan 19 20:22:12 CST 2012


It's funny.  The link

https://issues.asterisk.org/jira/browse/ASTERISK-19202

produces:

    Permission Violation

It seems that you have tried to perform an operation which you are not
permitted to perform.

If you think this message is wrong, please consult your administrators
about getting the necessary permissions.




On 1/19/2012 5:40 PM, Asterisk Security Team wrote:
>                Asterisk Project Security Advisory - AST-2012-001
>
>    +------------------------------------------------------------------------+
>    |       Product        | Asterisk                                        |
>    |----------------------+-------------------------------------------------|
>    |       Summary        | SRTP Video Remote Crash Vulnerability           |
>    |----------------------+-------------------------------------------------|
>    |  Nature of Advisory  | Denial of Service                               |
>    |----------------------+-------------------------------------------------|
>    |    Susceptibility    | Remote unauthenticated sessions                 |
>    |----------------------+-------------------------------------------------|
>    |       Severity       | Moderate                                        |
>    |----------------------+-------------------------------------------------|
>    |    Exploits Known    | No                                              |
>    |----------------------+-------------------------------------------------|
>    |     Reported On      | 2012-01-15                                      |
>    |----------------------+-------------------------------------------------|
>    |     Reported By      | Catalin Sanda                                   |
>    |----------------------+-------------------------------------------------|
>    |      Posted On       | 2012-01-19                                      |
>    |----------------------+-------------------------------------------------|
>    |   Last Updated On    | January 19, 2012                                |
>    |----------------------+-------------------------------------------------|
>    |   Advisory Contact   | Joshua Colp < jcolp AT digium DOT com >         |
>    |----------------------+-------------------------------------------------|
>    |       CVE Name       |                                                 |
>    +------------------------------------------------------------------------+
>
>    +------------------------------------------------------------------------+
>    | Description | An attacker attempting to negotiate a secure video       |
>    |             | stream can crash Asterisk if video support has not been  |
>    |             | enabled and the res_srtp Asterisk module is loaded.      |
>    +------------------------------------------------------------------------+
>
>    +------------------------------------------------------------------------+
>    | Resolution | Upgrade to one of the versions of Asterisk listed in the  |
>    |            | "Corrected In" section, or apply a patch specified in the |
>    |            | "Patches" section.                                        |
>    +------------------------------------------------------------------------+
>
>    +------------------------------------------------------------------------+
>    |                           Affected Versions                            |
>    |------------------------------------------------------------------------|
>    |            Product            | Release Series |                       |
>    |-------------------------------+----------------+-----------------------|
>    |     Asterisk Open Source      |     1.8.x      | All versions          |
>    |-------------------------------+----------------+-----------------------|
>    |     Asterisk Open Source      |      10.x      | All versions          |
>    +------------------------------------------------------------------------+
>
>    +------------------------------------------------------------------------+
>    |                              Corrected In                              |
>    |------------------------------------------------------------------------|
>    |                 Product                  |           Release           |
>    |------------------------------------------+-----------------------------|
>    |           Asterisk Open Source           |           1.8.8.2           |
>    |------------------------------------------+-----------------------------|
>    |           Asterisk Open Source           |           10.0.1            |
>    +------------------------------------------------------------------------+
>
>    +------------------------------------------------------------------------+
>    |                                Patches                                 |
>    |------------------------------------------------------------------------|
>    |                             SVN URL                             |Branch|
>    |-----------------------------------------------------------------+------|
>    |http://downloads.asterisk.org/pub/security/AST-2012-001-1.8.diff |v1.8  |
>    |-----------------------------------------------------------------+------|
>    |http://downloads.asterisk.org/pub/security/AST-2012-001-10.diff  |v10   |
>    +------------------------------------------------------------------------+
>
>    +------------------------------------------------------------------------+
>    |   Links   | https://issues.asterisk.org/jira/browse/ASTERISK-19202     |
>    +------------------------------------------------------------------------+
>
>    +------------------------------------------------------------------------+
>    | Asterisk Project Security Advisories are posted at                     |
>    | http://www.asterisk.org/security                                       |
>    |                                                                        |
>    | This document may be superseded by later versions; if so, the latest   |
>    | version will be posted at                                              |
>    | http://downloads.digium.com/pub/security/AST-2012-001.pdf and          |
>    | http://downloads.digium.com/pub/security/AST-2012-001.html             |
>    +------------------------------------------------------------------------+
>
>    +------------------------------------------------------------------------+
>    |                            Revision History                            |
>    |------------------------------------------------------------------------|
>    |      Date       |       Editor       |         Revisions Made          |
>    |-----------------+--------------------+---------------------------------|
>    | 12-01-19        | Joshua Colp        | Initial release                 |
>    +------------------------------------------------------------------------+
>
>                Asterisk Project Security Advisory - AST-2012-001
>               Copyright (c) 2012 Digium, Inc. All Rights Reserved.
>   Permission is hereby granted to distribute and publish this advisory in its
>                            original, unaltered form.
>
>
>
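A check a defender could run against the two conditions the advisory names (an affected 1.8.x or 10.x version, and the res_srtp module loaded). This is an added example, not code from the thread or from the Asterisk project; the sample CLI output below is constructed, and the exact shapes of the `core show version` and `module show like res_srtp` output are an assumption.

```python
import re

# Fixed versions from the advisory's "Corrected In" table, keyed by series.
CORRECTED = {"1.8": (1, 8, 8, 2), "10": (10, 0, 1)}

# Constructed sample output (assumed shapes of the Asterisk CLI commands).
SAMPLE_VERSION = "Asterisk 1.8.8.1 built by root @ pbx on a x86_64 running Linux"
SAMPLE_MODULES = """Module                         Description                    Use Count
res_srtp.so                    Secure RTP (SRTP)              0
1 modules loaded
"""


def parse_version(text):
    """Extract the first dotted version ('1.8.8.1') as a tuple of ints."""
    m = re.search(r"\b(\d+(?:\.\d+)+)", text)
    if not m:
        raise ValueError("no version number in %r" % text)
    return tuple(int(x) for x in m.group(1).split("."))


def release_series(v):
    """Map a version tuple onto the advisory's series names, else None."""
    if v[0] == 1 and len(v) > 1 and v[1] == 8:
        return "1.8"
    if v[0] == 10:
        return "10"
    return None


def is_affected(version_text):
    """True if in an affected series and older than the fix; False if at or
    past the fix; None if the series is not covered by this advisory."""
    v = parse_version(version_text)
    series = release_series(v)
    if series is None:
        return None
    return v < CORRECTED[series]  # tuple comparison handles 1.8.8 < 1.8.8.2


def srtp_loaded(module_show_output):
    """True if a 'module show like res_srtp' listing contains res_srtp.so."""
    return any(line.split()[0] == "res_srtp.so"
               for line in module_show_output.splitlines() if line.strip())


def needs_attention(version_text, module_show_output):
    """Both advisory conditions hold: upgrade, or unload res_srtp if unused."""
    return is_affected(version_text) is True and srtp_loaded(module_show_output)
```

Feed it the real output of `asterisk -rx "core show version"` and `asterisk -rx "module show like res_srtp"` to check a running box.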