[Asterisk-Users] Security Vulnerability in Asterisk

James Golovich james at wwnet.net
Mon Jun 28 13:07:44 MST 2004


This was fixed in cvs HEAD and stable on 4/13/2004 and a new source
release was made at the time (version 0.9.0).

I'm not sure why it would be brought up on a recent newsletter; it was
discussed in here (or maybe on -dev) sometime around 4/15/2004.

James

On Mon, 28 Jun 2004, Jim Rosenberg wrote:

> The following is pasted from SecurityFocus Newsletter #254:
> 
> -------------------------
> Asterisk PBX Multiple Logging Format String Vulnerabilities
> BugTraq ID: 10569
> Remote: Yes
> Date Published: Jun 18 2004
> Relevant URL: http://www.securityfocus.com/bid/10569
> Summary:
> It is reported that Asterisk is susceptible to format string
> vulnerabilities in its logging functions.
> 
> An attacker may use these vulnerabilities to corrupt memory, and read or
> write arbitrary memory. Remote code execution is likely possible.
> 
> Due to the nature of these vulnerabilities, there may exist many different
> avenues of attack. Anything that can potentially call the logging functions
> with user-supplied data is vulnerable.
> 
> Versions 0.7.0 through to 0.7.2 are reported vulnerable.
> -------------------------
> 
> What is the status of CVS-current with respect to this?
> 
> I don't remember seeing any discussion of this issue here; apologies if I
> missed it.

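The advisory quoted above describes the classic format-string sink: a logging routine that takes a printf-style format, called with caller-supplied text in the format position. The following is an added C example, not Asterisk's code and not the fix the project shipped; `log_to_buffer`, `log_untrusted` and `has_format_directive` are hypothetical stand-ins. It shows the unsafe call shape to look for during review, the constant-format `"%s"` fix that is the standard remedy for this bug class, and the GCC/Clang `format` attribute that lets `-Wformat-security` report any remaining call site at compile time.

```c
/* Added example (not Asterisk code): a printf-style logging function as a
 * format-string sink, the safe way to log untrusted text through it, and a
 * small helper for spotting directive-bearing input in captured data. */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for a logging routine such as ast_log(): it takes a
 * printf-style format plus arguments. The format attribute tells GCC/Clang
 * which parameter is the format (3rd) and where the arguments start (4th),
 * so a call that passes a non-literal format with no arguments is flagged
 * by -Wformat-security. */
__attribute__((format(printf, 3, 4)))
static void log_to_buffer(char *out, size_t outlen, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(out, outlen, fmt, ap);
    va_end(ap);
}

/* Vulnerable call shape: caller-controlled text used AS the format string.
 * If `text` arrived in a SIP header or caller ID and contains '%' directives,
 * vsnprintf interprets them against an argument list that does not exist.
 * Shown only as the pattern to search for; it is never compiled in.
 *
 *     log_to_buffer(buf, sizeof buf, text);      <- do not do this
 */

/* Fixed call shape: constant format, untrusted text passed as a "%s"
 * argument. Any '%' characters in `text` are then copied literally. */
static const char *log_untrusted(const char *text)
{
    static char line[256];   /* static so the caller can inspect the result */
    log_to_buffer(line, sizeof line, "caller data: %s", text);
    return line;
}

/* Audit helper: report whether a string carries a conversion directive.
 * Useful when scanning captured inputs or test fixtures for values that
 * would have been interpreted under the old call shape. "%%" is an escaped
 * percent sign and is not counted. */
static int has_format_directive(const char *s)
{
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {       /* "%%" is a literal percent sign */
            s++;
            continue;
        }
        return 1;
    }
    return 0;
}

int main(void)
{
    /* Constructed sample of hostile-looking caller data (not a real capture). */
    const char *sample = "Alice %x %s %n";
    printf("%s\n", log_untrusted(sample));
    printf("directives present: %d\n", has_format_directive(sample));
    printf("directives present: %d\n", has_format_directive("100%% done"));
    return 0;
}
```

Build with `-Wformat -Wformat-security` (and `-Werror=format-security` in CI) so that the commented-out unsafe shape, if someone reintroduces it, fails the build rather than reaching a release.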