[Asterisk-Users] Security Vulnerability in Asterisk
James Golovich
james at wwnet.net
Mon Jun 28 13:07:44 MST 2004
This was fixed in CVS HEAD and stable on 4/13/2004, and a new source
release was made at the time (version 0.9.0).

I'm not sure why it would be brought up in a recent newsletter; it was
discussed in here (or maybe on -dev) sometime around 4/15/2004.

James

On Mon, 28 Jun 2004, Jim Rosenberg wrote:
> The following is pasted from SecurityFocus Newsletter #254:
>
> -------------------------
> Asterisk PBX Multiple Logging Format String Vulnerabilities
> BugTraq ID: 10569
> Remote: Yes
> Date Published: Jun 18 2004
> Relevant URL: http://www.securityfocus.com/bid/10569
> Summary:
> It is reported that Asterisk is susceptible to format string
> vulnerabilities in its logging functions.
>
> An attacker may use these vulnerabilities to corrupt memory, and read or
> write arbitrary memory. Remote code execution is likely possible.
>
> Due to the nature of these vulnerabilities, there may exist many different
> avenues of attack. Anything that can potentially call the logging functions
> with user-supplied data is vulnerable.
>
> Versions 0.7.0 through to 0.7.2 are reported vulnerable.
> -------------------------
>
> What is the status of CVS-current with respect to this?
>
> I don't remember seeing any discussion of this issue here; apologies if I
> missed it.
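
The bug class described in the quoted advisory, shown as an added example that is not part of this thread and is not Asterisk's code: a hypothetical logger `demo_log` is called once with peer-supplied text as the format string and once with a constant "%s" format. The constructed input contains only `%%`, a directive that consumes no argument, so the difference is visible without undefined behaviour.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical logger, NOT Asterisk's API. The format attribute lets
 * gcc/clang check every caller under -Wformat -Wformat-security. */
#if defined(__GNUC__)
__attribute__((format(printf, 3, 4)))
#endif
static int demo_log(char *out, size_t n, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int written = vsnprintf(out, n, fmt, ap);
    va_end(ap);
    return written;
}

/* Vulnerable pattern: text from the peer is used as the format string.
 * The compiler warning is silenced only because the call is deliberate. */
#if defined(__GNUC__)
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
#endif
static int log_peer_unsafe(char *out, size_t n, const char *peer_text)
{
    return demo_log(out, n, peer_text);
}
#if defined(__GNUC__)
#pragma GCC diagnostic pop
#endif

/* Fixed pattern: constant format, peer text passed only as data. */
static int log_peer_safe(char *out, size_t n, const char *peer_text)
{
    return demo_log(out, n, "%s", peer_text);
}

int main(void)
{
    /* Constructed sample input: "%%" is a directive that takes no argument. */
    const char *peer_text = "caller 100%% busy";
    char a[64], b[64];
    log_peer_unsafe(a, sizeof a, peer_text);
    log_peer_safe(b, sizeof b, peer_text);
    printf("unsafe: %s\nsafe:   %s\n", a, b);
    return strcmp(b, peer_text) != 0; /* 0 when the safe path logs verbatim */
}
```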