-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Format: 1.7 Date: Tue, 21 Aug 2007 06:21:00 +0300 Source: asterisk Binary: asterisk-h323 asterisk-web-vmail asterisk asterisk-classic asterisk-dev asterisk-doc asterisk-sounds-main asterisk-bristuff asterisk-config Architecture: source all i386 Version: 1:1.2.13~dfsg-2etch1 Distribution: stable-security Urgency: high Maintainer: Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org> Changed-By: Faidon Liambotis <paravoid@debian.org> Description: asterisk - Open Source Private Branch Exchange (PBX) asterisk-bristuff - Open Source Private Branch Exchange (PBX) - BRIstuff-enabled vers asterisk-classic - Open Source Private Branch Exchange (PBX) - original Digium versi asterisk-config - config files for asterisk asterisk-dev - development files for asterisk asterisk-doc - documentation for asterisk asterisk-h323 - asterisk H.323 VoIP channel asterisk-sounds-main - sound files for asterisk asterisk-web-vmail - Web-based (CGI) voice mail interface for Asterisk Changes: asterisk (1:1.2.13~dfsg-2etch1) stable-security; urgency=high . * Add myself to Uploaders to mark this as a maintainer upload. * Multiple upstream security fixes: - channels/chan_sip.c: If a SIP message comes in and goes to a method handler that requires additional values that may not be present then send back an error. (CVE-2007-1306) - channels/chan_sip.c: fix bug that allows remote attackers to cause a denial of service (crash) via a SIP INVITE message with an SDP containing one valid and one invalid IP address. (CVE-2007-1561) - channels/chan_sip.c: Only try to handle a response if it has a response code. (ASA-2007-011, CVE-2007-1594, CVE-2007-2297) - manager.c: Don't crash if a manager connection provides a username that exists in manager.conf but does not have a password, and also requests MD5 authentication. (ASA-2007-012, CVE-2007-2294) - channels/iax2-parser.h, channels/chan_iax2.c, channels/iax2-parser.c: Ensure that when encoding the contents of an ast_frame into an iax_frame, that the size of the destination buffer is known in the iax_frame so that code won't write past the end of the allocated buffer when sending outgoing frames. (ASA-2007-014, CVE-2007-3762) - channels/chan_iax2.c: if a text frame is sent with no terminating NULL through a bridged IAX connection, the remote end will receive garbage characters tacked onto the end. (CVE-2007-2488) - channels/chan_iax2.c: After parsing information elements in IAX frames, set the data length to zero, so that code later on does not think it has data to copy. (ASA-2007-015, CVE-2007-3763) - channels/chan_skinny.c: Properly check for the length in the skinny packet to prevent an invalid memcpy. (ASA-2007-016, CVE-2007-3764) * i386 binary packages in etch were unfortunately compiled in an unclean chroot with libsqlite3-dev present and provide a feature based on that. Added a build dependency on that package to avoid regressions on a security upload. Files: 97a08cc08f7a14f50af5583f6cfaae89 1488 comm optional asterisk_1.2.13~dfsg-2etch1.dsc f8ee088b2e4feffe2b35d78079f90b69 3835589 comm optional asterisk_1.2.13~dfsg.orig.tar.gz b99340fd02758c851c28ae1e3c955d42 178578 comm optional asterisk_1.2.13~dfsg-2etch1.diff.gz d90b1991d6afd624e9f31668ef018587 146440 comm optional asterisk_1.2.13~dfsg-2etch1_all.deb 23be47715b380082a03a35d8805a6211 1499930 doc optional asterisk-doc_1.2.13~dfsg-2etch1_all.deb 3f0386aaaad741f88b25ec997e7af8dd 169902 devel optional asterisk-dev_1.2.13~dfsg-2etch1_all.deb e4ad12dc4a65fd9eaf8a58efc4def422 1504542 comm optional asterisk-sounds-main_1.2.13~dfsg-2etch1_all.deb 6feb2b37089d8f828130cc21c8e79625 73698 comm optional asterisk-web-vmail_1.2.13~dfsg-2etch1_all.deb 53dd0cd1001f4e78b2b2016773d60e5c 131626 comm optional asterisk-config_1.2.13~dfsg-2etch1_all.deb f70eb637297095022cdbd859bddd8376 1615580 comm optional asterisk-classic_1.2.13~dfsg-2etch1_i386.deb a4e6285b3a8859f93a52121468429ad3 1648860 comm optional asterisk-bristuff_1.2.13~dfsg-2etch1_i386.deb 76b1d7e76d2baae5857aa56a09e87652 130820 comm optional asterisk-h323_1.2.13~dfsg-2etch1_i386.deb -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (GNU/Linux) iD8DBQFGzJtiVty5d8XpUzMRAjjBAJ4heaOn9mjl724QqRLM67hMaNVJWgCfRnoP Kr4+2zefsERuzV2ZJdniOtI= =eCWV -----END PGP SIGNATURE----- Accepted: asterisk-bristuff_1.2.13~dfsg-2etch1_i386.deb to pool/main/a/asterisk/asterisk-bristuff_1.2.13~dfsg-2etch1_i386.deb asterisk-classic_1.2.13~dfsg-2etch1_i386.deb to pool/main/a/asterisk/asterisk-classic_1.2.13~dfsg-2etch1_i386.deb asterisk-config_1.2.13~dfsg-2etch1_all.deb to pool/main/a/asterisk/asterisk-config_1.2.13~dfsg-2etch1_all.deb asterisk-dev_1.2.13~dfsg-2etch1_all.deb to pool/main/a/asterisk/asterisk-dev_1.2.13~dfsg-2etch1_all.deb asterisk-doc_1.2.13~dfsg-2etch1_all.deb to pool/main/a/asterisk/asterisk-doc_1.2.13~dfsg-2etch1_all.deb asterisk-h323_1.2.13~dfsg-2etch1_i386.deb to pool/main/a/asterisk/asterisk-h323_1.2.13~dfsg-2etch1_i386.deb asterisk-sounds-main_1.2.13~dfsg-2etch1_all.deb to pool/main/a/asterisk/asterisk-sounds-main_1.2.13~dfsg-2etch1_all.deb asterisk-web-vmail_1.2.13~dfsg-2etch1_all.deb to pool/main/a/asterisk/asterisk-web-vmail_1.2.13~dfsg-2etch1_all.deb asterisk_1.2.13~dfsg-2etch1.diff.gz to pool/main/a/asterisk/asterisk_1.2.13~dfsg-2etch1.diff.gz asterisk_1.2.13~dfsg-2etch1.dsc to pool/main/a/asterisk/asterisk_1.2.13~dfsg-2etch1.dsc asterisk_1.2.13~dfsg-2etch1_all.deb to pool/main/a/asterisk/asterisk_1.2.13~dfsg-2etch1_all.deb