From 2814daf1707f41ab15f3289e9f88e2e24b4d0abb Mon Sep 17 00:00:00 2001 From: Guido Falsi Date: Thu, 18 Sep 2014 19:53:09 +0000 Subject: [PATCH] Document new asterisk11 vulnerability. MFH: 2014Q3 --- security/vuxml/vuln.xml | 38 ++++++++++++++++++++++++++++++++++++++ 1 file changed, 38 insertions(+) diff --git a/security/vuxml/vuln.xml b/security/vuxml/vuln.xml index 832552af817f..0ea348048511 100644 --- a/security/vuxml/vuln.xml +++ b/security/vuxml/vuln.xml @@ -57,6 +57,44 @@ Notes: --> + + asterisk -- Remotely triggered crash + + + asterisk11 + 11.12.1 + + + + +

The Asterisk project reports:

+
+

When an out of call message - delivered by either the + SIP or PJSIP channel driver or the XMPP stack - is handled + in Asterisk, a crash can occur if the channel servicing + the message is sent into the ReceiveFax dialplan application + while using the res_fax_spandsp module.

+

Note that this crash does not occur when using the + res_fax_digium module. While this crash technically + occurs due to a configuration issue, as attempting to + receive a fax from a channel driver that only contains + textual information will never succeed, the likelihood + of having it occur is sufficiently high as to warrant + this advisory.

+
+ +
+ + http://downloads.asterisk.org/pub/security/AST-2014-010.pdf + https://issues.asterisk.org/jira/browse/ASTERISK-24301 + https://www.asterisk.org/security + + + 2014-09-05 + 2014-09-18 + +
+ squid -- Buffer overflow in SNMP processing
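Review bot: the affected-package part of the new entry lists only asterisk11, with the single version bound 11.12.1, while the quoted advisory text says the message can arrive through the SIP or PJSIP channel driver or the XMPP stack. Please check against AST-2014-010 that no other asterisk port needs its own package entry with its own fixed version. In the references, only the three URLs appear and no CVE identifier is given, so add one if it has been assigned. The generic https://www.asterisk.org/security link adds little next to the advisory PDF and the ASTERISK-24301 issue and could be dropped. The description itself reads well: it keeps the upstream caveat that the crash needs the ReceiveFax application together with res_fax_spandsp, which is what a reader needs to decide whether their configuration is exposed.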