Good morning, I have a simple question, Is this problem would affect also an Asterisk 1.4.38 if "Pedantic SIP support: No" in the Global Signalling Settings For what I understood, no.. Or is it a simple way to postpone upgrade until next planned upgrade.
Best Regards Le mardi 18 janvier 2011 17:35:31, Asterisk Security Team a écrit : > Asterisk Project Security Advisory - AST-2011-001 > > Product Asterisk > Summary Stack buffer overflow in SIP channel driver > Nature of Advisory Exploitable Stack Buffer Overflow > Susceptibility Remote Authenticated Sessions > Severity Moderate > Exploits Known No > Reported On January 11, 2011 > Reported By Matthew Nicholson > Posted On January 18, 2011 > Last Updated On January 18, 2011 > Advisory Contact Matthew Nicholson <mnichol...@digium.com> > CVE Name > > Description When forming an outgoing SIP request while in pedantic mode, a > stack buffer can be made to overflow if supplied with > carefully crafted caller ID information. This vulnerability > also affects the URIENCODE dialplan function and in some > versions of asterisk, the AGI dialplan application as well. > The ast_uri_encode function does not properly respect the size > of its output buffer and can write past the end of it when > encoding URIs. > > Resolution The size of the output buffer passed to the ast_uri_encode > function is now properly respected. > > In asterisk versions not containing the fix for this issue, > limiting strings originating from remote sources that will be > URI encoded to a length of 40 characters will protect against > this vulnerability. > > exten => s,1,Set(CALLERID(num)=${CALLERID(num):0:40}) > exten => s,n,Set(CALLERID(name)=${CALLERID(name):0:40}) > exten => s,n,Dial(SIP/channel) > > The CALLERID(num) and CALLERID(name) channel values, and any > strings passed to the URIENCODE dialplan function should be > limited in this manner. > > Affected Versions > Product Release Series > Asterisk Open Source 1.2.x All versions > Asterisk Open Source 1.4.x All versions > Asterisk Open Source 1.6.x All versions > Asterisk Open Source 1.8.x All versions > Asterisk Business Edition C.x.x All versions > AsteriskNOW 1.5 All versions > s800i (Asterisk Appliance) 1.2.x All versions > > Corrected In > Product Release > Asterisk Open Source 1.4.38.1, 1.4.39.1, 1.6.1.21, 1.6.2.15.1, > 1.6.2.16.1, 1.8.1.2, 1.8.2.1 > Asterisk Business Edition C.3.6.2 > > Patches > URL Branch > http://downloads.asterisk.org/pub/security/AST-2011-001-1.4.diff 1.4 > http://downloads.asterisk.org/pub/security/AST-2011-001-1.6.1.diff 1.6.1 > http://downloads.asterisk.org/pub/security/AST-2011-001-1.6.2.diff 1.6.2 > http://downloads.asterisk.org/pub/security/AST-2011-001-1.8.diff 1.8 > > Asterisk Project Security Advisories are posted at > http://www.asterisk.org/security > > This document may be superseded by later versions; if so, the latest > version will be posted at > http://downloads.digium.com/pub/security/AST-2011-001.pdf and > http://downloads.digium.com/pub/security/AST-2011-001.html > > Revision History > Date Editor Revisions Made > 2011-01-18 Matthew Nicholson Initial Release > > Asterisk Project Security Advisory - AST-2011-001 > Copyright (c) 2011 Digium, Inc. All Rights Reserved. > Permission is hereby granted to distribute and publish this advisory in its > original, unaltered form. > > > -- > _____________________________________________________________________ > -- Bandwidth and Colocation Provided by http://www.api-digital.com -- > New to Asterisk? Join us for a live introductory webinar every Thurs: > http://www.asterisk.org/hello > > asterisk-users mailing list > To UNSUBSCRIBE or update options visit: > http://lists.digium.com/mailman/listinfo/asterisk-users > -- _____________________________________________________________________ -- Bandwidth and Colocation Provided by http://www.api-digital.com -- New to Asterisk? Join us for a live introductory webinar every Thurs: http://www.asterisk.org/hello asterisk-users mailing list To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users