Hi Luciano, I applied DSA 2276-1 to my Lenny/i386 system, and asterisk suddenly wouldn't start anymore. Reboot did not help. This is a production Asterisk system where "nothing" is ever changed, other than the Asterisk config (which also hasn't changed for six months). I never had any issues with any updates since the system went live just after Lenny became stable.
I examined /var/log/messages, and nothing shows on asterisk that didn't show before. Asterisk seems to start, but it doesn't show in the process list afterward. Could this be a regression?

As this is a production system, I did not examine the problem for more than 5 minutes (two reboots, a couple of attempts at /etc/init.d/asterisk restart, looking at /var/log/messages), and then rolled back the last full disk backup.

If you want me to do any tests this will be difficult during the work week (this is a critical production system), but I can probably schedule them over the next weekend.

Thanks,

- Jan Joris -

On Sun, Jul 10, 2011 at 17:17, Luciano Bello <[email protected]> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> - -------------------------------------------------------------------------
> Debian Security Advisory DSA-2276-1                   [email protected]
> http://www.debian.org/security/                           Luciano Bello
> July 10, 2011                          http://www.debian.org/security/faq
> - -------------------------------------------------------------------------
>
> Package        : asterisk
> Vulnerability  : multiple denial of service
> Problem type   : remote
> Debian-specific: no
> CVE ID         : CVE-2011-2529 CVE-2011-2535
> Debian Bug     : 631445 631446 631448
>
> Paul Belanger reported a vulnerability in Asterisk identified as AST-2011-008
> (CVE-2011-2529) through which an unauthenticated attacker may crash an Asterisk
> server remotely. A package containing a null char causes the SIP header parser
> to alter unrelated memory structures.
>
> Jared Mauch reported a vulnerability in Asterisk identified as AST-2011-009
> through which an unauthenticated attacker may crash an Asterisk server remotely.
> If a user sends a package with a Contact header with a missing left angle
> bracket (<) the server will crash. A possible workaround is to disable
> chan_sip.
>
> The vulnerability identified as AST-2011-010 (CVE-2011-2535) reported about an
> input validation error in the IAX2 channel driver. An unauthenticated attacker
> may crash an Asterisk server remotely by sending a crafted option control
> frame.
>
>
> For the oldstable distribution (lenny), this problem has been fixed in
> version 1.4.21.2~dfsg-3+lenny3.
>
> For the stable distribution (squeeze), this problem has been fixed in
> version 1.6.2.9-2+squeeze3.
>
> For the testing distribution (wheezy), this problem has been fixed in
> version 1:1.8.4.3-1.
>
> For the unstable distribution (sid), this problem has been fixed in
> version 1:1.8.4.3-1.
>
> We recommend that you upgrade your asterisk packages.
>
> Further information about Debian Security Advisories, how to apply
> these updates to your system and frequently asked questions can be
> found at: http://www.debian.org/security/
>
> Mailing list: [email protected]
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.11 (GNU/Linux)
>
> iEYEARECAAYFAk4Zwm8ACgkQHYflSXNkfP+G9QCgmlIDAuhXZSFFYspmaJkvt8uS
> gwkAnRduatGpgQo19s7RuEOspPIgOtlE
> =RXeA
> -----END PGP SIGNATURE-----
>
>
> --
> To UNSUBSCRIBE, email to [email protected]
> with a subject of "unsubscribe". Trouble? Contact
> [email protected]
> Archive: http://lists.debian.org/[email protected]
>

--
Jan Joris Vereijken / [email protected] / +31 6 2128 0372
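The two SIP-side problems the advisory describes (a NUL byte inside the packet, AST-2011-008, and a Contact header whose left angle bracket is missing, AST-2011-009) are both shapes that a front-end sanity check can refuse before a parser ever sees them. The following is an added example, not code from the thread, from Debian or from Asterisk's chan_sip: a small stand-alone SIP message splitter with a Contact validator that rejects exactly those two shapes (plus an unclosed `<`), run over constructed sample datagrams. The accepted Contact forms follow RFC 3261 (`*`, a bare addr-spec, or a name-addr in `<...>`); the sample messages, function names and the `SipRejected` exception are all inventions for this example.

```python
import re

# Constructed for this example: a pre-filter for the two SIP malformations
# named in DSA-2276-1. It is not Asterisk's parser and makes no claim
# about how chan_sip handles these inputs internally.


class SipRejected(ValueError):
    """Raised when a datagram fails a sanity check."""


# RFC 3261 compact header names; only the one this example cares about.
_COMPACT = {"m": "contact"}

# A bare addr-spec: scheme, then no whitespace, angle brackets, ';' or ','.
_ADDR_SPEC = re.compile(r"^(sip|sips|tel):[^\s<>;,]+$")


def contact_uri(value: str) -> str:
    """Return the URI carried by one Contact header value, or raise.

    Accepted forms:
      '*'                                   REGISTER wildcard
      sip:alice@host;expires=3600           addr-spec, params after ';'
      "Alice" <sip:alice@host>;expires=3600 name-addr
    Rejected: a '>' with no '<' before it (the AST-2011-009 shape),
    an unclosed '<', and anything that is not a sip/sips/tel URI.
    """
    value = value.strip()
    if value == "*":
        return "*"
    lt, gt = value.find("<"), value.find(">")
    if gt != -1 and (lt == -1 or gt < lt):
        raise SipRejected("Contact: '>' without a preceding '<'")
    if lt != -1 and gt == -1:
        raise SipRejected("Contact: '<' is never closed")
    if lt == -1:
        uri = value.split(";", 1)[0].strip()   # addr-spec: params start at ';'
    else:
        uri = value[lt + 1:gt].strip()         # name-addr: URI sits in <...>
    if not _ADDR_SPEC.match(uri):
        raise SipRejected("Contact: not a sip/sips/tel URI: %r" % uri)
    return uri


def parse_sip_message(raw: bytes):
    """Split a SIP datagram into (start_line, headers, body).

    The NUL check runs on the raw bytes before any header is looked at
    (the AST-2011-008 shape). Every Contact header is passed through
    contact_uri(); header names are lower-cased and compact forms expanded.
    """
    if b"\x00" in raw:
        raise SipRejected("NUL byte inside SIP packet")
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError as exc:
        raise SipRejected("undecodable bytes: %s" % exc)
    head, sep, body = text.partition("\r\n\r\n")
    if not sep:
        raise SipRejected("no CRLFCRLF terminating the headers")
    head = re.sub(r"\r\n[ \t]+", " ", head)      # unfold continuation lines
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon or not name.strip():
            raise SipRejected("malformed header line: %r" % line)
        name = name.strip().lower()
        headers.setdefault(_COMPACT.get(name, name), []).append(value.strip())
    for contact in headers.get("contact", []):
        contact_uri(contact)
    return lines[0], headers, body


def classify(raw: bytes) -> str:
    """'ok' for an acceptable datagram, otherwise 'rejected: <reason>'."""
    try:
        parse_sip_message(raw)
        return "ok"
    except SipRejected as exc:
        return "rejected: %s" % exc


# Constructed sample datagrams (RFC 3261 style, documentation addresses).
GOOD_INVITE = (
    b"INVITE sip:bob@example.net SIP/2.0\r\n"
    b"Via: SIP/2.0/UDP 192.0.2.1:5060;branch=z9hG4bK776asdhds\r\n"
    b"From: \"Alice\" <sip:alice@example.net>;tag=1928301774\r\n"
    b"To: Bob <sip:bob@example.net>\r\n"
    b"Call-ID: a84b4c76e66710\r\n"
    b"CSeq: 314159 INVITE\r\n"
    b"Contact: \"Alice\" <sip:alice@192.0.2.1>;expires=3600\r\n"
    b"Content-Length: 0\r\n\r\n"
)
# Same message with the '<' dropped from Contact (AST-2011-009 shape).
BAD_CONTACT = GOOD_INVITE.replace(b"<sip:alice@192.0.2.1>", b"sip:alice@192.0.2.1>")
# Same message with a NUL byte planted in a header (AST-2011-008 shape).
BAD_NUL = GOOD_INVITE.replace(b"To: Bob", b"To: B\x00b")

if __name__ == "__main__":
    for label, pkt in (("good", GOOD_INVITE), ("contact", BAD_CONTACT), ("nul", BAD_NUL)):
        print(label, "->", classify(pkt))
```

The NUL test deliberately runs on the raw bytes rather than on decoded text, so a packet is thrown away before any string handling touches it; the Contact check is ordered so that a stray `>` is reported before the URI regex, which keeps the rejection reason tied to the advisory's description.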

