Anyone using my 1.4 port who uses chan_skinny (not on by default), please update to 1.4.10, http://spacehopper.org/openbsd/asterisk.tar.gz is updated.
The in-tree 1.2 is not affected by this.

> +------------------------------------------------------------------------+
> | Description | The Asterisk Skinny channel driver, chan_skinny, has a   |
> |             | remotely exploitable crash vulnerability. A segfault can |
> |             | occur when Asterisk receives a                           |
> |             | "CAPABILITIES_RES_MESSAGE" packet where the capabilities |
> |             | count is greater than the total number of items in the   |
> |             | capabilities_res_message array. Note that this requires  |
> |             | an authenticated session.                                |
> +------------------------------------------------------------------------+
>
> +------------------------------------------------------------------------+
> | Resolution  | Asterisk code has been modified to limit the incoming    |
> |             | capabilities count.                                      |
> |             |                                                          |
> |             | Users with configured Skinny devices should upgrade to   |
> |             | the appropriate version listed in the corrected in       |
> |             | section of this advisory.                                |
> +------------------------------------------------------------------------+
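
The class of fix the quoted advisory describes (limiting a sender-supplied count to the size of a fixed array), as an added example that is not part of this message and is not Asterisk's code. The wire layout, `MAX_CAPS`, and the names `parse_caps` and `demo` are assumptions made for illustration, and the check against the received length goes beyond what the advisory states.

```c
#include <stdint.h>
#include <stdio.h>

#define MAX_CAPS 18        /* assumed size of the fixed capabilities array */
#define CAP_ENTRY_SIZE 4   /* assumed: one 32-bit codec id per entry */

/* Read a little-endian 32-bit value without alignment assumptions. */
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Parse an assumed layout [count:u32][count x codec:u32].
 * Returns the number of entries stored in out[], or -1 if malformed. */
int parse_caps(const uint8_t *buf, size_t len, uint32_t out[MAX_CAPS])
{
    if (len < 4)
        return -1;
    uint32_t count = rd32(buf);
    /* Limit the sender-supplied count to the array size. */
    if (count > MAX_CAPS)
        count = MAX_CAPS;
    /* Reject a count that the received payload cannot back. */
    if ((len - 4) / CAP_ENTRY_SIZE < count)
        return -1;
    for (uint32_t i = 0; i < count; i++)
        out[i] = rd32(buf + 4 + (size_t)i * CAP_ENTRY_SIZE);
    return (int)count;
}

/* Constructed message: header claims `claimed` entries, body carries `sent`. */
int demo(uint32_t claimed, size_t sent)
{
    uint8_t msg[4 + 64 * CAP_ENTRY_SIZE] = {0};
    uint32_t out[MAX_CAPS];
    if (sent > 64)
        return -1;
    for (int i = 0; i < 4; i++)
        msg[i] = (uint8_t)(claimed >> (8 * i));
    return parse_caps(msg, 4 + sent * CAP_ENTRY_SIZE, out);
}

int main(void)
{
    printf("%d %d %d\n", demo(3, 3), demo(1000, 18), demo(5, 2));
    return 0;
}
```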
