Several remote vulnerabilities have been discovered in Asterisk, a free
software PBX and telephony toolkit. The Common Vulnerabilities and
Exposures project identifies the following problems:
- CVE-2007-1306
Mu Security discovered that a NULL pointer dereference in the SIP
implementation could lead to denial of service.
- CVE-2007-1561
Inria Lorraine discovered that a programming error in the SIP
implementation could lead to denial of service.
- CVE-2007-2294
It was discovered that a NULL pointer dereference in the manager
interface could lead to denial of service.
- CVE-2007-2297
It was discovered that a programming error in the SIP implementation
could lead to denial of service.
- CVE-2007-2488
Tim Panton and Birgit Arkestein discovered that a programming error
in the IAX2 implementation could lead to information disclosure.
- CVE-2007-3762
Russell Bryant discovered that a buffer overflow in the IAX
implementation could lead to the execution of arbitrary code.
- CVE-2007-3763
Chris Clark and Zane Lackey discovered that several NULL pointer
dereferences in the IAX2 implementation could lead to denial of
service.
- CVE-2007-3764
Will Drewry discovered that a programming error in the Skinny
implementation could lead to denial of service.
For the oldstable distribution (sarge) these problems have been fixed in
version 1.0.7.dfsg.1-2sarge5.
For the stable distribution (etch) these problems have been fixed
in version 1:1.2.13~dfsg-2etch1.
For the unstable distribution (sid) these problems have been fixed in
version 1:1.4.11~dfsg-1.
We recommend that you upgrade your Asterisk packages.