Debian Asterisk vulnerabilities

CVE-2007-3765 [MEDIUM] CVE-2007-3765: asterisk - The STUN implementation in Asterisk 1.4.x before 1.4.8, AsteriskNOW before beta7... The STUN implementation in Asterisk 1.4.x before 1.4.8, AsteriskNOW before beta7, Appliance Developer Kit before 0.5.0, and s800i before 1.0.2 allows remote attackers to cause a denial of service (crash) via a crafted STUN length attribute in a STUN packet sent on an RTP port. Scope: local bullseye: resolved (fixed in 1:1.4.8~dfsg-1) sid: resolved (fixed in 1:1.4.8

CVE-2007-1561 [HIGH] CVE-2007-1561: asterisk - The channel driver in Asterisk before 1.2.17 and 1.4.x before 1.4.2 allows remot... The channel driver in Asterisk before 1.2.17 and 1.4.x before 1.4.2 allows remote attackers to cause a denial of service (crash) via a SIP INVITE message with an SDP containing one valid and one invalid IP address. Scope: local bullseye: resolved (fixed in 1:1.4.2~dfsg-5) sid: resolved (fixed in 1:1.4.2~dfsg-5)

CVE-2007-2297 [HIGH] CVE-2007-2297: asterisk - The SIP channel driver (chan_sip) in Asterisk before 1.2.18 and 1.4.x before 1.4... The SIP channel driver (chan_sip) in Asterisk before 1.2.18 and 1.4.x before 1.4.3 does not properly parse SIP UDP packets that do not contain a valid response code, which allows remote attackers to cause a denial of service (crash). Scope: local bullseye: resolved (fixed in 1:1.4.2~dfsg-1) sid: resolved (fixed in 1:1.4.2~dfsg-1)

CVE-2007-6170 [MEDIUM] CVE-2007-6170: asterisk - SQL injection vulnerability in the Call Detail Record Postgres logging engine (c... SQL injection vulnerability in the Call Detail Record Postgres logging engine (cdr_pgsql) in Asterisk 1.4.x before 1.4.15, 1.2.x before 1.2.25, B.x before B.2.3.4, and C.x before C.1.0-beta6 allows remote authenticated users to execute arbitrary SQL commands via (1) ANI and (2) DNIS arguments. Scope: local bullseye: resolved (fixed in 1:1.4.15~dfsg-1) sid: resolved

CVE-2007-4455 [MEDIUM] CVE-2007-4455: asterisk - The SIP channel driver (chan_sip) in Asterisk Open Source 1.4.x before 1.4.11, A... The SIP channel driver (chan_sip) in Asterisk Open Source 1.4.x before 1.4.11, AsteriskNOW before beta7, Asterisk Appliance Developer Kit 0.x before 0.8.0, and s800i (Asterisk Appliance) 1.x before 1.0.3 allows remote attackers to cause a denial of service (memory exhaustion) via a SIP dialog that causes a large number of history entries to be created. Scope: local

CVE-2007-3764 [MEDIUM] CVE-2007-3764: asterisk - The Skinny channel driver (chan_skinny) in Asterisk before 1.2.22 and 1.4.x befo... The Skinny channel driver (chan_skinny) in Asterisk before 1.2.22 and 1.4.x before 1.4.8, Business Edition before B.2.2.1, AsteriskNOW before beta7, Appliance Developer Kit before 0.5.0, and s800i before 1.0.2 allows remote attackers to cause a denial of service (crash) via a certain data length value in a crafted packet, which results in an "overly large memcpy."

CVE-2007-1306 [HIGH] CVE-2007-1306: asterisk - Asterisk 1.4 before 1.4.1 and 1.2 before 1.2.16 allows remote attackers to cause... Asterisk 1.4 before 1.4.1 and 1.2 before 1.2.16 allows remote attackers to cause a denial of service (crash) by sending a Session Initiation Protocol (SIP) packet without a URI and SIP-version header, which results in a NULL pointer dereference. Scope: local bullseye: resolved (fixed in 1:1.2.16~dfsg-1) sid: resolved (fixed in 1:1.2.16~dfsg-1)

CVE-2007-2488 [CRITICAL] CVE-2007-2488: asterisk - The IAX2 channel driver (chan_iax2) in Asterisk before 20070504 does not properl... The IAX2 channel driver (chan_iax2) in Asterisk before 20070504 does not properly null terminate data, which allows remote attackers to trigger loss of transmitted data, and possibly obtain sensitive information (memory contents) or cause a denial of service (application crash), by sending a frame that lacks a 0 byte. Scope: local bullseye: resolved (fixed in 1:1

CVE-2007-4280 [LOW] CVE-2007-4280: asterisk - The Skinny channel driver (chan_skinny) in Asterisk Open Source before 1.4.10, A... The Skinny channel driver (chan_skinny) in Asterisk Open Source before 1.4.10, AsteriskNOW before beta7, Appliance Developer Kit before 0.7.0, and Appliance s800i before 1.0.3 allows remote authenticated users to cause a denial of service (application crash) via a CAPABILITIES_RES_MESSAGE packet with a capabilities count larger than the capabilities_res_message array

CVE-2007-1595 [HIGH] CVE-2007-1595: asterisk - The Asterisk Extension Language (AEL) in pbx/pbx_ael.c in Asterisk does not prop... The Asterisk Extension Language (AEL) in pbx/pbx_ael.c in Asterisk does not properly generate extensions, which allows remote attackers to execute arbitrary extensions and have an unknown impact by specifying an invalid extension in a certain form. Scope: local bullseye: resolved (fixed in 1:1.4.0~dfsg-1) sid: resolved (fixed in 1:1.4.0~dfsg-1)

CVE-2007-2383 [MEDIUM] CVE-2007-2383: asterisk - The Prototype (prototypejs) framework before 1.5.1 RC3 exchanges data using Java... The Prototype (prototypejs) framework before 1.5.1 RC3 exchanges data using JavaScript Object Notation (JSON) without an associated protection scheme, which allows remote attackers to obtain the data via a web page that retrieves the data through a URL in the SRC attribute of a SCRIPT element and captures the data using other JavaScript code, aka "JavaScript Hijack

CVE-2007-6430 [MEDIUM] CVE-2007-6430: asterisk - Asterisk Open Source 1.2.x before 1.2.26 and 1.4.x before 1.4.16, and Business E... Asterisk Open Source 1.2.x before 1.2.26 and 1.4.x before 1.4.16, and Business Edition B.x.x before B.2.3.6 and C.x.x before C.1.0-beta8, when using database-based registrations ("realtime") and host-based authentication, does not check the IP address when the username is correct and there is no password, which allows remote attackers to bypass authentication using

CVE-2007-2294 [HIGH] CVE-2007-2294: asterisk - The Manager Interface in Asterisk before 1.2.18 and 1.4.x before 1.4.3 allows re... The Manager Interface in Asterisk before 1.2.18 and 1.4.x before 1.4.3 allows remote attackers to cause a denial of service (crash) by using MD5 authentication to authenticate a user that does not have a password defined in manager.conf, resulting in a NULL pointer dereference. Scope: local bullseye: resolved (fixed in 1:1.4.3~dfsg-1) sid: resolved (fixed in 1:1.4.3~

CVE-2007-4521 [MEDIUM] CVE-2007-4521: asterisk - Asterisk Open Source 1.4.5 through 1.4.11, when configured to use an IMAP voicem... Asterisk Open Source 1.4.5 through 1.4.11, when configured to use an IMAP voicemail storage backend, allows remote attackers to cause a denial of service via an e-mail with an "invalid/corrupted" MIME body, which triggers a crash when the recipient listens to voicemail. Scope: local bullseye: resolved sid: resolved

CVE-2006-2898 [HIGH] CVE-2006-2898: asterisk - The IAX2 channel driver (chan_iax2) for Asterisk 1.2.x before 1.2.9 and 1.0.x be... The IAX2 channel driver (chan_iax2) for Asterisk 1.2.x before 1.2.9 and 1.0.x before 1.0.11 allows remote attackers to cause a denial of service (crash) and execute arbitrary code via truncated IAX 2 (IAX2) video frames, which bypasses a length check and leads to a buffer overflow involving negative length check. NOTE: the vendor advisory claims that only a DoS is po

CVE-2006-4345 [HIGH] CVE-2006-4345: asterisk - Stack-based buffer overflow in channels/chan_mgcp.c in MGCP in Asterisk 1.0 thro... Stack-based buffer overflow in channels/chan_mgcp.c in MGCP in Asterisk 1.0 through 1.2.10 allows remote attackers to execute arbitrary code via a crafted audit endpoint (AUEP) response. Scope: local bullseye: resolved (fixed in 1:1.2.11.dfsg-1) sid: resolved (fixed in 1:1.2.11.dfsg-1)

CVE-2006-5444 [HIGH] CVE-2006-5444: asterisk - Integer overflow in the get_input function in the Skinny channel driver (chan_sk... Integer overflow in the get_input function in the Skinny channel driver (chan_skinny.c) in Asterisk 1.0.x before 1.0.12 and 1.2.x before 1.2.13, as used by Cisco SCCP phones, allows remote attackers to execute arbitrary code via a certain dlen value that passes a signed integer comparison and leads to a heap-based buffer overflow. Scope: local bullseye: resolved (fix

CVE-2006-1827 [MEDIUM] CVE-2006-1827: asterisk - Integer signedness error in format_jpeg.c in Asterisk 1.2.6 and earlier allows r... Integer signedness error in format_jpeg.c in Asterisk 1.2.6 and earlier allows remote attackers to execute arbitrary code via a length value that passes a length check as a negative number, but triggers a buffer overflow when it is used as an unsigned length. Scope: local bullseye: resolved (fixed in 1:1.2.7.1.dfsg-1) sid: resolved (fixed in 1:1.2.7.1.dfsg-1)

CVE-2006-5445 [HIGH] CVE-2006-5445: asterisk - Unspecified vulnerability in the SIP channel driver (channels/chan_sip.c) in Ast... Unspecified vulnerability in the SIP channel driver (channels/chan_sip.c) in Asterisk 1.2.x before 1.2.13 and 1.4.x before 1.4.0-beta3 allows remote attackers to cause a denial of service (resource consumption) via unspecified vectors that result in the creation of "a real pvt structure" that uses more resources than necessary. Scope: local bullseye: resolved (fixed

CVE-2006-4346 [HIGH] CVE-2006-4346: asterisk - Asterisk 1.2.10 supports the use of client-controlled variables to determine fil... Asterisk 1.2.10 supports the use of client-controlled variables to determine filenames in the Record function, which allows remote attackers to (1) execute code via format string specifiers or (2) overwrite files via directory traversals involving unspecified vectors, as demonstrated by the CALLERIDNAME variable. Scope: local bullseye: resolved (fixed in 1:1.2.11.dfs