Voice of VOIPSA

New versions of Asterisk fix denial of service flaw

June 6th, 2006 by David Endler

New versions of Asterisk were released today that fix a security vulnerability in the IAX2 channel driver:

The Asterisk Development Team today released Asterisk 1.2.9.1 and Asterisk 1.0.11.1 to address a security vulnerability in the IAX2 channel driver (chan_iax2). The vulnerability affects all users with IAX2 clients that might be compromised or used by a malicious user, and can lead to denial of service attacks and random Asterisk server crashes via a relatively trivial exploit.

All users are urged to upgrade as soon as they can practically do so, or ensure that they don’t expose IAX2 services to the public if it is not necessary.

Slightly more detail about the flaw is available in the Changelog:

* channels/chan_iax2.c: ensure that the received number of bytes is
included in all IAX2 incoming frame analysis checks (fixes a
known vulnerability)

This entry was posted on Tuesday, June 6th, 2006 at 7:15 pm and is filed under VoIP Security, VoIP Vulnerabilities. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.

One Response to “New versions of Asterisk fix denial of service flaw”

Voice of VOIPSA » Blog Archive » Asterisk & IAX Client Library Buffer Overflow Advisories Says:
June 14th, 2006 at 4:08 pm
[...] Updated software releases and/or patches have been released, which are the same patches that David Endler posted about earlier this week. [...]

New versions of Asterisk fix denial of service flaw

One Response to “New versions of Asterisk fix denial of service flaw”

Leave a Reply

Subscribe

Categories

Contributors

Archives

Blogroll

VOIPSA Member Blogs

Recent Posts