Over on Bugtraq, another Asterisk vulnerability has been announced. Several buffer overflows affect the below version:

——————————————————————-
Package / Vulnerable / Unaffected
——————————————————————-
1 net-misc/asterisk = 1.2.17-r1
>= 1.2.21.1-r1

This one comes with an admonishment to upgrade to the latest patch:

All Asterisk users should upgrade to the latest version:

# emerge –sync
# emerge –ask –oneshot –verbose “>=net-misc/asterisk-1.2.17-r1”

This is the link to the announcement at Gentoo Linux. I was hoping to find the link to the actual patch over at Asterisk, but I don’t see the right reference yet. The CVE #’s are all from 2007, but the announcement seems to be from 2008. If anyone finds the link, drop me a line or leave it in the comments.

On a minor note, the Nortel Networks UNIStim IP Phone with firmware version 0604DAS is vulnerable to a ping of death. No patch yet, but keep your eye on Nortel’s Security Advisory site for a response from the company.