Last week the folks at Digium released 4 security advisories on their www.asterisk.org/security web site. They are:
- ASA-2007-014 – Stack Buffer Overflow in IAX2 channel driver
- ASA-2007-015 – Remote Crash Vulnerability in IAX2 Channel Driver
- ASA-2007-016 – Remote Crash Vulnerability in Skinny channel driver (note that the advisory PDF is actually at this link versus the one currently on their web page – UPDATE: The ASA-2007-016 web page has been fixed.)
- ASA-2007-017 – Remote Crash Vulnerability in STUN implementation
There are fixes for all the issues (basically, upgrade to the current release of the Asterisk stream you are using), and if you are using Asterisk (or a derivative of Asterisk) we would encourage you to read these advisories and take the recommended actions.
On a side note, it’s definitely been great to see the changes Digium has brought to reporting security issues with Asterisk. First was the security portal at www.asterisk.org/security, and then, starting in April, came these well-done security advisory documents. Kudos to Kevin Fleming and the rest of the developer team there. (Thanks also to Kevin for starting to post these advisories to the VOIPSEC mailing list.)