fmII
Fri, Jul 25th home | browse | articles | contact | chat | submit | faq | newsletter | about | stats | scoop 14:00 UTC
in
Section
login «
register «
recover password «
[Article] add comment [Article]

 Debian: New asterisk packages fix SQL injection
 by Patrick Lenz, in Security - Sun, Dec 9th 2007 14:19 UTC

Tilghman Lesher discovered that the logging engine of Asterisk, a free software PBX and telephony toolkit performs insufficient sanitising of call-related data, which may lead to SQL injection. Fixed packages are available from security.debian.org.

Links: security.debian.org 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------
Debian Security Advisory DSA-1417-1                  security@debian.org
http://www.debian.org/security/                       Moritz Muehlenhoff
December 02, 2007                     http://www.debian.org/security/faq
- ------------------------------------------------------------------------

Package        : asterisk
Vulnerability  : missing input sanitising
Problem type   : remote
Debian-specific: no
CVE Id(s)      : CVE-2007-6170

Tilghman Lesher discovered that the logging engine of Asterisk, a free
software PBX and telephony toolkit performs insufficient sanitising of
call-related data, which may lead to SQL injection.

For the stable distribution (etch), this problem has been fixed in
version 1:1.2.13~dfsg-2etch2. Updated packages for ia64 will be provided
later.

For the old stable distribution (sarge), this problem has been fixed
in version asterisk 1:1.0.7.dfsg.1-2sarge6.

We recommend that you upgrade your asterisk packages.

Upgrade instructions
- --------------------

wget url
       will fetch the file for you
dpkg -i file.deb
       will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
       will update the internal database
apt-get upgrade
       will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian 3.1 (oldstable)
- ----------------------

Oldstable updates are available for alpha, amd64, arm, hppa, i386, ia64, m68k, mips, mipsel, powerpc, s390 and sparc.

Source archives:

 http://security.debian.org/pool/updates/main/a/asterisk/asterisk_1.0.7.dfsg.1-2sarge6.diff.gz
   Size/MD5 checksum:    73711 44d028cde298e8f7b284f1e5f23e282b
 http://security.debian.org/pool/updates/main/a/asterisk/asterisk_1.0.7.dfsg.1.orig.tar.gz
   Size/MD5 checksum:  2929488 0d0f718ccd7a06ab998c3f637df294c0
 http://security.debian.org/pool/updates/main/a/asterisk/asterisk_1.0.7.dfsg.1-2sarge6.dsc
   Size/MD5 checksum:     1299 cba7066ff71b2ff473008c93a834094b

Architecture independent packages:

 http://security.debian.org/pool/updates/main/a/asterisk/asterisk-sounds-main_1.0.7.dfsg.1-2sarge6_all.deb
   Size/MD5 checksum:  1180744 5991109424e0f9e1dbdb7f5638085591
 http://security.debian.org/pool/updates/main/a/asterisk/asterisk-doc_1.0.7.dfsg.1-2sarge6_all.deb
   Size/MD5 checksum:  1578186 efebc4a9928065b0c559539000e5e71f
 http://security.debian.org/pool/updates/main/a/asterisk/asterisk-dev_1.0.7.dfsg.1-2sarge6_all.deb
   Size/MD5 checksum:    83976 013903b5a38c5813811587fb638514fb
 http://security.debian.org/pool/updates/main/a/asterisk/asterisk-web-vmail_1.0.7.dfsg.1-2sarge6_all.deb
   Size/MD5 checksum:    28968 9df0fbd4b3a8d909aaf0cf265881ea58
 http://security.debian.org/pool/updates/main/a/asterisk/asterisk-config_1.0.7.dfsg.1-2sarge6_all.deb
   Size/MD5 checksum:    62190 d5a4064aa448829ea30efdc8b0728704

alpha architecture (DEC Alpha)

 http://security.debian.org/pool/updates/main/a/asterisk/asterisk_1.0.7.dfsg.1-2sarge6_alpha.deb
   Size/MD5 checksum:  1503330 19cf64b0500b5f32d5d7fabbedff844f
 http://security.debian.org/pool/updates/main/a/asterisk/asterisk-gtk-console_1.0.7.dfsg.1-2sarge6_alpha.deb
   Size/MD5 checksum:    32350 cb51cc369b6af13d30cb89fea320cad2
 http://security.debian.org/pool/updates/main/a/asterisk/asterisk-h323_1.0.7.dfsg.1-2sarge6_alpha.deb
   Size/MD5 checksum:    21768 fcd35799afddc4047249c7e97b2f38cd

amd64 architecture (AMD x86_64 (AMD64))

 http://security.debian.org/pool/updates/main/a/asterisk/asterisk-h323_1.0.7.dfsg.1-2sarge6_amd64.deb
   Size/MD5 checksum:    22042 ebb7b2beddb130b8a4c131e054f371e3
 http://security.debian.org/pool/updates/main/a/asterisk/asterisk_1.0.7.dfsg.1-2sarge6_amd64.deb
   Size/MD5 checksum:  1334162 ed16172e3931d0068b2501b851645156
 http://security.debian.org/pool/updates/main/a/asterisk/asterisk-gtk-console_1.0.7.dfsg.1-2sarge6_amd64.deb
   Size/MD5 checksum:    31436 e20a91ebba5f67900bc8b443200f11f6

arm architecture (ARM)

 http://security.debian.org/pool/updates/main/a/asterisk/asterisk-gtk-console_1.0.7.dfsg.1-2sarge6_arm.deb
   Size/MD5 checksum:    30288 d3fed93376c7f4d7bcce1f3709bcb23a
 http://security.debian.org/pool/updates/main/a/asterisk/asterisk-h323_1.0.7.dfsg.1-2sarge6_arm.deb
   Size/MD5 checksum:    22046 8f2c8c14dc0bdd4927d3221bd79afe8c
 http://security.debian.org/pool/updates/main/a/asterisk/asterisk_1.0.7.dfsg.1-2sarge6_arm.deb
   Size/MD5 checksum:  1285322 48c3e537c9092b0e13bf024fa280f08a

hppa architecture (HP PA RISC)

 http://security.debian.org/pool/updates/main/a/asterisk/asterisk-h323_1.0.7.dfsg.1-2sarge6_hppa.deb
   Size/MD5 checksum:    22044 8e75a899a7b963e3cc6a777692203757
 http://security.debian.org/pool/updates/main/a/asterisk/asterisk-gtk-console_1.0.7.dfsg.1-2sarge6_hppa.deb
   Size/MD5 checksum:    32078 e8ed693449fc423177ad9ed194d37e27
 http://security.debian.org/pool/updates/main/a/asterisk/asterisk_1.0.7.dfsg.1-2sarge6_hppa.deb
   Size/MD5 checksum:  1448902 1497b1c6497658696d293ba3f39d4525

i386 architecture (Intel ia32)

 http://security.debian.org/pool/updates/main/a/asterisk/asterisk-gtk-console_1.0.7.dfsg.1-2sarge6_i386.deb
   Size/MD5 checksum:    30464 a0a8a5d35dd06ed8be8af8acdc98f736
 http://security.debian.org/pool/updates/main/a/asterisk/asterisk-h323_1.0.7.dfsg.1-2sarge6_i386.deb
   Size/MD5 checksum:    22044 ecae3e71a92c4f01b1a6ead8e97924a7
 http://security.debian.org/pool/updates/main/a/asterisk/asterisk_1.0.7.dfsg.1-2sarge6_i386.deb
   Size/MD5 checksum:  1175934 6cb2fe293e3d2381ee95cbf50644ac44

ia64 architecture (Intel ia64)

 http://security.debian.org/pool/updates/main/a/asterisk/asterisk_1.0.7.dfsg.1-2sarge6_ia64.deb
   Size/MD5 checksum:  1772256 87fc47caec0b66f2b0f4f00ddf6daa27
 http://security.debian.org/pool/updates/main/a/asterisk/asterisk-gtk-console_1.0.7.dfsg.1-2sarge6_ia64.deb
   Size/MD5 checksum:    33574 ec8ecec8c3dbb5154404cacb3c3a47a9
 http://security.debian.org/pool/updates/main/a/asterisk/asterisk-h323_1.0.7.dfsg.1-2sarge6_ia64.deb
   Size/MD5 checksum:    22044 e2bb42321d579ba257a77818226e6b69

m68k architecture (Motorola Mc680x0)

 http://security.debian.org/pool/updates/main/a/asterisk/asterisk_1.0.7.dfsg.1-2sarge6_m68k.deb
   Size/MD5 checksum:  1185716 6e3fe558a2ec44e05043186991c41093
 http://security.debian.org/pool/updates/main/a/asterisk/asterisk-gtk-console_1.0.7.dfsg.1-2sarge6_m68k.deb
   Size/MD5 checksum:    30820 77b9de99f9f5ad1857568e39f63b8d4c
 http://security.debian.org/pool/updates/main/a/asterisk/asterisk-h323_1.0.7.dfsg.1-2sarge6_m68k.deb
   Size/MD5 checksum:    22054 b069cd54d7252acdd295d59befb820c4

mips architecture (MIPS (Big Endian))

 http://security.debian.org/pool/updates/main/a/asterisk/asterisk_1.0.7.dfsg.1-2sarge6_mips.deb
   Size/MD5 checksum:  1264864 469aa61e6d902fffed273f29a2a842f0
 http://security.debian.org/pool/updates/main/a/asterisk/asterisk-h323_1.0.7.dfsg.1-2sarge6_mips.deb
   Size/MD5 checksum:    22052 5b9e306014a84165740901274def6a2c
 http://security.debian.org/pool/updates/main/a/asterisk/asterisk-gtk-console_1.0.7.dfsg.1-2sarge6_mips.deb
   Size/MD5 checksum:    30038 7d61fbba843d52b589f953bb35b73b98

mipsel architecture (MIPS (Little Endian))

 http://security.debian.org/pool/updates/main/a/asterisk/asterisk-gtk-console_1.0.7.dfsg.1-2sarge6_mipsel.deb
   Size/MD5 checksum:    29970 982ca3d10deced2bd6840fcd57f454e3
 http://security.debian.org/pool/updates/main/a/asterisk/asterisk-h323_1.0.7.dfsg.1-2sarge6_mipsel.deb
   Size/MD5 checksum:    22046 81aea013d81cc8221cc8a6a5ce9bf3fc
 http://security.debian.org/pool/updates/main/a/asterisk/asterisk_1.0.7.dfsg.1-2sarge6_mipsel.deb
   Size/MD5 checksum:  1271080 d65c1225c68b7dd66094084b9114f2d1

powerpc architecture (PowerPC)

 http://security.debian.org/pool/updates/main/a/asterisk/asterisk_1.0.7.dfsg.1-2sarge6_powerpc.deb
   Size/MD5 checksum:  1422816 b463ee475325b5cf149b70d428525ffc
 http://security.debian.org/pool/updates/main/a/asterisk/asterisk-h323_1.0.7.dfsg.1-2sarge6_powerpc.deb
   Size/MD5 checksum:    22048 3b5dd6f2ff7fb45e7f17cb335fcbcfa3
 http://security.debian.org/pool/updates/main/a/asterisk/asterisk-gtk-console_1.0.7.dfsg.1-2sarge6_powerpc.deb
   Size/MD5 checksum:    31768 12ae4e4e62b76af4fda589e23d9b1feb

s390 architecture (IBM S/390)

 http://security.debian.org/pool/updates/main/a/asterisk/asterisk_1.0.7.dfsg.1-2sarge6_s390.deb
   Size/MD5 checksum:  1313296 76be9c71e1ea8b333d4fa3a3288befbf
 http://security.debian.org/pool/updates/main/a/asterisk/asterisk-h323_1.0.7.dfsg.1-2sarge6_s390.deb
   Size/MD5 checksum:    22046 12e91803d4abc7b796c8ce84ae8a036d
 http://security.debian.org/pool/updates/main/a/asterisk/asterisk-gtk-console_1.0.7.dfsg.1-2sarge6_s390.deb
   Size/MD5 checksum:    31452 b176db899110dcf960d39e995ac554a3

sparc architecture (Sun SPARC/UltraSPARC)

 http://security.debian.org/pool/updates/main/a/asterisk/asterisk-gtk-console_1.0.7.dfsg.1-2sarge6_sparc.deb
   Size/MD5 checksum:    30428 332ef000a128111344360c7f2c8c8d24
 http://security.debian.org/pool/updates/main/a/asterisk/asterisk-h323_1.0.7.dfsg.1-2sarge6_sparc.deb
   Size/MD5 checksum:    22050 ec745f87b6fb7d858d8f975d8f55dd30
 http://security.debian.org/pool/updates/main/a/asterisk/asterisk_1.0.7.dfsg.1-2sarge6_sparc.deb
   Size/MD5 checksum:  1275162 4ba784cdb44193991fc5d69e3eb6b59c

Debian (stable)
- ---------------

Stable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.

Source archives:

 http://security.debian.org/pool/updates/main/a/asterisk/asterisk_1.2.13~dfsg-2etch2.dsc
   Size/MD5 checksum:     1488 5bc27dcf0a82a73e8a79ad78b17277aa
 http://security.debian.org/pool/updates/main/a/asterisk/asterisk_1.2.13~dfsg.orig.tar.gz
   Size/MD5 checksum:  3835589 f8ee088b2e4feffe2b35d78079f90b69
 http://security.debian.org/pool/updates/main/a/asterisk/asterisk_1.2.13~dfsg-2etch2.diff.gz
   Size/MD5 checksum:   179646 5d5d4999c1cbd810b7aa9bb2ed89967d

Architecture independent packages:

 http://security.debian.org/pool/updates/main/a/asterisk/asterisk-dev_1.2.13~dfsg-2etch2_all.deb
   Size/MD5 checksum:   169978 7bcb107cd321b2649bf2638088a8f7f7
 http://security.debian.org/pool/updates/main/a/asterisk/asterisk_1.2.13~dfsg-2etch2_all.deb
   Size/MD5 checksum:   146506 a73171bc89be77d7d66fa86aee7ce521
 http://security.debian.org/pool/updates/main/a/asterisk/asterisk-doc_1.2.13~dfsg-2etch2_all.deb
   Size/MD5 checksum:  1499934 3a7d5bc17573ecb07432ebac20247d00
 http://security.debian.org/pool/updates/main/a/asterisk/asterisk-sounds-main_1.2.13~dfsg-2etch2_all.deb
   Size/MD5 checksum:  1504618 2523347e9ce20b9f83616c4a51507b0d
 http://security.debian.org/pool/updates/main/a/asterisk/asterisk-web-vmail_1.2.13~dfsg-2etch2_all.deb
   Size/MD5 checksum:    73776 cd61cec42645c392fa4daa6fee0f3a7b
 http://security.debian.org/pool/updates/main/a/asterisk/asterisk-config_1.2.13~dfsg-2etch2_all.deb
   Size/MD5 checksum:   131684 f9e7c93285e12f5cbb3665a130f39750

alpha architecture (DEC Alpha)

 http://security.debian.org/pool/updates/main/a/asterisk/asterisk-h323_1.2.13~dfsg-2etch2_alpha.deb
   Size/MD5 checksum:   136988 f2c7839a68c5ec1ea803fb3f49cfd939
 http://security.debian.org/pool/updates/main/a/asterisk/asterisk-bristuff_1.2.13~dfsg-2etch2_alpha.deb
   Size/MD5 checksum:  1934250 3925790d7f8397680da3bd0b805cff84
 http://security.debian.org/pool/updates/main/a/asterisk/asterisk-classic_1.2.13~dfsg-2etch2_alpha.deb
   Size/MD5 checksum:  1897664 40a01e3530bb95b00eaccb522e7fbb2d

amd64 architecture (AMD x86_64 (AMD64))

 http://security.debian.org/pool/updates/main/a/asterisk/asterisk-h323_1.2.13~dfsg-2etch2_amd64.deb
   Size/MD5 checksum:   133208 c5a4da5c660f6f2d10c5dfc28db3bdae
 http://security.debian.org/pool/updates/main/a/asterisk/asterisk-bristuff_1.2.13~dfsg-2etch2_amd64.deb
   Size/MD5 checksum:  1779438 6d02381aac4b47d49ad78bdfc1322f2e
 http://security.debian.org/pool/updates/main/a/asterisk/asterisk-classic_1.2.13~dfsg-2etch2_amd64.deb
   Size/MD5 checksum:  1744402 c79f28ee28ea91c22fa70a261464f6e0

arm architecture (ARM)

 http://security.debian.org/pool/updates/main/a/asterisk/asterisk-classic_1.2.13~dfsg-2etch2_arm.deb
   Size/MD5 checksum:  1667594 e1461ab8028dda720c70a4c9122380a6
 http://security.debian.org/pool/updates/main/a/asterisk/asterisk-h323_1.2.13~dfsg-2etch2_arm.deb
   Size/MD5 checksum:   136364 b317f608dfe36d7c3b4c57b47922b08a
 http://security.debian.org/pool/updates/main/a/asterisk/asterisk-bristuff_1.2.13~dfsg-2etch2_arm.deb
   Size/MD5 checksum:  1700884 5c247f91c863f70d7f1d7c55cecc7944

hppa architecture (HP PA RISC)

 http://security.debian.org/pool/updates/main/a/asterisk/asterisk-bristuff_1.2.13~dfsg-2etch2_hppa.deb
   Size/MD5 checksum:  1869254 ddfd48013d5b55c1c29c3c261c07ba9d
 http://security.debian.org/pool/updates/main/a/asterisk/asterisk-h323_1.2.13~dfsg-2etch2_hppa.deb
   Size/MD5 checksum:   145166 d3ddaf5fdb652e7e17a6ed9987c212cf
 http://security.debian.org/pool/updates/main/a/asterisk/asterisk-classic_1.2.13~dfsg-2etch2_hppa.deb
   Size/MD5 checksum:  1830482 0d2310cb2e78f3cfafc85d5ac95156f2

i386 architecture (Intel ia32)

 http://security.debian.org/pool/updates/main/a/asterisk/asterisk-classic_1.2.13~dfsg-2etch2_i386.deb
   Size/MD5 checksum:  1615842 e1bd13a9e3f86a0f8a1d0ffa941ea2f0
 http://security.debian.org/pool/updates/main/a/asterisk/asterisk-h323_1.2.13~dfsg-2etch2_i386.deb
   Size/MD5 checksum:   130902 13682de2a18935813a5899bb203f3341
 http://security.debian.org/pool/updates/main/a/asterisk/asterisk-bristuff_1.2.13~dfsg-2etch2_i386.deb
   Size/MD5 checksum:  1649108 d8370ac6b5b6768cdcd9a89a9e5435d3

mips architecture (MIPS (Big Endian))

 http://security.debian.org/pool/updates/main/a/asterisk/asterisk-bristuff_1.2.13~dfsg-2etch2_mips.deb
   Size/MD5 checksum:  1694384 eebce4382cb4d77fd3d6e7016b485be0
 http://security.debian.org/pool/updates/main/a/asterisk/asterisk-h323_1.2.13~dfsg-2etch2_mips.deb
   Size/MD5 checksum:   129960 366db74d022a19358ebd8a417f5735e1
 http://security.debian.org/pool/updates/main/a/asterisk/asterisk-classic_1.2.13~dfsg-2etch2_mips.deb
   Size/MD5 checksum:  1661822 674635501bfd694c16e169ee5a5f4ef3

mipsel architecture (MIPS (Little Endian))

 http://security.debian.org/pool/updates/main/a/asterisk/asterisk-classic_1.2.13~dfsg-2etch2_mipsel.deb
   Size/MD5 checksum:  1663344 1b6ba1daed2ff8bc81ac20a710cb2ee5
 http://security.debian.org/pool/updates/main/a/asterisk/asterisk-bristuff_1.2.13~dfsg-2etch2_mipsel.deb
   Size/MD5 checksum:  1695762 fa651e7dada470b7704a433069ca52fd
 http://security.debian.org/pool/updates/main/a/asterisk/asterisk-h323_1.2.13~dfsg-2etch2_mipsel.deb
   Size/MD5 checksum:   129642 20765826499d3a70cdd24685beff94d3

powerpc architecture (PowerPC)

 http://security.debian.org/pool/updates/main/a/asterisk/asterisk-bristuff_1.2.13~dfsg-2etch2_powerpc.deb
   Size/MD5 checksum:  1863288 7d0c03b1bee1a65baca621f9486737f3
 http://security.debian.org/pool/updates/main/a/asterisk/asterisk-h323_1.2.13~dfsg-2etch2_powerpc.deb
   Size/MD5 checksum:   133018 b322ad1ee9cffad5264b2182ef843e77
 http://security.debian.org/pool/updates/main/a/asterisk/asterisk-classic_1.2.13~dfsg-2etch2_powerpc.deb
   Size/MD5 checksum:  1824944 8aa09064033e526f86cd9fa4c99bd4ff

s390 architecture (IBM S/390)

 http://security.debian.org/pool/updates/main/a/asterisk/asterisk-h323_1.2.13~dfsg-2etch2_s390.deb
   Size/MD5 checksum:   136542 d344d2500a3ae56204a7df49fde483f5
 http://security.debian.org/pool/updates/main/a/asterisk/asterisk-bristuff_1.2.13~dfsg-2etch2_s390.deb
   Size/MD5 checksum:  1780086 7334a3e2feb674c36c9047ead63f9caf
 http://security.debian.org/pool/updates/main/a/asterisk/asterisk-classic_1.2.13~dfsg-2etch2_s390.deb
   Size/MD5 checksum:  1744120 29ded42531751723b0b9ce18f9f4315d

sparc architecture (Sun SPARC/UltraSPARC)

 http://security.debian.org/pool/updates/main/a/asterisk/asterisk-h323_1.2.13~dfsg-2etch2_sparc.deb
   Size/MD5 checksum:   132140 b88c46102c3fa6e3e0984efa51e57e64
 http://security.debian.org/pool/updates/main/a/asterisk/asterisk-bristuff_1.2.13~dfsg-2etch2_sparc.deb
   Size/MD5 checksum:  1663704 8162cd98c1628bdf2a61a37099f43f30
 http://security.debian.org/pool/updates/main/a/asterisk/asterisk-classic_1.2.13~dfsg-2etch2_sparc.deb
   Size/MD5 checksum:  1631588 5fbbc2ab0bae1f4549d0186280ce170e


 These files will probably be moved into the stable distribution on
 its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show ' and http://packages.debian.org/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFHUp85Xm3vHE4uyloRAsTXAJ4uP19dVvidyti04d/W8ofTTHXrYwCcC6jN
hCe2TE4FFKOd3i2mReZa4TI=
=FbEr
-----END PGP SIGNATURE-----

[add comment]

 Referenced projects

Asterisk - An Open Source PBX for Linux.



© Copyright 2008 SourceForge, Inc., All Rights Reserved.
About freshmeat.net •  Privacy Statement •  Terms of Use •  Trademark Guidelines •  Advertise •  Contact Us • 
ThinkGeek •  Slashdot  •  ITMJ •  Linux.com •  NewsForge  •  SourceForge.net  •  Surveys •  Jobs •  PriceGrabber