Subject: pkg/33738: Asterisk in pkgsrc is old and has a security vulnerability.
To: None <pkg-manager@netbsd.org, gnats-admin@netbsd.org>
From: None <dave@turbocat.de>
List: pkgsrc-bugs
Date: 06/15/2006 12:50:00
>Number:         33738
>Category:       pkg
>Synopsis:       Asterisk in pkgsrc is old and has a security vulnerability.
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    pkg-manager
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Thu Jun 15 12:50:00 +0000 2006
>Originator:     David Wetzel
>Release:        3.0
>Organization:
Turbocat's Development
>Environment:
All
>Description:
See http://www.asterisk.org/node/95

The Asterisk Development Team today released Asterisk 1.2.9.1 and Asterisk 1.0.11.1 to address a security vulnerability in the IAX2 channel driver (chan_iax2). The vulnerability affects all users with IAX2 clients that might be compromised or used by a malicious user, and can lead to denial of service attacks and random Asterisk server crashes via a relatively trivial exploit.

All users are urged to upgrade as soon as they can practically do so, or ensure that they don't expose IAX2 services to the public if it is not necessary.

>How-To-Repeat:
Please upgrade the Asterisk version in pkgsrc.

>Fix:
Please upgrade the Asterisk version in pkgsrc.