[Bug 956578] Re: Remote crash vulnerability in SIP channel driver
Launchpad Bug Tracker
956578 at bugs.launchpad.net
Tue Apr 24 12:41:06 UTC 2012
This bug was fixed in the package asterisk - 1:1.8.10.1~dfsg-1ubuntu1
---------------
asterisk (1:1.8.10.1~dfsg-1ubuntu1) precise; urgency=low
* Merge from Debian unstable. (LP: #987772, #956578, #956580, #956581)
* Remaining changes:
- debian/asterisk.init: chown /dev/dahdi
- debian/backports/hardy: add file
- debian/backports/asterisk.init.hardy: add file
- Fix building on armhf with debian/patches/armhf-fixes:
+ Flatten linux-gnueabihf in configure to linux-gnu, in
the same way that's already done for linux-gnueabi
* Changes dropped from Ubuntu delta as no longer applicable:
- debian/patches/backport-r312866.diff: Backported from upstream
- debian/control: Build-depend on hardening-wrapper, now handled
by dpkg-buildflags
- debian/rules: Make use of hardening-wrapper
asterisk (1:1.8.10.1~dfsg-1) unstable; urgency=low
[ Victor Seva ]
* Update backports/squeeze script gmime2.6 -> gmime2.4
[ Tzafrir Cohen ]
* New upstream bug-fix release.
- Fixes "[CVE-2012-1183 - CVE-2012-1184] Asterisk: AST-2012-002 and
AST-2012-003 flaws" (Closes: #664411).
* Patch gmime2.6 (Closes: #663998, #664004), also fixed Build-Depends.
* Remove the text of RFC 3951 from the tarball. (Closes: #665937)
asterisk (1:1.8.10.0~dfsg-1) unstable; urgency=low
[ Tzafrir Cohen ]
* New upstream release.
* Build-depend on sqlite3 as well (Closes: #531759).
[ Paul Belanger ]
* debian/patch/chan_iax2-detach-thread-on-non-stop-exit:
- Dropped; merged upstream
[ Mark Purcell ]
* New Release:
- Fixes "SHA-1 code is doesn't allow modification" (Closes: #643703)
- Fixes "Placing calls on hold fails with some IP phones" (Closes: #632518)
- Fixes "Pass the correct value to ast_timer_set_rate() for IAX2
trunking." (Closes: #661974)
- Fixes "Call quality on IAX significantly worse than SIP" (Closes: #481702)
- Fixes "New upstream release: 1.8.2.2" (Closes: #610811)
- Fixes "asterisk german number pronunciation" (Closes: #402991)
- Fixes "Why using version 1.6.2.9 - it's not LTS" (Closes: #612147)
- Fixes "SRTP/ZRTP support for Asterisk" (Closes: #577686)
- Fixes "fails to register SIP channels on ARM" (Closes: #660240)
* export CFLAGS LDFLAGS
- Fixes "Hardening flags missing for menuselect" (Closes: #664086)
- Fixes "enable hardening options" (Closes: #542741)
asterisk (1:1.8.8.2~dfsg-1) unstable; urgency=high
* New upstream release, fixes AST-2012-001 (Closes: #656596).
* Use CFLAGS and LDFLAGS from dpkg-buildflags (Closes: #653944).
asterisk (1:1.8.8.0~dfsg-1) unstable; urgency=high
[ Faidon Liambotis ]
* Fix Breaks/Conflicts to contain the epoch.
* Urgency high since this resulted in file conflicts when upgrading from
stable.
* Patch reenable-pri-optional: Backport a patch from upstream to fix
several PRI features being compiled-out and hence disabled.
* Bump libpri-dev dependency to 1.4.12; it is not strictly needed but extra
functionality is enabled at build-time.
[ Tzafrir Cohen ]
* New upstream release. Closes: #651552.
- Patch reenable-pri-optional dropped: included upstream.
* Officially remove asterisk-h323:
- Break older versions, as it did not have a versioned Depends before.
- Remove the package.
* Update watch file to only check for 1.8.x tarballs.
* Quote paths in postinst script: Closes: #656208 (Pocos).
asterisk (1:1.8.7.1~dfsg-2) unstable; urgency=low
* libncurses is a build dep after all (Closes: #649431).
asterisk (1:1.8.7.1~dfsg-1) unstable; urgency=high
[ Tzafrir Cohen ]
* New upstream release (Closes: #647252):
- Patch refix_bashism removed: applied upstream.
- Patch openssl10 removed: applied upstream.
- Patch gmime-2.4 removed: applied upstream.
- Patch gcc46 removed - was a backport from upstream.
* Disable chan_h323: broken with current h323plus, and not loved by
upstream.
* Patch chan_iax2-detach-thread-on-non-stop-exit: Hopefully plugs a
memory leak.
* Patch reinclude_docs: a copy of the included documentation that was
removed.
* Patch sparc32_disable: Remove pointless optimization for sparc64
[ Paul Belanger ]
* Bump libpri-dev to 1.4.11.
* Ensure sub-packages with asterisk modules are the same version as the
binary.
-- Andrew Mitchell <ajmitch at ubuntu.com> Tue, 24 Apr 2012 22:15:54 +1200
** Changed in: asterisk (Ubuntu)
Status: Confirmed => Fix Released
** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2012-1183
** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2012-1184
--
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to asterisk in Ubuntu.
https://bugs.launchpad.net/bugs/956578
Title:
Remote crash vulnerability in SIP channel driver
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/asterisk/+bug/956578/+subscriptions