Advisories » MGASA-2013-0266

Updated asterisk package fixes security vulnerabilities

Publication date: 30 Aug 2013
Modification date: 30 Aug 2013
Type: security
Affected Mageia releases: 3
CVE: CVE-2013-5641, CVE-2013-5642

Description

A remotely exploitable crash vulnerability exists in the SIP channel
driver if an ACK with SDP is received after the channel has been
terminated. The handling code incorrectly assumes that the channel
will always be present (CVE-2013-5641).

A remotely exploitable crash vulnerability exists in the SIP channel
driver if an invalid SDP is sent in a SIP request that defines media
descriptions before connection information. The handling code
incorrectly attempts to reference the socket address information even
though that information has not yet been set (CVE-2013-5642).
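
An added illustration of the CVE-2013-5642 failure mode (not Asterisk's code or its fix): a C pre-check that rejects an SDP body in which a media description has no connection information to draw on, so no address is read before it is set. The function name, return codes and sample bodies are assumptions made for this example; the rule enforced is RFC 4566's requirement that "c=" appear at session level or in every media description.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

enum { SDP_OK = 0, SDP_NO_CONNECTION = -1 };  /* hypothetical return codes */

/* Hypothetical pre-check, not Asterisk code: every media description ("m=")
 * must have connection information ("c=") from the session level or from
 * its own media section, as RFC 4566 requires, before any address is used. */
int sdp_check(const char *sdp)
{
    bool session_c = false;  /* c= seen before the first m= */
    bool in_media = false;   /* inside a media section */
    bool media_c = false;    /* c= seen inside the current media section */

    for (const char *p = sdp; *p; ) {
        size_t len = strcspn(p, "\r\n");
        if (len >= 2 && p[1] == '=') {
            if (p[0] == 'm') {
                /* The previous media section ends here; it needs an address. */
                if (in_media && !media_c && !session_c)
                    return SDP_NO_CONNECTION;
                in_media = true;
                media_c = false;
            } else if (p[0] == 'c') {
                if (in_media) media_c = true; else session_c = true;
            }
        }
        p += len;
        p += strspn(p, "\r\n");  /* skip CR/LF, including blank lines */
    }
    return (in_media && !media_c && !session_c) ? SDP_NO_CONNECTION : SDP_OK;
}

int main(void)
{
    /* Constructed sample bodies (documentation address range). */
    const char *ok  = "v=0\r\ns=-\r\nc=IN IP4 192.0.2.1\r\nt=0 0\r\n"
                      "m=audio 49170 RTP/AVP 0\r\n";
    const char *bad = "v=0\r\ns=-\r\nt=0 0\r\nm=audio 49170 RTP/AVP 0\r\n";
    printf("ok=%d bad=%d\n", sdp_check(ok), sdp_check(bad));
    return 0;
}
```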

References

SRPMS

3/core