Debian: New asterisk packages fix SQL injection

    Date02 Dec 2007
    CategoryDebian
    4805
    Posted ByLinuxSecurity Advisories
    Tilghman Lesher discovered that the logging engine of Asterisk, a free software PBX and telephony toolkit performs insufficient sanitising of call-related data, which may lead to SQL injection.
    - ------------------------------------------------------------------------
    Debian Security Advisory DSA-1417-1                  This email address is being protected from spambots. You need JavaScript enabled to view it.
    http://www.debian.org/security/                       Moritz Muehlenhoff
    December 02, 2007                     http://www.debian.org/security/faq
    - ------------------------------------------------------------------------
    
    Package        : asterisk
    Vulnerability  : missing input sanitising
    Problem type   : remote
    Debian-specific: no
    CVE Id(s)      : CVE-2007-6170
    
    Tilghman Lesher discovered that the logging engine of Asterisk, a free
    software PBX and telephony toolkit performs insufficient sanitising of
    call-related data, which may lead to SQL injection.
    
    For the stable distribution (etch), this problem has been fixed in
    version 1:1.2.13~dfsg-2etch2. Updated packages for ia64 will be provided
    later.
    
    For the old stable distribution (sarge), this problem has been fixed
    in version asterisk 1:1.0.7.dfsg.1-2sarge6.
    
    We recommend that you upgrade your asterisk packages.
    
    Upgrade instructions
    - --------------------
    
    wget url
            will fetch the file for you
    dpkg -i file.deb
            will install the referenced file.
    
    If you are using the apt-get package manager, use the line for
    sources.list as given below:
    
    apt-get update
            will update the internal database
    apt-get upgrade
            will install corrected packages
    
    You may use an automated update by adding the resources from the
    footer to the proper configuration.
    
    
    Debian 3.1 (oldstable)
    - ----------------------
    
    Oldstable updates are available for alpha, amd64, arm, hppa, i386, ia64, m68k, mips, mipsel, powerpc, s390 and sparc.
    
    Source archives:
    
      http://security.debian.org/pool/updates/main/a/asterisk/asterisk_1.0.7.dfsg.1-2sarge6.diff.gz
        Size/MD5 checksum:    73711 44d028cde298e8f7b284f1e5f23e282b
      http://security.debian.org/pool/updates/main/a/asterisk/asterisk_1.0.7.dfsg.1.orig.tar.gz
        Size/MD5 checksum:  2929488 0d0f718ccd7a06ab998c3f637df294c0
      http://security.debian.org/pool/updates/main/a/asterisk/asterisk_1.0.7.dfsg.1-2sarge6.dsc
        Size/MD5 checksum:     1299 cba7066ff71b2ff473008c93a834094b
    
    Architecture independent packages:
    
      http://security.debian.org/pool/updates/main/a/asterisk/asterisk-sounds-main_1.0.7.dfsg.1-2sarge6_all.deb
        Size/MD5 checksum:  1180744 5991109424e0f9e1dbdb7f5638085591
      http://security.debian.org/pool/updates/main/a/asterisk/asterisk-doc_1.0.7.dfsg.1-2sarge6_all.deb
        Size/MD5 checksum:  1578186 efebc4a9928065b0c559539000e5e71f
      http://security.debian.org/pool/updates/main/a/asterisk/asterisk-dev_1.0.7.dfsg.1-2sarge6_all.deb
        Size/MD5 checksum:    83976 013903b5a38c5813811587fb638514fb
      http://security.debian.org/pool/updates/main/a/asterisk/asterisk-web-vmail_1.0.7.dfsg.1-2sarge6_all.deb
        Size/MD5 checksum:    28968 9df0fbd4b3a8d909aaf0cf265881ea58
      http://security.debian.org/pool/updates/main/a/asterisk/asterisk-config_1.0.7.dfsg.1-2sarge6_all.deb
        Size/MD5 checksum:    62190 d5a4064aa448829ea30efdc8b0728704
    
    alpha architecture (DEC Alpha)
    
      http://security.debian.org/pool/updates/main/a/asterisk/asterisk_1.0.7.dfsg.1-2sarge6_alpha.deb
        Size/MD5 checksum:  1503330 19cf64b0500b5f32d5d7fabbedff844f
      http://security.debian.org/pool/updates/main/a/asterisk/asterisk-gtk-console_1.0.7.dfsg.1-2sarge6_alpha.deb
        Size/MD5 checksum:    32350 cb51cc369b6af13d30cb89fea320cad2
      http://security.debian.org/pool/updates/main/a/asterisk/asterisk-h323_1.0.7.dfsg.1-2sarge6_alpha.deb
        Size/MD5 checksum:    21768 fcd35799afddc4047249c7e97b2f38cd
    
    amd64 architecture (AMD x86_64 (AMD64))
    
      http://security.debian.org/pool/updates/main/a/asterisk/asterisk-h323_1.0.7.dfsg.1-2sarge6_amd64.deb
        Size/MD5 checksum:    22042 ebb7b2beddb130b8a4c131e054f371e3
      http://security.debian.org/pool/updates/main/a/asterisk/asterisk_1.0.7.dfsg.1-2sarge6_amd64.deb
        Size/MD5 checksum:  1334162 ed16172e3931d0068b2501b851645156
      http://security.debian.org/pool/updates/main/a/asterisk/asterisk-gtk-console_1.0.7.dfsg.1-2sarge6_amd64.deb
        Size/MD5 checksum:    31436 e20a91ebba5f67900bc8b443200f11f6
    
    arm architecture (ARM)
    
      http://security.debian.org/pool/updates/main/a/asterisk/asterisk-gtk-console_1.0.7.dfsg.1-2sarge6_arm.deb
        Size/MD5 checksum:    30288 d3fed93376c7f4d7bcce1f3709bcb23a
      http://security.debian.org/pool/updates/main/a/asterisk/asterisk-h323_1.0.7.dfsg.1-2sarge6_arm.deb
        Size/MD5 checksum:    22046 8f2c8c14dc0bdd4927d3221bd79afe8c
      http://security.debian.org/pool/updates/main/a/asterisk/asterisk_1.0.7.dfsg.1-2sarge6_arm.deb
        Size/MD5 checksum:  1285322 48c3e537c9092b0e13bf024fa280f08a
    
    hppa architecture (HP PA RISC)
    
      http://security.debian.org/pool/updates/main/a/asterisk/asterisk-h323_1.0.7.dfsg.1-2sarge6_hppa.deb
        Size/MD5 checksum:    22044 8e75a899a7b963e3cc6a777692203757
      http://security.debian.org/pool/updates/main/a/asterisk/asterisk-gtk-console_1.0.7.dfsg.1-2sarge6_hppa.deb
        Size/MD5 checksum:    32078 e8ed693449fc423177ad9ed194d37e27
      http://security.debian.org/pool/updates/main/a/asterisk/asterisk_1.0.7.dfsg.1-2sarge6_hppa.deb
        Size/MD5 checksum:  1448902 1497b1c6497658696d293ba3f39d4525
    
    i386 architecture (Intel ia32)
    
      http://security.debian.org/pool/updates/main/a/asterisk/asterisk-gtk-console_1.0.7.dfsg.1-2sarge6_i386.deb
        Size/MD5 checksum:    30464 a0a8a5d35dd06ed8be8af8acdc98f736
      http://security.debian.org/pool/updates/main/a/asterisk/asterisk-h323_1.0.7.dfsg.1-2sarge6_i386.deb
        Size/MD5 checksum:    22044 ecae3e71a92c4f01b1a6ead8e97924a7
      http://security.debian.org/pool/updates/main/a/asterisk/asterisk_1.0.7.dfsg.1-2sarge6_i386.deb
        Size/MD5 checksum:  1175934 6cb2fe293e3d2381ee95cbf50644ac44
    
    ia64 architecture (Intel ia64)
    
      http://security.debian.org/pool/updates/main/a/asterisk/asterisk_1.0.7.dfsg.1-2sarge6_ia64.deb
        Size/MD5 checksum:  1772256 87fc47caec0b66f2b0f4f00ddf6daa27
      http://security.debian.org/pool/updates/main/a/asterisk/asterisk-gtk-console_1.0.7.dfsg.1-2sarge6_ia64.deb
        Size/MD5 checksum:    33574 ec8ecec8c3dbb5154404cacb3c3a47a9
      http://security.debian.org/pool/updates/main/a/asterisk/asterisk-h323_1.0.7.dfsg.1-2sarge6_ia64.deb
        Size/MD5 checksum:    22044 e2bb42321d579ba257a77818226e6b69
    
    m68k architecture (Motorola Mc680x0)
    
      http://security.debian.org/pool/updates/main/a/asterisk/asterisk_1.0.7.dfsg.1-2sarge6_m68k.deb
        Size/MD5 checksum:  1185716 6e3fe558a2ec44e05043186991c41093
      http://security.debian.org/pool/updates/main/a/asterisk/asterisk-gtk-console_1.0.7.dfsg.1-2sarge6_m68k.deb
        Size/MD5 checksum:    30820 77b9de99f9f5ad1857568e39f63b8d4c
      http://security.debian.org/pool/updates/main/a/asterisk/asterisk-h323_1.0.7.dfsg.1-2sarge6_m68k.deb
        Size/MD5 checksum:    22054 b069cd54d7252acdd295d59befb820c4
    
    mips architecture (MIPS (Big Endian))
    
      http://security.debian.org/pool/updates/main/a/asterisk/asterisk_1.0.7.dfsg.1-2sarge6_mips.deb
        Size/MD5 checksum:  1264864 469aa61e6d902fffed273f29a2a842f0
      http://security.debian.org/pool/updates/main/a/asterisk/asterisk-h323_1.0.7.dfsg.1-2sarge6_mips.deb
        Size/MD5 checksum:    22052 5b9e306014a84165740901274def6a2c
      http://security.debian.org/pool/updates/main/a/asterisk/asterisk-gtk-console_1.0.7.dfsg.1-2sarge6_mips.deb
        Size/MD5 checksum:    30038 7d61fbba843d52b589f953bb35b73b98
    
    mipsel architecture (MIPS (Little Endian))
    
      http://security.debian.org/pool/updates/main/a/asterisk/asterisk-gtk-console_1.0.7.dfsg.1-2sarge6_mipsel.deb
        Size/MD5 checksum:    29970 982ca3d10deced2bd6840fcd57f454e3
      http://security.debian.org/pool/updates/main/a/asterisk/asterisk-h323_1.0.7.dfsg.1-2sarge6_mipsel.deb
        Size/MD5 checksum:    22046 81aea013d81cc8221cc8a6a5ce9bf3fc
      http://security.debian.org/pool/updates/main/a/asterisk/asterisk_1.0.7.dfsg.1-2sarge6_mipsel.deb
        Size/MD5 checksum:  1271080 d65c1225c68b7dd66094084b9114f2d1
    
    powerpc architecture (PowerPC)
    
      http://security.debian.org/pool/updates/main/a/asterisk/asterisk_1.0.7.dfsg.1-2sarge6_powerpc.deb
        Size/MD5 checksum:  1422816 b463ee475325b5cf149b70d428525ffc
      http://security.debian.org/pool/updates/main/a/asterisk/asterisk-h323_1.0.7.dfsg.1-2sarge6_powerpc.deb
        Size/MD5 checksum:    22048 3b5dd6f2ff7fb45e7f17cb335fcbcfa3
      http://security.debian.org/pool/updates/main/a/asterisk/asterisk-gtk-console_1.0.7.dfsg.1-2sarge6_powerpc.deb
        Size/MD5 checksum:    31768 12ae4e4e62b76af4fda589e23d9b1feb
    
    s390 architecture (IBM S/390)
    
      http://security.debian.org/pool/updates/main/a/asterisk/asterisk_1.0.7.dfsg.1-2sarge6_s390.deb
        Size/MD5 checksum:  1313296 76be9c71e1ea8b333d4fa3a3288befbf
      http://security.debian.org/pool/updates/main/a/asterisk/asterisk-h323_1.0.7.dfsg.1-2sarge6_s390.deb
        Size/MD5 checksum:    22046 12e91803d4abc7b796c8ce84ae8a036d
      http://security.debian.org/pool/updates/main/a/asterisk/asterisk-gtk-console_1.0.7.dfsg.1-2sarge6_s390.deb
        Size/MD5 checksum:    31452 b176db899110dcf960d39e995ac554a3
    
    sparc architecture (Sun SPARC/UltraSPARC)
    
      http://security.debian.org/pool/updates/main/a/asterisk/asterisk-gtk-console_1.0.7.dfsg.1-2sarge6_sparc.deb
        Size/MD5 checksum:    30428 332ef000a128111344360c7f2c8c8d24
      http://security.debian.org/pool/updates/main/a/asterisk/asterisk-h323_1.0.7.dfsg.1-2sarge6_sparc.deb
        Size/MD5 checksum:    22050 ec745f87b6fb7d858d8f975d8f55dd30
      http://security.debian.org/pool/updates/main/a/asterisk/asterisk_1.0.7.dfsg.1-2sarge6_sparc.deb
        Size/MD5 checksum:  1275162 4ba784cdb44193991fc5d69e3eb6b59c
    
    Debian (stable)
    - ---------------
    
    Stable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.
    
    Source archives:
    
      http://security.debian.org/pool/updates/main/a/asterisk/asterisk_1.2.13~dfsg-2etch2.dsc
        Size/MD5 checksum:     1488 5bc27dcf0a82a73e8a79ad78b17277aa
      http://security.debian.org/pool/updates/main/a/asterisk/asterisk_1.2.13~dfsg.orig.tar.gz
        Size/MD5 checksum:  3835589 f8ee088b2e4feffe2b35d78079f90b69
      http://security.debian.org/pool/updates/main/a/asterisk/asterisk_1.2.13~dfsg-2etch2.diff.gz
        Size/MD5 checksum:   179646 5d5d4999c1cbd810b7aa9bb2ed89967d
    
    Architecture independent packages:
    
      http://security.debian.org/pool/updates/main/a/asterisk/asterisk-dev_1.2.13~dfsg-2etch2_all.deb
        Size/MD5 checksum:   169978 7bcb107cd321b2649bf2638088a8f7f7
      http://security.debian.org/pool/updates/main/a/asterisk/asterisk_1.2.13~dfsg-2etch2_all.deb
        Size/MD5 checksum:   146506 a73171bc89be77d7d66fa86aee7ce521
      http://security.debian.org/pool/updates/main/a/asterisk/asterisk-doc_1.2.13~dfsg-2etch2_all.deb
        Size/MD5 checksum:  1499934 3a7d5bc17573ecb07432ebac20247d00
      http://security.debian.org/pool/updates/main/a/asterisk/asterisk-sounds-main_1.2.13~dfsg-2etch2_all.deb
        Size/MD5 checksum:  1504618 2523347e9ce20b9f83616c4a51507b0d
      http://security.debian.org/pool/updates/main/a/asterisk/asterisk-web-vmail_1.2.13~dfsg-2etch2_all.deb
        Size/MD5 checksum:    73776 cd61cec42645c392fa4daa6fee0f3a7b
      http://security.debian.org/pool/updates/main/a/asterisk/asterisk-config_1.2.13~dfsg-2etch2_all.deb
        Size/MD5 checksum:   131684 f9e7c93285e12f5cbb3665a130f39750
    
    alpha architecture (DEC Alpha)
    
      http://security.debian.org/pool/updates/main/a/asterisk/asterisk-h323_1.2.13~dfsg-2etch2_alpha.deb
        Size/MD5 checksum:   136988 f2c7839a68c5ec1ea803fb3f49cfd939
      http://security.debian.org/pool/updates/main/a/asterisk/asterisk-bristuff_1.2.13~dfsg-2etch2_alpha.deb
        Size/MD5 checksum:  1934250 3925790d7f8397680da3bd0b805cff84
      http://security.debian.org/pool/updates/main/a/asterisk/asterisk-classic_1.2.13~dfsg-2etch2_alpha.deb
        Size/MD5 checksum:  1897664 40a01e3530bb95b00eaccb522e7fbb2d
    
    amd64 architecture (AMD x86_64 (AMD64))
    
      http://security.debian.org/pool/updates/main/a/asterisk/asterisk-h323_1.2.13~dfsg-2etch2_amd64.deb
        Size/MD5 checksum:   133208 c5a4da5c660f6f2d10c5dfc28db3bdae
      http://security.debian.org/pool/updates/main/a/asterisk/asterisk-bristuff_1.2.13~dfsg-2etch2_amd64.deb
        Size/MD5 checksum:  1779438 6d02381aac4b47d49ad78bdfc1322f2e
      http://security.debian.org/pool/updates/main/a/asterisk/asterisk-classic_1.2.13~dfsg-2etch2_amd64.deb
        Size/MD5 checksum:  1744402 c79f28ee28ea91c22fa70a261464f6e0
    
    arm architecture (ARM)
    
      http://security.debian.org/pool/updates/main/a/asterisk/asterisk-classic_1.2.13~dfsg-2etch2_arm.deb
        Size/MD5 checksum:  1667594 e1461ab8028dda720c70a4c9122380a6
      http://security.debian.org/pool/updates/main/a/asterisk/asterisk-h323_1.2.13~dfsg-2etch2_arm.deb
        Size/MD5 checksum:   136364 b317f608dfe36d7c3b4c57b47922b08a
      http://security.debian.org/pool/updates/main/a/asterisk/asterisk-bristuff_1.2.13~dfsg-2etch2_arm.deb
        Size/MD5 checksum:  1700884 5c247f91c863f70d7f1d7c55cecc7944
    
    hppa architecture (HP PA RISC)
    
      http://security.debian.org/pool/updates/main/a/asterisk/asterisk-bristuff_1.2.13~dfsg-2etch2_hppa.deb
        Size/MD5 checksum:  1869254 ddfd48013d5b55c1c29c3c261c07ba9d
      http://security.debian.org/pool/updates/main/a/asterisk/asterisk-h323_1.2.13~dfsg-2etch2_hppa.deb
        Size/MD5 checksum:   145166 d3ddaf5fdb652e7e17a6ed9987c212cf
      http://security.debian.org/pool/updates/main/a/asterisk/asterisk-classic_1.2.13~dfsg-2etch2_hppa.deb
        Size/MD5 checksum:  1830482 0d2310cb2e78f3cfafc85d5ac95156f2
    
    i386 architecture (Intel ia32)
    
      http://security.debian.org/pool/updates/main/a/asterisk/asterisk-classic_1.2.13~dfsg-2etch2_i386.deb
        Size/MD5 checksum:  1615842 e1bd13a9e3f86a0f8a1d0ffa941ea2f0
      http://security.debian.org/pool/updates/main/a/asterisk/asterisk-h323_1.2.13~dfsg-2etch2_i386.deb
        Size/MD5 checksum:   130902 13682de2a18935813a5899bb203f3341
      http://security.debian.org/pool/updates/main/a/asterisk/asterisk-bristuff_1.2.13~dfsg-2etch2_i386.deb
        Size/MD5 checksum:  1649108 d8370ac6b5b6768cdcd9a89a9e5435d3
    
    mips architecture (MIPS (Big Endian))
    
      http://security.debian.org/pool/updates/main/a/asterisk/asterisk-bristuff_1.2.13~dfsg-2etch2_mips.deb
        Size/MD5 checksum:  1694384 eebce4382cb4d77fd3d6e7016b485be0
      http://security.debian.org/pool/updates/main/a/asterisk/asterisk-h323_1.2.13~dfsg-2etch2_mips.deb
        Size/MD5 checksum:   129960 366db74d022a19358ebd8a417f5735e1
      http://security.debian.org/pool/updates/main/a/asterisk/asterisk-classic_1.2.13~dfsg-2etch2_mips.deb
        Size/MD5 checksum:  1661822 674635501bfd694c16e169ee5a5f4ef3
    
    mipsel architecture (MIPS (Little Endian))
    
      http://security.debian.org/pool/updates/main/a/asterisk/asterisk-classic_1.2.13~dfsg-2etch2_mipsel.deb
        Size/MD5 checksum:  1663344 1b6ba1daed2ff8bc81ac20a710cb2ee5
      http://security.debian.org/pool/updates/main/a/asterisk/asterisk-bristuff_1.2.13~dfsg-2etch2_mipsel.deb
        Size/MD5 checksum:  1695762 fa651e7dada470b7704a433069ca52fd
      http://security.debian.org/pool/updates/main/a/asterisk/asterisk-h323_1.2.13~dfsg-2etch2_mipsel.deb
        Size/MD5 checksum:   129642 20765826499d3a70cdd24685beff94d3
    
    powerpc architecture (PowerPC)
    
      http://security.debian.org/pool/updates/main/a/asterisk/asterisk-bristuff_1.2.13~dfsg-2etch2_powerpc.deb
        Size/MD5 checksum:  1863288 7d0c03b1bee1a65baca621f9486737f3
      http://security.debian.org/pool/updates/main/a/asterisk/asterisk-h323_1.2.13~dfsg-2etch2_powerpc.deb
        Size/MD5 checksum:   133018 b322ad1ee9cffad5264b2182ef843e77
      http://security.debian.org/pool/updates/main/a/asterisk/asterisk-classic_1.2.13~dfsg-2etch2_powerpc.deb
        Size/MD5 checksum:  1824944 8aa09064033e526f86cd9fa4c99bd4ff
    
    s390 architecture (IBM S/390)
    
      http://security.debian.org/pool/updates/main/a/asterisk/asterisk-h323_1.2.13~dfsg-2etch2_s390.deb
        Size/MD5 checksum:   136542 d344d2500a3ae56204a7df49fde483f5
      http://security.debian.org/pool/updates/main/a/asterisk/asterisk-bristuff_1.2.13~dfsg-2etch2_s390.deb
        Size/MD5 checksum:  1780086 7334a3e2feb674c36c9047ead63f9caf
      http://security.debian.org/pool/updates/main/a/asterisk/asterisk-classic_1.2.13~dfsg-2etch2_s390.deb
        Size/MD5 checksum:  1744120 29ded42531751723b0b9ce18f9f4315d
    
    sparc architecture (Sun SPARC/UltraSPARC)
    
      http://security.debian.org/pool/updates/main/a/asterisk/asterisk-h323_1.2.13~dfsg-2etch2_sparc.deb
        Size/MD5 checksum:   132140 b88c46102c3fa6e3e0984efa51e57e64
      http://security.debian.org/pool/updates/main/a/asterisk/asterisk-bristuff_1.2.13~dfsg-2etch2_sparc.deb
        Size/MD5 checksum:  1663704 8162cd98c1628bdf2a61a37099f43f30
      http://security.debian.org/pool/updates/main/a/asterisk/asterisk-classic_1.2.13~dfsg-2etch2_sparc.deb
        Size/MD5 checksum:  1631588 5fbbc2ab0bae1f4549d0186280ce170e
    
    
      These files will probably be moved into the stable distribution on
      its next update.
    
    - ---------------------------------------------------------------------------------
    For apt-get: deb http://security.debian.org/ stable/updates main
    For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
    Mailing list: This email address is being protected from spambots. You need JavaScript enabled to view it.
    
    You are not authorised to post comments.

    Comments powered by CComment

    LinuxSecurity Poll

    What do you think of the articles on LinuxSecurity?

    No answer selected. Please try again.
    Please select either existing option or enter your own, however not both.
    Please select minimum 0 answer(s) and maximum 3 answer(s).
    /main-polls/24-what-do-you-think-of-the-quality-of-the-articles-on-linuxsecurity?task=poll.vote&format=json
    24
    radio
    [{"id":"87","title":"Excellent, don't change a thing!","votes":"7","type":"x","order":"1","pct":58.33,"resources":[]},{"id":"88","title":"Should be more technical","votes":"3","type":"x","order":"2","pct":25,"resources":[]},{"id":"89","title":"Should include more HOWTOs","votes":"2","type":"x","order":"3","pct":16.67,"resources":[]}]["#ff5b00","#4ac0f2","#b80028","#eef66c","#60bb22","#b96a9a","#62c2cc"]["rgba(255,91,0,0.7)","rgba(74,192,242,0.7)","rgba(184,0,40,0.7)","rgba(238,246,108,0.7)","rgba(96,187,34,0.7)","rgba(185,106,154,0.7)","rgba(98,194,204,0.7)"]350
    bottom200

    We use cookies to provide and improve our services. By using our site, you consent to our Cookie Policy.