CVE-2008-1923
Published: 23 April 2008
The IAX2 channel driver (chan_iax2) in Asterisk 1.2 before revision 72630 and 1.4 before revision 65679, when configured to allow unauthenticated calls, sends "early audio" to an unverified source IP address of a NEW message, which allows remote attackers to cause a denial of service (traffic amplification) via a spoofed NEW message.
Notes
Author | Note |
---|---|
mdeslaur | fix was incomplete, see CVE-2008-1897 |
Priority
Status
Package | Release | Status |
---|---|---|
asterisk Launchpad, Ubuntu, Debian | dapper | Ignored (end of life) |
asterisk | feisty | Ignored (end of life, was needed) |
asterisk | gutsy | Ignored (end of life, was needed) |
asterisk | hardy | Not vulnerable (1:1.4.17~dfsg-2ubuntu1) |
asterisk | intrepid | Not vulnerable (1:1.4.21.2~dfsg-1ubuntu3) |
asterisk | jaunty | Not vulnerable (1:1.4.21.2~dfsg-3ubuntu2) |
asterisk | karmic | Not vulnerable (1:1.4.21.2~dfsg-3ubuntu2) |
asterisk | upstream | Needs triage |

Patches: upstream: http://lists.digium.com/pipermail/asterisk-commits/2007-May/013260.html