Date: Fri, 20 Jan 2012 16:46:42 +0100 From: Jan Lieskovsky <jlieskov@...hat.com> To: "Steven M. Christey" <coley@...us.mitre.org> CC: oss-security@...ts.openwall.com, Joshua Colp <jcolp@...ium.com> Subject: CVE Request -- Asterisk AST-2012-001 / Remote DoS while processing crypto line for media stream with non-existing RTP Hello Kurt, Steve, vendors, a denial of service flaw was found in the way asterisk processed certain requests to negotiate secure video stream, when the res_srtp Asterisk module has been loaded and video support has not been enabled. A remote attacker could provide a specially-crafted media stream negotiation request, which once processed by Asterisk would lead to asterisk daemon crash by processing crypto line for such media stream. References:  http://downloads.asterisk.org/pub/security/AST-2012-001.html  https://issues.asterisk.org/jira/browse/ASTERISK-19202  https://bugzilla.redhat.com/show_bug.cgi?id=783487 Upstream patch against the v1.8.x branch:  http://downloads.asterisk.org/pub/security/AST-2012-001-1.8.diff Upstream patch against the v1.10.x branch:  http://downloads.asterisk.org/pub/security/AST-2012-001-10.diff Could you allocate a CVE identifier for this? Thank you && Regards, Jan. -- Jan iankko Lieskovsky / Red Hat Security Response Team
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.