Mageia alert MGASA-2013-0266 (asterisk)

From:  Mageia Updates <buildsystem-daemon@mageia.org>
To:  updates-announce@ml.mageia.org
Subject:  [updates-announce] MGASA-2013-0266: Updated asterisk package fixes security vulnerabilities
Date:  Fri, 30 Aug 2013 19:36:09 +0200
Message-ID:  <20130830173609.557774878A@valstar.mageia.org>

MGASA-2013-0266 - Updated asterisk package fixes security vulnerabilities

Publication date: 30 Aug 2013
URL: http://advisories.mageia.org/MGASA-2013-0266.html
Type: security
Affected Mageia releases: 3
CVE: CVE-2013-5641, CVE-2013-5642

Description:

A remotely exploitable crash vulnerability exists in the SIP channel driver if an ACK with SDP is received after the channel has been terminated. The handling code incorrectly assumes that the channel will always be present (CVE-2013-5641).

A remotely exploitable crash vulnerability exists in the SIP channel driver if an invalid SDP is sent in a SIP request that defines media descriptions before connection information. The handling code incorrectly attempts to reference the socket address information even though that information has not yet been set (CVE-2013-5642).

References:
- https://bugs.mageia.org/show_bug.cgi?id=11094
- http://downloads.asterisk.org/pub/security/AST-2013-004.html
- http://downloads.asterisk.org/pub/security/AST-2013-005.html
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5641
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5642

SRPMS:
- 3/core/asterisk-11.5.1-1.mga3

