From the Red Hat bugzilla (1, 2, 3):

CVE-2009-0871: The SIP channel driver in Asterisk Open Source 1.4.22, 1.4.23, and
1.4.23.1; 1.6.0 before 1.6.0.6; 1.6.1 before 1.6.1.0-rc2; and Asterisk
Business Edition C.2.3, with the pedantic option enabled, allows
remote authenticated users to cause a denial of service (crash) via a
SIP INVITE request without any headers, which triggers a NULL pointer
dereference in the (1) sip_uri_headers_cmp and (2) sip_uri_params_cmp
functions.

CVE-2009-2346: The IAX2 protocol implementation in Asterisk Open Source 1.2.x before
1.2.35, 1.4.x before 1.4.26.2, 1.6.0.x before 1.6.0.15, and 1.6.1.x
before 1.6.1.6; Business Edition B.x.x before B.2.5.10, C.2.x before
C.2.4.3, and C.3.x before C.3.1.1; and s800i 1.3.x before 1.3.0.3
allows remote attackers to cause a denial of service (call-number
exhaustion) by initiating many IAX2 message exchanges, a related issue
to CVE-2008-3263.

CVE-2009-2726: On certain implementations of libc, the scanf family of functions uses an
unbounded amount of stack memory to repeatedly allocate string buffers
prior to conversion to the target type. Coupled with Asterisk's allocation
of thread stack sizes that are smaller than the default, an attacker may
exhaust stack memory in the SIP stack network thread by presenting
excessively long numeric strings in various fields.
Note that while this potential vulnerability has existed in Asterisk for a
very long time, it is only potentially exploitable in 1.6.1 and above,
since those versions are the first that have allowed SIP packets to exceed
1500 bytes total, which does not permit strings that are large enough to
crash Asterisk. (The number strings presented to us by the security
researcher were approximately 32,000 bytes long.)
Additionally note that while this can crash Asterisk, execution of
arbitrary code is not possible with this vector.
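
The CVE-2009-2726 entry describes the general pattern: a numeric field is handed to a scanf-family conversion with no width limit, so the libc buffers the whole digit run before converting it. The example below is added here and is not Asterisk code or the upstream fix; it shows the defensive shape a parser of such fields takes, namely measuring the digit run and rejecting overlong tokens before any conversion is called, with strtoul used in place of an unbounded "%u". The function names, the 10-digit limit and the 32,000-digit input are assumptions made for illustration (the length matches the figure quoted in the advisory; the input is constructed, not a captured packet).

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Longest run of digits we will hand to a numeric conversion. A 32-bit
 * unsigned value is at most 10 decimal digits, so anything longer is
 * either garbage or an attempt to feed the parser an oversized field.
 * (Illustrative limit, chosen for this example.) */
#define MAX_NUMERIC_FIELD 10

/*
 * Bounded replacement for sscanf(field, "%u", &out) on a single numeric
 * token (hypothetical helper, not an Asterisk function). The digit run
 * is measured *before* any conversion runs, so a multi-kilobyte digit
 * string is rejected without the libc ever having to buffer it.
 * Returns 1 and stores the value in *out on success; returns 0 when the
 * token is empty, too long, contains non-digits, or is out of range.
 */
int parse_bounded_uint(const char *field, unsigned long *out)
{
    size_t digits = strspn(field, "0123456789");

    /* Reject before converting: empty, overlong, or trailing junk. */
    if (digits == 0 || digits > MAX_NUMERIC_FIELD || field[digits] != '\0')
        return 0;

    errno = 0;
    char *end = NULL;
    unsigned long value = strtoul(field, &end, 10);
    if (errno == ERANGE || end != field + digits || value > 0xFFFFFFFFUL)
        return 0;

    *out = value;
    return 1;
}

/*
 * Constructed test input, not a real capture: a digit string of the size
 * the advisory mentions (about 32,000 bytes). The caller frees the result.
 */
char *make_long_digit_string(size_t len)
{
    char *s = malloc(len + 1);
    if (!s)
        return NULL;
    memset(s, '9', len);
    s[len] = '\0';
    return s;
}

int main(void)
{
    unsigned long v = 0;
    const char *ok = "4711";   /* constructed: a plausible CSeq number */
    char *huge = make_long_digit_string(32000);
    if (!huge)
        return 1;

    printf("%s -> %s\n", ok,
           parse_bounded_uint(ok, &v) ? "accepted" : "rejected");
    printf("%zu digits -> %s\n", strlen(huge),
           parse_bounded_uint(huge, &v) ? "accepted" : "rejected");

    free(huge);
    return 0;
}
```

The point of the ordering is that the length check costs a single strspn over the token and never allocates, whereas an unbounded "%u" or "%d" leaves it to the libc to decide how much stack to spend on the digit run; a width specifier such as "%10u" also bounds the buffer, but silently truncates a longer field instead of rejecting it, so the explicit check is preferable when the field length is itself a signal of hostile input.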