|
|
Bug#315532: Asterisk Manager Interface Overflow: msg#00236linux.debian.packages.voip.devel
Bug #315532 has been rasied as grave security related bug against asterisk-1.0.7, which is included in the released sarge. It refers to a potential overflow in the Asterisk Manager Interface, which is not enabled by default in the Debian asterisk package. In addition the Debian asterisk package is not run as root as upstream, but rather as the user asterisk with limited privs. It has been pointed out that a user of the manager interface can execute arbitary commands anyway, so the potential for additional privs is again limited even in the case that the manager interface is enabled and exploited. My query is does this warrant an release from the security team of the relevant asterisk package? The patch is included against the bug report. Or can we close this bug? Mark |
|
| <Prev in Thread] | Current Thread | [Next in Thread> |
|---|---|---|
| Previous by Date: | Bug#319051: acknowledged by developer (Bug#318742: fixed in gnomemeeting 1.2.1-2): 00236, Rémy Saissy |
|---|---|
| Next by Date: | Bug#315532: Asterisk Manager Interface Overflow: 00236, Steve Langasek |
| Previous by Thread: | Bug#318742: marked as done (gnomemeeting: uninstallable [C++ transition])i: 00236, Debian Bug Tracking System |
| Next by Thread: | Bug#315532: Asterisk Manager Interface Overflow: 00236, Steve Langasek |
| Indexes: | [Date] [Thread] [Top] [All Lists] |
| News | FAQ | advertise |