OpenPKG Security Advisory
OpenPKG-SA-2006.024
Publisher Name: OpenPKG GmbH
Publisher Home: http://openpkg.com/
Advisory Id (public): OpenPKG-SA-2006.024
Advisory Type: OpenPKG Security Advisory (SA)
Advisory Directory: http://openpkg.com/go/OpenPKG-SA
Advisory Document: http://openpkg.com/go/OpenPKG-SA-2006.024
Advisory Published: 2009-07-05 03:36 UTC
Issue Id (internal): OpenPKG-SI-20061019.01
Issue First Created: 2006-10-19
Issue Last Modified: 2006-11-28
Issue Revision: 06
Subject Name: Asterisk
Subject Summary: Private Branch Exchange (PBX) for VoIP
Subject Home: http://www.asterisk.org/
Subject Versions: * <= 1.2.12.1
Vulnerability Id: none
Vulnerability Scope: global (not OpenPKG specific)
Attack Feasibility: run-time
Attack Vector: local system
Attack Impact: arbitrary code execution
Description:
According to a vendor security advisory [1], a vulnerability exists
in the Asterisk Private Branch Exchange (PBX) software [2]. This
vulnerability would enable an attacker to remotely execute code as
the user Asterisk is running under. The "skinny.conf" file does not
need to contain any valid phone entries; it is sufficient that the
"chan_skinny" module is loaded and operational (which is not the
case in OpenPKG's default Asterisk configuration).
References:
[1] http://www.asterisk.org/node/109
[2] http://www.asterisk.org/
Primary Package Name: asterisk
Primary Package Home: http://openpkg.org/go/package/asterisk
Affected Distribution:   Affected Branch:     Affected Package:
OpenPKG Enterprise       E1.0-SOLID           asterisk-1.2.13-E1.0.0
OpenPKG Community        2-STABLE-20061018    asterisk-1.2.12.1-2.20061018
OpenPKG Community        2-STABLE             asterisk-1.2.12.1-2.20061018
OpenPKG Community        CURRENT              asterisk-1.2.12.1-20061015
Corrected Distribution:  Corrected Branch:    Corrected Package:
OpenPKG Enterprise       E1.0-SOLID           n/a
OpenPKG Community        2-STABLE-20061018    asterisk-1.2.13-2.20061019
OpenPKG Community        2-STABLE             asterisk-1.2.13-2.20061019
OpenPKG Community        CURRENT              asterisk-1.2.13-20061019