Prev-20 Home Next-20 6 msg How to originate a call from console CLI ? 1 msg Sip 1.4.x DTMF detection not working 6 msg Newb Question AST-2007-026 - SQL Injection issue in cdr_pgsql \ Asterisk Security Team (29 Nov 2007) 2 msg Call Parking/Pickup on a single button 3 msg Adding new recorded phrases to the release 10 msg Using existing extensions.conf macros,and co-ha... 1 msg AST-2007-025 - SQL Injection issue inres_config... 1 msg Asterisk 1.4.15 and 1.2.25 Released 2 msg Transfering IAX context 1 msg Protection switching on PRIs. 3 msg SLA: Handling of errors in outgoing call 5 msg Problems with Asterisk 1.4.14 and Queue app 3 msg least cost routing and asterisk-1.4 2 msg roundrobin and rrmemory with pre-defined agento... 1 msg Re: asterisk-users Digest, Vol 40, Issue 82 2 msg Hylafax 1 msg Needed Hardware 1 msg CDR n Dial A option 1 msg [Copfilter] Copy of quarantined email - *** SPA... Prev-20 Home Next-20

Prev-Msg Prev-Thread Asterisk-users Nov-2007 Next-Thread Next-Msg Subject: AST-2007-026 - SQL Injection issue in cdr_pgsql Group: Asterisk-users From: Asterisk Security Team Date: 29 Nov 2007 Asterisk Project Security Advisory - AST-2007-026 +------------------------------------------------------------------------+ | Product | Asterisk | |----------------------+-------------------------------------------------| | Summary | SQL Injection issue in cdr_pgsql | |----------------------+-------------------------------------------------| | Nature of Advisory | SQL Injection | |----------------------+-------------------------------------------------| | Susceptibility | Remote Authenticated Sessions | |----------------------+-------------------------------------------------| | Severity | Moderate | |----------------------+-------------------------------------------------| | Exploits Known | No | |----------------------+-------------------------------------------------| | Reported On | November 29, 2007 | |----------------------+-------------------------------------------------| | Reported By | Tilghman Lesher <tlesher AT digium DOT com> | |----------------------+-------------------------------------------------| | Posted On | November 29, 2007 | |----------------------+-------------------------------------------------| | Last Updated On | November 29, 2007 | |----------------------+-------------------------------------------------| | Advisory Contact | Tilghman Lesher <tlesher AT digium DOT com> | |----------------------+-------------------------------------------------| | CVE Name | CVE-2007-6170 | +------------------------------------------------------------------------+ +------------------------------------------------------------------------+ | Description | Input buffers were not properly escaped when providing | | | the ANI and DNIS strings to the Call Detail Record | | | Postgres logging engine. An attacker could potentially | | | compromise the administrative database containing users' | | | usernames and passwords used for SIP authentication, | | | among other things. | | | | | | This module is not active by default and must be | | | configured for use by the administrator. Default | | | installations of Asterisk are not affected. | +------------------------------------------------------------------------+ +------------------------------------------------------------------------+ | Workaround | Convert your installation to use cdr_odbc with the | | | PgsqlODBC driver. This module provides similar | | | functionality but is not vulnerable. | +------------------------------------------------------------------------+ +------------------------------------------------------------------------+ | Resolution | Upgrade to Asterisk release 1.4.15 or higher. | +------------------------------------------------------------------------+ +------------------------------------------------------------------------+ | Affected Versions | |------------------------------------------------------------------------| | Product | Release | | | | Series | | |-------------------------------+-------------+--------------------------| | Asterisk Open Source | 1.0.x | All versions | |-------------------------------+-------------+--------------------------| | Asterisk Open Source | 1.2.x | 1.2.24 and previous | |-------------------------------+-------------+--------------------------| | Asterisk Open Source | 1.4.x | 1.4.14 and previous | |-------------------------------+-------------+--------------------------| | Asterisk Business Edition | A.x.x | All versions | |-------------------------------+-------------+--------------------------| | Asterisk Business Edition | B.x.x | B.2.3.3 and previous | |-------------------------------+-------------+--------------------------| | Asterisk Business Edition | C.x.x | C.1.0-beta5 and previous | |-------------------------------+-------------+--------------------------| | AsteriskNOW | pre-release | None | |-------------------------------+-------------+--------------------------| | Asterisk Appliance Developer | 0.x.x | None | | Kit | | | |-------------------------------+-------------+--------------------------| | s800i (Asterisk Appliance) | 1.0.x | None | +------------------------------------------------------------------------+ +------------------------------------------------------------------------+ | Corrected In | |------------------------------------------------------------------------| | Product | Release | |-------------------------------------------+----------------------------| | Asterisk Open Source | 1.2.25 | |-------------------------------------------+----------------------------| | Asterisk Open Source | 1.4.15 | |-------------------------------------------+----------------------------| | Asterisk Business Edition | B.2.3.4 | |-------------------------------------------+----------------------------| | Asterisk Business Edition | C.1.0-beta6 | +------------------------------------------------------------------------+ +------------------------------------------------------------------------+ | Links | | +------------------------------------------------------------------------+ +------------------------------------------------------------------------+ | Asterisk Project Security Advisories are posted at | | http://www.asterisk.org/security | | | | This document may be superseded by later versions; if so, the latest | | version will be posted at | | http://downloads.digium.com/pub/security/AST-2007-026.pdf and | | http://downloads.digium.com/pub/security/AST-2007-026.html | +------------------------------------------------------------------------+ +------------------------------------------------------------------------+ | Revision History | |------------------------------------------------------------------------| | Date | Editor | Revisions Made | |----------------+--------------------+----------------------------------| | 2007-11-29 | Tilghman Lesher | Initial release | |----------------+--------------------+----------------------------------| | 2007-11-29 | Tilghman Lesher | Added CVE, ABE C version | +------------------------------------------------------------------------+ Asterisk Project Security Advisory - AST-2007-026 Copyright (c) 2007 Digium, Inc. All Rights Reserved. Permission is hereby granted to distribute and publish this advisory in its original, unaltered form. _______________________________________________ --Bandwidth and Colocation Provided by http://www.api-digital.com-- asterisk-users mailing list To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users Prev-Msg Prev-Thread Asterisk-users Nov-2007 Next-Thread Next-Msg

© 2004-2008 readlist.com