VoIP Mailing List Archives :: View topic - [asterisk-users] AST-2015-001: File descriptor leak when incompatible codecs are offered

Sponsor: VoiceMeUp - Corporate & Wholesale VoIP Services

VoIP Mailing List Archives
Mailing list archives for the VoIP community

[asterisk-users] AST-2015-001: File descriptor leak when incompatible codecs are offered

VoIP Mailing List Archives Forum Index -> Asterisk Users

View previous topic :: View next topic

Author

Message

security at asterisk.org
Guest

Posted: Wed Jan 28, 2015 6:31 pm Post subject: [asterisk-users] AST-2015-001: File descriptor leak when inc

Asterisk Project Security Advisory - AST-2015-001 Product Asterisk Summary File descriptor leak when incompatible codecs are offered Nature of Advisory Resource exhaustion Susceptibility Remote Authenticated Sessions Severity Major Exploits Known No Reported On 6 January, 2015 Reported By Y Ateya Posted On 9 January, 2015 Last Updated On January 28, 2015 Advisory Contact Mark Michelson <mmichelson AT digium DOT com> CVE Name Pending Description Asterisk may be configured to only allow specific audio or video codecs to be used when communicating with a particular endpoint. When an endpoint sends an SDP offer that only lists codecs not allowed by Asterisk, the offer is rejected. However, in this case, RTP ports that are allocated in the process are not reclaimed. This issue only affects the PJSIP channel driver in Asterisk. Users of the chan_sip channel driver are not affected. As the resources are allocated after authentication, this issue only affects communications with authenticated endpoints. Resolution The reported leak has been patched. Affected Versions Product Release Series Asterisk Open Source 1.8.x Unaffected Asterisk Open Source 11.x Unaffected Asterisk Open Source 12.x All versions Asterisk Open Source 13.x All versions Certified Asterisk 1.8.28 Unaffected Certified Asterisk 11.6 Unaffected Corrected In Product Release Asterisk Open Source 12.8.1, 13.1.1 Patches SVN URL Revision http://downloads.asterisk.org/pub/security/AST-2015-001-12.diff Asterisk 12 http://downloads.asterisk.org/pub/security/AST-2015-001-13.diff Asterisk 13 Links https://issues.asterisk.org/jira/browse/ASTERISK-24666 Asterisk Project Security Advisories are posted at http://www.asterisk.org/security This document may be superseded by later versions; if so, the latest version will be posted at http://downloads.digium.com/pub/security/AST-2015-001.pdf and http://downloads.digium.com/pub/security/AST-2015-001.html Revision History Date Editor Revisions Made 9 January, 2015 Mark Michelson Initial creation Asterisk Project Security Advisory - AST-2015-001 Copyright (c) 2015 Digium, Inc. All Rights Reserved. Permission is hereby granted to distribute and publish this advisory in its original, unaltered form. -- _____________________________________________________________________ -- Bandwidth and Colocation Provided by http://www.api-digital.com -- New to Asterisk? Join us for a live introductory webinar every Thurs: http://www.asterisk.org/hello asterisk-users mailing list To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users

Display posts from previous:

	VoIP Mailing List Archives Forum Index -> Asterisk Users	All times are GMT - 5 Hours
Page 1 of 1

You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum