VoIP Mailing List Archives :: View topic - [asterisk-users] AST-2016-002: File descriptor exhaustion in chan

Sponsor: VoiceMeUp - Corporate & Wholesale VoIP Services

VoIP Mailing List Archives
Mailing list archives for the VoIP community

[asterisk-users] AST-2016-002: File descriptor exhaustion in chan_sip

VoIP Mailing List Archives Forum Index -> Asterisk Users

View previous topic :: View next topic

Author

Message

security at asterisk.org
Guest

Posted: Wed Feb 03, 2016 8:59 pm Post subject: [asterisk-users] AST-2016-002: File descriptor exhaustion in

Asterisk Project Security Advisory - AST-2016-002 Product Asterisk Summary File descriptor exhaustion in chan_sip Nature of Advisory Denial of Service Susceptibility Remote Unauthenticated Sessions Severity Minor Exploits Known Yes Reported On September 17, 2015 Reported By Alexander Traud Posted On February 3, 2016 Last Updated On February 3, 2016 Advisory Contact Richard Mudgett <rmudgett AT digium DOT com> CVE Name Pending Description Setting the sip.conf timert1 value to a value higher than 1245 can cause an integer overflow and result in large retransmit timeout times. These large timeout values hold system file descriptors hostage and can cause the system to run out of file descriptors. Resolution Setting the sip.conf timert1 value to 1245 or lower will not exhibit the vulnerability. The default timert1 value is 500. Asterisk has been patched to detect the integer overflow and calculate the previous retransmission timer value. Affected Versions Product Release Series Asterisk Open Source 1.8.x All versions Asterisk Open Source 11.x All versions Asterisk Open Source 12.x All versions Asterisk Open Source 13.x All versions Certified Asterisk 1.8.28 All versions Certified Asterisk 11.6 All versions Certified Asterisk 13.1 All versions Corrected In Product Release Asterisk Open Source 11.21.1, 13.7.1 Certified Asterisk 11.6-cert12, 13.1-cert3 Patches SVN URL Revision http://downloads.asterisk.org/pub/security/AST-2016-002-1.8.28.diff Certified Asterisk 1.8.28 http://downloads.asterisk.org/pub/security/AST-2016-002-11.6.diff Certified Asterisk 11.6 http://downloads.asterisk.org/pub/security/AST-2016-002-13.1.diff Certified Asterisk 13.1 http://downloads.asterisk.org/pub/security/AST-2016-002-1.8.diff Asterisk 1.8 http://downloads.asterisk.org/pub/security/AST-2016-002-11.diff Asterisk 11 http://downloads.asterisk.org/pub/security/AST-2016-002-12.diff Asterisk 12 http://downloads.asterisk.org/pub/security/AST-2016-002-13.diff Asterisk 13 Links https://issues.asterisk.org/jira/browse/ASTERISK-25397 Asterisk Project Security Advisories are posted at http://www.asterisk.org/security This document may be superseded by later versions; if so, the latest version will be posted at http://downloads.digium.com/pub/security/AST-2016-002.pdf and http://downloads.digium.com/pub/security/AST-2016-002.html Revision History Date Editor Revisions Made September 29, 2015 Richard Mudgett Initial document created Asterisk Project Security Advisory - AST-2016-002 Copyright (c) 2015 Digium, Inc. All Rights Reserved. Permission is hereby granted to distribute and publish this advisory in its original, unaltered form. -- _____________________________________________________________________ -- Bandwidth and Colocation Provided by http://www.api-digital.com -- New to Asterisk? Join us for a live introductory webinar every Thurs: http://www.asterisk.org/hello asterisk-users mailing list To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users

Display posts from previous:

	VoIP Mailing List Archives Forum Index -> Asterisk Users	All times are GMT - 5 Hours
Page 1 of 1

You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum