Common Vulnerabilities and Exposures assigned an identifier CVE-2009-0871 to the following vulnerability:

Name: CVE-2009-0871
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0871
Assigned: 20090311
Reference: BUGTRAQ:20090310 AST-2009-002: Remote Crash Vulnerability in SIP channel driver
Reference: URL: http://www.securityfocus.com/archive/1/archive/1/501656/100/0/threaded
Reference: CONFIRM: http://bugs.digium.com/view.php?id=13547
Reference: CONFIRM: http://bugs.digium.com/view.php?id=14417
Reference: CONFIRM: http://downloads.digium.com/pub/security/AST-2009-002.html
Reference: BID:34070
Reference: URL: http://www.securityfocus.com/bid/34070
Reference: SECTRACK:1021834
Reference: URL: http://www.securitytracker.com/id?1021834
Reference: SECUNIA:34229
Reference: URL: http://secunia.com/advisories/34229

The SIP channel driver in Asterisk Open Source 1.4.22, 1.4.23, and 1.4.23.1; 1.6.0 before 1.6.0.6; 1.6.1 before 1.6.1.0-rc2; and Asterisk Business Edition C.2.3, with the pedantic option enabled, allows remote authenticated users to cause a denial of service (crash) via a SIP INVITE request without any headers, which triggers a NULL pointer dereference in the (1) sip_uri_headers_cmp and (2) sip_uri_params_cmp functions.
Created asterisk tracking bugs for this issue:
CVE-2009-0871 Affects: F10 [bug #489726]
CVE-2009-0871 Affects: F9 [bug #489727]
Fedora 9 and 10 should be updated to 1.6.0.6 which is now available (optionally, a patch to fix the issue is noted on the upstream AST-2009-002 advisory). For rawhide, 1.6.1.0-rc2 fixes this issue and should be updated.
asterisk-1.6.0.15-1.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report.
Fixed asterisk packages are now in all current Fedora versions.