Asterisk did not limit the number of unauthenticated connections to vulnerable interfaces and did not limit the time unauthenticated clients remain connected to some interfaces. A remote attacker could open many subsequent connections to vulnerable Asterisk interfaces, leading to file descriptor resource exhaustion or possibly to disk space exhaustion (due to the Asterisk feature of logging failures to open new file descriptors into its log file).

References:
[1] http://downloads.asterisk.org/pub/security/AST-2011-005.html

Upstream patches:
[2] http://downloads.asterisk.org/pub/security/AST-2011-005-1.4.diff (against v1.4 branch)
[3] http://downloads.asterisk.org/pub/security/AST-2011-005-1.6.1.diff (against v1.6.1 branch)
[4] http://downloads.asterisk.org/pub/security/AST-2011-005-1.6.2.diff (against v1.6.2 branch)
[5] http://downloads.asterisk.org/pub/security/AST-2011-005-1.8.diff (against v1.8 branch)
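The two missing controls named above (a cap on concurrent unauthenticated connections and a deadline by which a connection must authenticate) are what an admission gate in front of a listening interface has to enforce. The following is an added illustration written for this report, not Asterisk's own code; the class name, the limit values and the connection scenario are constructed.

```python
from dataclasses import dataclass, field


@dataclass
class UnauthGate:
    """Admission control for not-yet-authenticated connections (hypothetical)."""
    max_unauth: int            # cap on concurrent unauthenticated connections
    auth_timeout: float        # seconds a connection may stay unauthenticated
    pending: dict = field(default_factory=dict)   # conn_id -> accept time
    rejected: int = 0          # connections refused because the pool was full
    expired: int = 0           # connections dropped for not authenticating in time

    def admit(self, conn_id: str, now: float) -> bool:
        """Accept a new connection only while the unauthenticated pool has room."""
        self.reap(now)
        if len(self.pending) >= self.max_unauth:
            self.rejected += 1
            return False
        self.pending[conn_id] = now
        return True

    def authenticated(self, conn_id: str) -> None:
        """Once login succeeds the connection no longer counts against the cap."""
        self.pending.pop(conn_id, None)

    def reap(self, now: float) -> list:
        """Drop connections that sat unauthenticated for auth_timeout or longer."""
        stale = [c for c, t in self.pending.items() if now - t >= self.auth_timeout]
        for c in stale:
            del self.pending[c]
        self.expired += len(stale)
        return stale


def simulate(limit: int = 5, timeout: float = 30.0) -> dict:
    """Constructed scenario: 8 connections arrive at t=0 and never log in, one of
    them authenticates, a client connects at t=1, and a burst arrives at t=31."""
    gate = UnauthGate(limit, timeout)
    first = [gate.admit(f"c{i}", 0.0) for i in range(8)]   # only 5 fit
    gate.authenticated("c0")                                # frees one slot
    late = gate.admit("c8", 1.0)                            # takes the freed slot
    second = [gate.admit(f"d{i}", 31.0) for i in range(3)]  # idle ones expired
    return {"first": first, "late": late, "second": second,
            "rejected": gate.rejected, "expired": gate.expired,
            "pending": len(gate.pending)}
```

Without the cap the first burst would hold eight descriptors indefinitely; with it, the idle sockets are released at the deadline and the refused ones never consume a descriptor.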
This issue affects the versions of the asterisk package as shipped with Fedora releases 13 and 14. This issue affects the version of the asterisk package as present within the EPEL-6 repository. Please schedule an update.
Created asterisk tracking bugs for this issue

Affects: fedora-all [bug 698918]
Affects: epel-6 [bug 698919]
This is corrected via these builds that have the fixes from upstream:

Fedora-13: asterisk-1.6.2.18-1.fc13
Fedora-14: asterisk-1.6.2.18-1.fc14
Fedora-15: asterisk-1.8.3.3-1.fc15
Fedora-Rawhide: asterisk-1.8.3.3-1.fc16
EPEL-6: asterisk-1.8.3.3-1.el6