Common Vulnerabilities and Exposures assigned an identifier CVE-2009-0871 to
the following vulnerability:
Reference: BUGTRAQ:20090310 AST-2009-002: Remote Crash Vulnerability in SIP channel driver
Reference: URL: http://www.securityfocus.com/archive/1/archive/1/501656/100/0/threaded
Reference: CONFIRM: http://bugs.digium.com/view.php?id=13547
Reference: CONFIRM: http://bugs.digium.com/view.php?id=14417
Reference: CONFIRM: http://downloads.digium.com/pub/security/AST-2009-002.html
Reference: URL: http://www.securityfocus.com/bid/34070
Reference: URL: http://www.securitytracker.com/id?1021834
Reference: URL: http://secunia.com/advisories/34229
The SIP channel driver in Asterisk Open Source 1.4.22, 1.4.23, and
1.4.23.1; 1.6.0 before 1.6.0.6; 1.6.1 before 1.6.1-rc2; and Asterisk
Business Edition C.2.3, with the pedantic option enabled, allows
remote authenticated users to cause a denial of service (crash) via a
SIP INVITE request without any headers, which triggers a NULL pointer
dereference in the (1) sip_uri_headers_cmp and (2) sip_uri_params_cmp
functions.
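The bug class behind this description, as an added illustration that is not Asterisk's chan_sip.c: with pedantic matching enabled the driver compares the parameter and header parts of two SIP URIs, and a request that carries no headers at all leaves one side of that comparison NULL. The function names (params_cmp_unsafe, params_cmp_safe, header_value, pedantic_match), the dialog URI, and the two request strings below are constructed for this example and are not taken from Asterisk or from any captured traffic.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Unsafe pattern (illustration, not Asterisk code): both URIs are assumed
 * non-NULL, so a header-less request that yields a NULL URI crashes here. */
int params_cmp_unsafe(const char *uri1, const char *uri2)
{
    const char *p1 = strchr(uri1, ';');   /* NULL uri1 -> NULL dereference */
    const char *p2 = strchr(uri2, ';');
    if (!p1 && !p2) return 0;
    if (!p1 || !p2) return 1;
    return strcasecmp(p1 + 1, p2 + 1) != 0;
}

/* Hardened form: a NULL URI is treated as "no parameters" and simply
 * fails to match. Returns 0 when the parameter strings match, 1 otherwise. */
int params_cmp_safe(const char *uri1, const char *uri2)
{
    const char *p1 = uri1 ? strchr(uri1, ';') : NULL;
    const char *p2 = uri2 ? strchr(uri2, ';') : NULL;
    if (!p1 && !p2) return 0;   /* neither side carries parameters */
    if (!p1 || !p2) return 1;   /* one side missing: mismatch, no crash */
    return strcasecmp(p1 + 1, p2 + 1) != 0;
}

/* Constructed sample requests: a normal INVITE and one with no headers. */
const char *INVITE_OK =
    "INVITE sip:100@pbx.example SIP/2.0\r\n"
    "To: sip:100@pbx.example;transport=udp\r\n"
    "From: sip:alice@pbx.example;tag=1\r\n"
    "\r\n";
const char *INVITE_NO_HEADERS =
    "INVITE sip:100@pbx.example SIP/2.0\r\n"
    "\r\n";

/* Minimal header lookup: copies the value of header `name` into `out` and
 * returns it, or returns NULL when the header is absent (which is exactly
 * what a header-less INVITE produces for every header). */
const char *header_value(const char *req, const char *name,
                         char *out, size_t outlen)
{
    size_t nlen = strlen(name);
    const char *line = strstr(req, "\r\n");   /* skip the request line */
    while (line) {
        line += 2;
        if (*line == '\0' || (line[0] == '\r' && line[1] == '\n'))
            return NULL;                      /* end of headers: not found */
        if (strncasecmp(line, name, nlen) == 0 && line[nlen] == ':') {
            const char *v = line + nlen + 1;
            while (*v == ' ') v++;
            const char *end = strstr(v, "\r\n");
            size_t len = end ? (size_t)(end - v) : strlen(v);
            if (len >= outlen) len = outlen - 1;
            memcpy(out, v, len);
            out[len] = '\0';
            return out;
        }
        line = strstr(line, "\r\n");
    }
    return NULL;
}

/* Pedantic-style check of the request's To URI against a stored dialog
 * URI, using the hardened comparison. Returns 1 on match, 0 otherwise. */
int pedantic_match(const char *req, const char *dialog_uri)
{
    char to[256];
    const char *hdr = header_value(req, "To", to, sizeof(to));
    return params_cmp_safe(hdr, dialog_uri) == 0;
}

int main(void)
{
    const char *dialog = "sip:100@pbx.example;transport=udp";
    /* The unsafe comparison is fine on well-formed input ... */
    printf("unsafe, normal INVITE: %d\n",
           params_cmp_unsafe("sip:100@pbx.example;transport=udp", dialog));
    /* ... but params_cmp_unsafe(NULL, dialog) would dereference NULL. */
    printf("safe, normal INVITE matches: %d\n", pedantic_match(INVITE_OK, dialog));
    printf("safe, header-less INVITE matches: %d\n",
           pedantic_match(INVITE_NO_HEADERS, dialog));
    return 0;
}
```

The hardened comparison does not make the header-less request valid; it only turns a crash into a failed dialog match, which is the behaviour a SIP stack should have for a request missing its mandatory headers.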
Created asterisk tracking bugs for this issue
CVE-2009-0871 Affects: F10 [bug #489726]
CVE-2009-0871 Affects: F9 [bug #489727]
Fedora 9 and 10 should be updated to 1.6.0.6 which is now available (optionally, a patch to fix the issue is noted on the upstream AST-2009-002 advisory). For rawhide, 1.6.1-rc2 fixes this issue and should be updated.
asterisk-1.6.0.6-1.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report.
Fixed asterisk packages are now in all current Fedora versions.