A denial of service flaw was found in the way Asterisk processed certain requests to negotiate a secure video stream, when the res_srtp Asterisk module has been loaded and video support has not been enabled. A remote attacker could provide a specially-crafted media stream negotiation request, which once processed by Asterisk would lead to an asterisk daemon crash by processing the crypto line for such a media stream.

References:
[1] http://downloads.asterisk.org/pub/security/AST-2012-001.html
[2] https://issues.asterisk.org/jira/browse/ASTERISK-19202

Upstream patch against the v1.8.x branch:
[3] http://downloads.asterisk.org/pub/security/AST-2012-001-1.8.diff

Upstream patch against the v1.10.x branch:
[4] http://downloads.asterisk.org/pub/security/AST-2012-001-10.diff
This issue affects the versions of the asterisk package, as shipped with Fedora release of 15 and 16. Please schedule an update.

--

This issue affects the version of the asterisk package, as shipped with Fedora EPEL 6 release. Please schedule an update.
CVE Request: [5] http://www.openwall.com/lists/oss-security/2012/01/20/16
Created asterisk tracking bugs for this issue

Affects: fedora-all [bug 783490]
Affects: epel-6 [bug 783491]
The CVE identifier of CVE-2012-0885 has been assigned to this issue: [6] http://www.openwall.com/lists/oss-security/2012/01/20/18