advisories/11094.adv

type: security
subject: Updated asterisk package fixes security vulnerabilities
CVE:
 - CVE-2013-5641
 - CVE-2013-5642
src:
  3:
   core:
     - asterisk-11.5.1-1.mga3
description: |
  A remotely exploitable crash vulnerability exists in the SIP channel
  driver if an ACK with SDP is received after the channel has been
  terminated. The handling code incorrectly assumes that the channel
  will always be present (CVE-2013-5641).
  
  A remotely exploitable crash vulnerability exists in the SIP channel
  driver if an invalid SDP is sent in a SIP request that defines media
  descriptions   before connection information. The handling code
  incorrectly attempts to reference the socket address information even
  though that information has not yet been set (CVE-2013-5642).
references:
 - https://bugs.mageia.org/show_bug.cgi?id=11094
 - http://downloads.asterisk.org/pub/security/AST-2013-004.html
 - http://downloads.asterisk.org/pub/security/AST-2013-005.html
ID: MGASA-2013-0266
1	type: security
2	subject: Updated asterisk package fixes security vulnerabilities
3	CVE:
4	- CVE-2013-5641
5	- CVE-2013-5642
6	src:
7	3:
8	core:
9	- asterisk-11.5.1-1.mga3
10	description: \|
11	A remotely exploitable crash vulnerability exists in the SIP channel
12	driver if an ACK with SDP is received after the channel has been
13	terminated. The handling code incorrectly assumes that the channel
14	will always be present (CVE-2013-5641).
15
16	A remotely exploitable crash vulnerability exists in the SIP channel
17	driver if an invalid SDP is sent in a SIP request that defines media
18	descriptions before connection information. The handling code
19	incorrectly attempts to reference the socket address information even
20	though that information has not yet been set (CVE-2013-5642).
21	references:
22	- https://bugs.mageia.org/show_bug.cgi?id=11094
23	- http://downloads.asterisk.org/pub/security/AST-2013-004.html
24	- http://downloads.asterisk.org/pub/security/AST-2013-005.html
25	ID: MGASA-2013-0266