Debian 10261 Published by

Two new security updates are available for Debian: [SECURITY] [DSA 2277-1] xml-security-c security update and [SECURITY] [DSA 2276-1] asterisk security update



[SECURITY] [DSA 2277-1] xml-security-c security update
- -------------------------------------------------------------------------
Debian Security Advisory DSA-2277-1 security@debian.org
http://www.debian.org/security/ Nico Golde
July 10, 2011 http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : xml-security-c
Vulnerability : stack-based buffer overflow
Problem type : local/remote
Debian-specific: no
CVE ID : CVE-2011-2516
Debian bug : 632973

It has been discovered that xml-security-c, an implementation of the XML
Digital Signature and Encryption specifications, is not properly handling
RSA keys of sizes on the order of 8192 or more bits. This allows an
attacker to crash applications using this functionality or potentially
execute arbitrary code by tricking an application into verifying a signature
created with a sufficiently long RSA key.


For the oldstable distribution (lenny), this problem has been fixed in
version 1.4.0-3+lenny3.

For the stable distribution (squeeze), this problem has been fixed in
version 1.5.1-3+squeeze1.

For the testing distribution (wheezy), this problem will be fixed soon.

For the unstable distribution (sid), this problem has been fixed in
version 1.6.1-1.

We recommend that you upgrade your xml-security-c packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/
[SECURITY] [DSA 2276-1] asterisk security update
- -------------------------------------------------------------------------
Debian Security Advisory DSA-2276-1 security@debian.org
http://www.debian.org/security/ Luciano Bello
July 10, 2011 http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : asterisk
Vulnerability : multiple denial of service
Problem type : remote
Debian-specific: no
CVE ID : CVE-2011-2529 CVE-2011-2535
Debian Bug : 631445 631446 631448

Paul Belanger reported a vulnerability in Asterisk identified as AST-2011-008
(CVE-2011-2529) through which an unauthenticated attacker may crash an Asterisk
server remotely. A package containing a null char causes the SIP header parser
to alter unrelated memory structures.

Jared Mauch reported a vulnerability in Asterisk identified as AST-2011-009
through which an unauthenticated attacker may crash an Asterisk server remotely.
If a user sends a package with a Contact header with a missing left angle
bracket