Debian DSA-2835-1 : asterisk - buffer overflow

This script is Copyright (C) 2014-2015 Tenable Network Security, Inc.

Synopsis :

The remote Debian host is missing a security-related update.

Description :

Jan Juergens discovered a buffer overflow in the parser for SMS
messages in Asterisk.

An additional change was backported, which is fully described in

With the fix for AST-2013-007, a new configuration option was added in
order to allow the system administrator to disable the expansion
of 'dangerous' functions (such as SHELL()) from any interface which is
not the dialplan. In stable and oldstable this option is disabled by
default. To enable it, add the following line to the section
'[options]' in /etc/asterisk/asterisk.conf (and restart asterisk):

live_dangerously = no
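The following is an added defender-side check, not part of the DSA text or of the Nessus plugin: a POSIX shell function that reads an asterisk.conf-style file and reports whether `live_dangerously = no` is actually present in the `[options]` section (and not, for example, in some other section where it has no effect). The sample configuration files it writes are constructed for the demonstration; the temporary directory and file names are assumptions, and the spellings `no`, `false`, `off` and `0` are treated as "disabled" on the assumption that Asterisk's boolean parsing accepts all of them.

```shell
#!/bin/sh
# Added example: audit helper for the live_dangerously setting.
# Usage: check_live_dangerously /etc/asterisk/asterisk.conf
# Prints one word and returns:
#   "ok"      (exit 0) - [options] has live_dangerously set to a false value
#   "missing" (exit 1) - not set in [options]; Debian's default leaves
#                        dangerous function expansion enabled
#   "enabled" (exit 2) - set in [options], but to a true value
check_live_dangerously() {
    conf="$1"
    [ -r "$conf" ] || { echo "unreadable"; return 3; }
    awk '
        /^[[:space:]]*[;#]/ { next }              # skip comment lines
        /^[[:space:]]*\[/ {                       # section header, e.g. [options]
            sec = $0
            sub(/^[[:space:]]*\[/, "", sec)
            sub(/\].*$/, "", sec)
            next
        }
        sec == "options" && /^[[:space:]]*live_dangerously[[:space:]]*=/ {
            val = $0
            sub(/^[^=]*=/, "", val)               # keep text after "="
            sub(/[;#].*$/, "", val)               # drop trailing comment
            gsub(/[[:space:]]/, "", val)
            found = tolower(val)                  # last assignment wins, as in Asterisk
        }
        END {
            if (found == "") { print "missing"; exit 1 }
            if (found == "no" || found == "false" || found == "off" || found == "0") {
                print "ok"; exit 0
            }
            print "enabled"; exit 2
        }' "$conf"
}

# Demonstration on constructed sample files (hypothetical paths under a
# temporary directory; nothing here touches the real /etc/asterisk).
run_demo() {
    dir=$(mktemp -d)
    printf '[options]\n; hardened per DSA-2835-1\nlive_dangerously = no\n' > "$dir/hardened.conf"
    printf '[options]\nverbose = 3\n[files]\nlive_dangerously = no\n' > "$dir/wrong-section.conf"
    printf '[options]\nlive_dangerously=yes ; left on\n' > "$dir/enabled.conf"
    for f in hardened wrong-section enabled; do
        printf '%s: ' "$f"
        check_live_dangerously "$dir/$f.conf" || true
    done
    rm -rf "$dir"
}

run_demo
```

Because the check keys on the `[options]` section specifically, a copy of the line pasted under `[files]` or `[compat]` is reported as `missing`, which is the case a quick `grep live_dangerously` would miss.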

See also :

Solution :

Upgrade the asterisk packages.

For the oldstable distribution (squeeze), this problem has been fixed
in version 1:

For the stable distribution (wheezy), this problem has been fixed in
version 1:

Risk factor :

Medium / CVSS Base Score : 5.0
CVSS Temporal Score : 4.3
Public Exploit Available : false

Family: Debian Local Security Checks

Nessus Plugin ID: 71848

Bugtraq ID: 64364

CVE ID: CVE-2013-7100
