Jan Juergens discovered a buffer overflow in the parser for SMS messages in Asterisk. An additional change was backported, which is fully described in http://downloads.asterisk.org/pub/security/AST-2013-007.htmlWith the fix for AST-2013-007, a new configuration option was added in order to allow the system adminitrator to disable the expansion of dangerous functions (such as SHELL()) from any interface which is not the dialplan. In stable and oldstable this option is disabled by default. To enable it add the following line to the section '[options]' in /etc/asterisk/asterisk.conf (and restart asterisk) live_dangerously = no

For the oldstable distribution (squeeze), this problem has been fixed in version 1:1.6.2.9-2+squeeze12. For the stable distribution (wheezy), this problem has been fixed in version 1:1.8.13.1~dfsg1-3+deb7u3. For the testing distribution (jessie), this problem has been fixed in version 1:11.7.0~dfsg-1. For the unstable distribution (sid), this problem has been fixed in version 1:11.7.0~dfsg-1. We recommend that you upgrade your asterisk packages.

Asterisk is an Open Source PBX and telephony toolkit. It is, in a sense, middleware between Internet and telephony channels on the bottom, and Internet and telephony applications at the top.

asterisk on Debian Linux

This check tests the installed software version using the apt package manager.

• http://www.debian.org/security/2014/dsa-2835.html

---

Updated on 2015-03-25