=====================================================================
                                    CERT-Renater

                         Information Note No. 2007/VULN466
_____________________________________________________________________

DATE                      : 30/11/2007

HARDWARE PLATFORM(S)      : /

OPERATING SYSTEM(S)       : Systems running Asterisk.

======================================================================
http://www.asterisk.org/node/48429
http://downloads.digium.com/pub/asa/AST-2007-025.pdf
http://downloads.digium.com/pub/asa/AST-2007-026.pdf
______________________________________________________________________

Asterisk 1.4.15 and 1.2.25 Released
Submitted by asteriskteam on 29 November 2007 - 10:09pm.

The Asterisk.org development team has released Asterisk versions 1.4.15 
and 1.2.25. These releases contain two fixes for security issues.

http://downloads.digium.com/pub/asa/AST-2007-025.pdf
* This is a SQL injection vulnerability in the res_config_pgsql module. 
Default installations of Asterisk are not affected. However, any system 
using the Postgres Realtime Engine may be remotely exploitable. This 
issue only affects Asterisk 1.4, as this module was not in Asterisk 1.2.

http://downloads.digium.com/pub/asa/AST-2007-026.pdf
* This is another SQL injection vulnerability. The input for the ANI and 
DNIS fields was not properly escaped. Default installations of Asterisk 
are not vulnerable. However, systems that use the Postgres CDR logging 
module may be remotely exploitable. This issue affects both Asterisk 1.2 
and 1.4.

Both releases are available on http://downloads.digium.com.

Thank you very much for your support!



======================================================================
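
Added example (not part of the Asterisk announcement, and not Asterisk or CERT-Renater code): what unescaped ANI/DNIS values do to a CDR INSERT, next to the same INSERT with bound parameters. Assumptions: Python's sqlite3 stands in for PostgreSQL so the example runs offline, and the table, column and function names are hypothetical.

```python
import sqlite3

# Hypothetical minimal CDR table; not the schema used by Asterisk.
SCHEMA = "CREATE TABLE cdr (ani TEXT, dnis TEXT)"

# Constructed sample values for the caller-supplied ANI field.
ANI_WITH_QUOTE = "O'Brien"          # a single quote breaks the statement
ANI_RESTRUCTURING = "1000', '0000') --"  # closes the literal, replaces DNIS
REAL_DNIS = "5551000"


def log_cdr_concat(db, ani, dnis):
    """'Before' pattern: caller-controlled fields pasted into the SQL text."""
    db.execute("INSERT INTO cdr (ani, dnis) VALUES ('%s', '%s')" % (ani, dnis))


def log_cdr_bound(db, ani, dnis):
    """Hardened pattern: values are sent as bound parameters, never as SQL."""
    db.execute("INSERT INTO cdr (ani, dnis) VALUES (?, ?)", (ani, dnis))


def stored_rows(logger, ani, dnis):
    """Log one call into a fresh in-memory database and return what was stored."""
    db = sqlite3.connect(":memory:")
    db.execute(SCHEMA)
    try:
        logger(db, ani, dnis)
    except sqlite3.Error as exc:
        # The field content was parsed as SQL and the statement no longer parses.
        return "error: %s" % type(exc).__name__
    return db.execute("SELECT ani, dnis FROM cdr").fetchall()


def compare(ani, dnis=REAL_DNIS):
    """Return (result with concatenation, result with bound parameters)."""
    return stored_rows(log_cdr_concat, ani, dnis), stored_rows(log_cdr_bound, ani, dnis)


if __name__ == "__main__":
    for sample in (ANI_WITH_QUOTE, ANI_RESTRUCTURING):
        concat, bound = compare(sample)
        print("ANI field :", repr(sample))
        print("  concat  :", concat)
        print("  bound   :", bound)
```

With bound parameters the stored row always equals what the call signalling supplied; with concatenation the record is either lost or differs from the real call.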

           =========================================================
           CERT-Renater reference servers
           http://www.urec.fr/securite
           http://www.cru.fr/securite
           http://www.renater.fr
           =========================================================
           + CERT-RENATER          | tel : 01-53-94-20-44          +
           + 151 bd de l'Hopital   | fax : 01-53-94-20-41          +
           + 75013 Paris           | email: certsvp@renater.fr     +
           =========================================================


