DoS Vulnerability in Asterisk
The makers of Asterisk, the Open Source phone system, have removed a bug that allowed denial of service attacks under certain circumstances.
The vulnerability affected the SIP channel driver, more specifically the "BYE with Also" transfer method. A faulty null-pointer dereference could be exploited to crash the application using a carefully crafted BYE message. The attack needed an existing connection.
All 1.4.x versions of Asterisk Open Source, all C.x.x versions of the Business Edition, the pre-release versions of AsteriskNOW, the Asterisk Appliance Developer Kit prior to version 1.4 revision 95946 and the Asterisk Appliance s800i up to version 1.0.3.4 are all affected by the bug.
Updates are available from the website for the Open Source applications. Updates for commercial versions will be provided via standard support channels.