| Description | The IAX2 channel driver (chan_iax2) in Asterisk before 20070504 does not properly null terminate data, which allows remote attackers to trigger loss of transmitted data, and possibly obtain sensitive information (memory contents) or cause a denial of service (application crash), by sending a frame that lacks a 0 byte. |
| Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more) |
| NVD severity | high (attack range: remote) |
Vulnerable and fixed packages
The table below lists information on source packages.
| asterisk (PTS) | jessie (security), jessie | 1:11.13.1~dfsg-2+deb8u5 | fixed |
| | stretch (security), stretch | 1:13.14.1~dfsg-2+deb9u3 | fixed |
The information below is based on the following data on fixed versions.
no-dsa / unimportant candidate, the opposite side of the telephone line could just as well hang up