“Remotely exploitable crash vulnerability exists in the SIP channel driver if an ACK with SDP is received after the channel has been terminated. The handling code incorrectly assumes that the channel will always be present.”
This issue affected versions 1.8.x (18.104.22.168 and above) and all 11.x versions.
“Remotely exploitable crash vulnerability exists in the SIP channel driver if an invalid SDP is sent in a SIP request that defines media descriptions before connection information. The handling code incorrectly attempts to reference the socket address information even though that information has not yet been set.”
This issue affected all versions of 1.8.x, 10.x, and 11.x.
Access Asterisk Project Security Advisories here – http://downloads.asterisk.org/pub/security/AST-2013-004.html http://downloads.asterisk.org/pub/security/AST-2013-005.html