PT-2009-3463 · Digium · Asterisk Open Source, Asterisk Business Edition
Published 2009-03-11 · Updated 2018-10-10 · CVE-2009-0871
CVSS v2.0: 3.5 (Low)
| Vector | AV:N/AC:M/Au:S/C:N/I:N/A:P |
Name of the Vulnerable Software and Affected Versions
Asterisk Open Source versions 1.4.22 through 1.4.23.1
Asterisk Open Source versions 1.6.0 through 1.6.0.5
Asterisk Open Source version 1.6.1 before 1.6.1.0-rc2
Asterisk Business Edition version C.2.3
Description
The issue allows remote authenticated users to cause a denial of service via a SIP INVITE request without any headers. This triggers a NULL pointer dereference in the (1) sip_uri_headers_cmp and (2) sip_uri_params_cmp functions when the pedantic option is enabled.
Recommendations
For Asterisk Open Source versions 1.4.22 through 1.4.23.1, update to a version outside of this range to resolve the issue.
For Asterisk Open Source versions 1.6.0 through 1.6.0.5, update to version 1.6.0.6 or later.
For Asterisk Open Source version 1.6.1 before 1.6.1.0-rc2, update to version 1.6.1.0-rc2 or later.
For Asterisk Business Edition version C.2.3, consider disabling the pedantic option as a temporary workaround until a patch is available.
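The failure mode above is a comparison routine that assumes both SIP URIs carry a parameter (";...") and header ("?...") section and dereferences the pointers unconditionally, so a URI with neither section yields a NULL. The following C program is an added illustration, not Asterisk's code: the struct, the helper `split_uri`, the ordering function `section_cmp` and the check `uris_match_pedantic` are all hypothetical names, and the sample URIs are constructed. It shows the unsafe pattern beside a NULL-safe one in which two absent sections compare equal and an absent section never equals a present one.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical parsed SIP URI (not Asterisk's struct): the parameter and
 * header sections are optional. A bare URI such as "sip:alice@example.com"
 * has neither, so both pointers stay NULL after parsing. */
struct uri_parts {
    char *params;   /* text after the first ';' (up to any '?'), or NULL */
    char *headers;  /* text after the first '?', or NULL */
};

/* Hypothetical helper: split a writable buffer of the form
 * "sip:user@host[;params][?headers]" in place. */
static void split_uri(char *uri, struct uri_parts *out)
{
    out->params = NULL;
    out->headers = NULL;
    char *q = strchr(uri, '?');          /* headers come after '?' */
    if (q) { *q = '\0'; out->headers = q + 1; }
    char *semi = strchr(uri, ';');       /* params come after ';' */
    if (semi) { *semi = '\0'; out->params = semi + 1; }
}

/* The defective pattern: a direct strcmp on two optional sections.
 * Undefined behaviour (typically a crash) when either side is NULL,
 * which is exactly the header-less INVITE case. Never call it with NULL. */
static int section_cmp_unsafe(const char *a, const char *b)
{
    return strcmp(a, b);
}

/* NULL-safe ordering with strcmp-style results (<0, 0, >0): two absent
 * sections are equal, an absent section sorts before a present one, and
 * two present sections compare by text. */
int section_cmp(const char *a, const char *b)
{
    if (a == NULL && b == NULL) return 0;
    if (a == NULL) return -1;
    if (b == NULL) return 1;
    return strcmp(a, b);
}

/* Pedantic-style match: 1 when both URIs carry identical params and
 * headers (each possibly absent), else 0. Never dereferences a NULL. */
int uris_match_pedantic(const char *uri_a, const char *uri_b)
{
    char bufa[256], bufb[256];
    if (strlen(uri_a) >= sizeof bufa || strlen(uri_b) >= sizeof bufb)
        return 0;                         /* reject oversized input */
    strcpy(bufa, uri_a);
    strcpy(bufb, uri_b);
    struct uri_parts a, b;
    split_uri(bufa, &a);
    split_uri(bufb, &b);
    return section_cmp(a.params, b.params) == 0
        && section_cmp(a.headers, b.headers) == 0;
}

int main(void)
{
    /* Constructed sample URIs: one bare, one with both optional sections. */
    const char *bare = "sip:alice@example.com";
    const char *full = "sip:alice@example.com;transport=udp?Subject=hello";
    printf("bare vs bare: %d\n", uris_match_pedantic(bare, bare));
    printf("bare vs full: %d\n", uris_match_pedantic(bare, full));
    printf("full vs full: %d\n", uris_match_pedantic(full, full));
    /* section_cmp_unsafe is only safe on two present sections. */
    printf("unsafe on present sections: %d\n",
           section_cmp_unsafe("transport=udp", "transport=udp"));
    return 0;
}
```

The point for a reviewer is the guard at the top of `section_cmp`: every comparison of an optional message component needs an explicit decision about what "absent" means before any pointer is dereferenced, and that decision belongs in the comparison routine itself rather than in each caller.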
Fix
DoS
RCE
Affected Products
Asterisk Business Edition
Asterisk Open Source