DEBIAN:DLA-781-1
[SECURITY] [DLA 781-1] asterisk security update
Date: 2017-01-13 00:32:18
Source: lists.debian.org

CVSS2: 5 Medium
AV:N/AC:L/Au:N/C:N/I:N/A:P
Attack Vector: NETWORK; Attack Complexity: LOW; Authentication: NONE; Confidentiality Impact: NONE; Integrity Impact: NONE; Availability Impact: PARTIAL

CVSS3: 7.5 High
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector: NETWORK; Attack Complexity: LOW; Privileges Required: NONE; User Interaction: NONE; Scope: UNCHANGED; Confidentiality Impact: NONE; Integrity Impact: NONE; Availability Impact: HIGH

AI Score: 8.2 High (Confidence: High)

EPSS: 0.63 Medium (Percentile: 97.9%)

Package : asterisk
Version : 1:1.8.13.1~dfsg1-3+deb7u5
CVE ID : CVE-2014-2287 CVE-2016-7551
Debian Bug : 838832 741313

Two security vulnerabilities were discovered in Asterisk, an Open
Source PBX and telephony toolkit.

CVE-2014-2287

channels/chan_sip.c in Asterisk, when chan_sip has a certain
configuration, allows remote authenticated users to cause a denial
of service (channel and file descriptor consumption) via an INVITE
request with a (1) Session-Expires or (2) Min-SE header carrying a
malformed or invalid value.

CVE-2016-7551

The overlap dialing feature in chan_sip allows chan_sip to report
to a device that the number that has been dialed is incomplete and
more digits are required. If this functionality is used with a
device that has performed username/password authentication, RTP
resources are leaked. This occurs because the code fails to release
the old RTP resources before allocating new ones in this scenario.
If all resources are used, RTP port exhaustion occurs and no new
RTP sessions can be set up.

For Debian 7 "Wheezy", these problems have been fixed in version
1:1.8.13.1~dfsg1-3+deb7u5.

We recommend that you upgrade your asterisk packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
