Ventrilo: Denial of Service — GLSA 200904-13

A vulnerability has been discovered in Ventrilo, allowing for a Denial of Service.

Affected Packages

media-sound/ventrilo-server-bin on all architectures
Affected versions < 3.0.3
Unaffected versions >= 3.0.3

Background

Ventrilo is a Voice over IP group communication server.

Description

Luigi Auriemma reported a NULL pointer dereference in Ventrilo when processing packets with an invalid version number followed by another packet.

Impact

A remote attacker could send specially crafted packets to the server, resulting in a crash.

Workaround

There is no known workaround at this time.

Resolution

All Ventrilo users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=media-sound/ventrilo-server-bin-3.0.3"

References

Release Date
April 14, 2009

Latest Revision
April 14, 2009: 01

Severity
normal

Exploitable
remote

Bugzilla entries