[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

[SECURITY] [DLA 455-1] asterisk security update



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Package        : asterisk
Version        : 1:1.8.13.1~dfsg1-3+deb7u4
CVE ID         : CVE-2014-2286 CVE-2014-4046 CVE-2014-6610 CVE-2014-8412
                 CVE-2014-8418 CVE-2015-3008
Debian Bug     : 741313 762164 771463 782411


CVE-2014-6610
     Asterisk Open Source 11.x before 11.12.1 and 12.x before 12.5.1
     and Certified Asterisk 11.6 before 11.6-cert6, when using the
     res_fax_spandsp module, allows remote authenticated users to
     cause a denial of service (crash) via an out of call message,
     which is not properly handled in the ReceiveFax dialplan
     application.

CVE-2014-4046
     Asterisk Open Source 11.x before 11.10.1 and 12.x before 12.3.1
     and Certified Asterisk 11.6 before 11.6-cert3 allows remote
     authenticated Manager users to execute arbitrary shell commands
     via a MixMonitor action.

CVE-2014-2286
     main/http.c in Asterisk Open Source 1.8.x before 1.8.26.1, 11.8.x
     before 11.8.1, and 12.1.x before 12.1.1, and Certified Asterisk
     1.8.x before 1.8.15-cert5 and 11.6 before 11.6-cert2, allows remote
     attackers to cause a denial of service (stack consumption) and
     possibly execute arbitrary code via an HTTP request with a large
     number of Cookie headers.

CVE-2014-8412
     The (1) VoIP channel drivers, (2) DUNDi, and (3) Asterisk Manager
     Interface (AMI) in Asterisk Open Source 1.8.x before 1.8.32.1,
     11.x before 11.14.1, 12.x before 12.7.1, and 13.x before 13.0.1
     and Certified Asterisk 1.8.28 before 1.8.28-cert3 and 11.6 before
     11.6-cert8 allows remote attackers to bypass the ACL restrictions
     via a packet with a source IP that does not share the address family
     as the first ACL entry.

CVE-2014-8418
     The DB dialplan function in Asterisk Open Source 1.8.x before 1.8.32,
     11.x before 11.1.4.1, 12.x before 12.7.1, and 13.x before 13.0.1 and
     Certified Asterisk 1.8 before 1.8.28-cert8 and 11.6 before 11.6-cert8
     allows remote authenticated users to gain privileges via a call from
     an external protocol, as demonstrated by the AMI protocol.

CVE-2015-3008
     Asterisk Open Source 1.8 before 1.8.32.3, 11.x before 11.17.1, 12.x
     before 12.8.2, and 13.x before 13.3.2 and Certified Asterisk 1.8.28
     before 1.8.28-cert5, 11.6 before 11.6-cert11, and 13.1 before
     13.1-cert2, when registering a SIP TLS device, does not properly
     handle a null byte in a domain name in the subject's Common Name (CN)
     field of an X.509 certificate, which allows man-in-the-middle attackers
     to spoof arbitrary SSL servers via a crafted certificate issued by a
     legitimate Certification Authority.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQJ8BAEBCgBmBQJXKQqWXxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXQ2MjAxRkJGRkRCQkRFMDc4MjJFQUJCOTY5
NkZDQUMwRDM4N0I1ODQ3AAoJEJb8rA04e1hHW2sP/A9EmShDJ8KbsbM/h8Z2kzpC
RBoSnGmFE75C64WhD4gvEWO8sy158gFw4P79qvSgPbAxTjjFDx7o+UIIGBN8z41d
ub1cfRkaFyLhud0iZKDUFCx0VPOoYAZEzSVYZZKZaF43kaTJXcHAarhrkeKVVYoa
1kPXwvQP/yPrpys6EilcZ+LvoXm3gGz8i1+szmVEv2QBqFpnoVeJmmAp3jK6E7H4
0hHGlxsByvrj2k1Ms6SS5SDMisYr6PnZoJIAra3FAIoVayBlVrkTGGPK/Qi87W83
lCB91N5bxruK5/nWVD8qmJY+cUZJ+lbzu8hJk35ZZyqwWmME2qn+Erg/o8BRP83d
b+a1aYXPrH3VjKLT2LfRC7QXN3odGf7mRbV27wwM+ewT/ROz/lhCzlGSsB3W7z5h
KPvd63BcW2amZk2S53+0Lt7OCcmqrEKcoeYgd+7nYggJR0qFLIES+s5eZzxRkDrW
GjUx70uIuj3yuJYCb1FRKfspM2KJrFso7qYgswfZhDtC3+oX6pL7Dnt2pw75MfTF
fK//lC6qVF7KtpxyoCOCfkh+mOHVBsRFfEHNeEPCGfJXqjxh2W+pPzpIjmh4OY5B
oXa9rUg83/t5/aeAqciIaXk79Bbrn7PV6fRYJQ7HrODfz0nDTlejg+5GXXX6ctm1
sbt+0FBgqD3KlhSUO5Al
=u17W
-----END PGP SIGNATURE-----


Reply to: