Debians sikkerhedsbulletin

DSA-1525-1 asterisk -- flere sårbarheder

Rapporteret den:

20. mar 2008

Berørte pakker:

asterisk

Sårbar:

Referencer i sikkerhedsdatabaser:

I Mitres CVE-ordbog: CVE-2007-6430, CVE-2008-1332, CVE-2008-1333.

Yderligere oplysninger:

Flere fjernudnytbare sårbarheder er opdaget i Asterisk, et fri software PBX og telefonitoolkit. Projektet Common Vulnerabilities and Exposures har fundet frem til følgene problemer:

CVE-2007-6430
Tilghman Lesher opdagede at databasebaserede registreringer blev valideret på utilstrækkelig vis. Dette påvirker kun konfigurationer, der er opsat til at køre uden en adgangskode og kun værtsbaseret autentificering.
CVE-2008-1332
Jason Parker opdagede at utilstrækkelig validering af From:-headere i SIP-kanaldriveren kunne føre til autentificeringsomgåelse og potentiel ekstern initiering af opkald.
CVE-2008-1333
Denne opdatering retter også en formatstrengssårbarhed, der kun kan udløses gennem opsætningsfiler under kontrol af den lokal administrator. I senere udgaver af Asterisk er dette problem fjernudnytbart og spores som CVE-2008-1333.

Hvorvidt den gamle stabile distribution (sarge) er påvirket, er pt. ved at blive undersøgt. Hvis den er påvirket, vil en opdatering blive udgiven gennem security.debian.org.

I den stabile distribution (etch), er disse problemer rettet i version 1:1.2.13~dfsg-2etch3.

Vi anbefaler at du opgraderer dine asterisk-pakker.

Rettet i:

Debian GNU/Linux 4.0 (stable)

Kildekode:: http://security.debian.org/pool/updates/main/a/asterisk/asterisk_1.2.13~dfsg-2etch3.diff.gz; http://security.debian.org/pool/updates/main/a/asterisk/asterisk_1.2.13~dfsg.orig.tar.gz; http://security.debian.org/pool/updates/main/a/asterisk/asterisk_1.2.13~dfsg-2etch3.dsc
Arkitekturuafhængig komponent:: http://security.debian.org/pool/updates/main/a/asterisk/asterisk-doc_1.2.13~dfsg-2etch3_all.deb; http://security.debian.org/pool/updates/main/a/asterisk/asterisk-sounds-main_1.2.13~dfsg-2etch3_all.deb; http://security.debian.org/pool/updates/main/a/asterisk/asterisk-config_1.2.13~dfsg-2etch3_all.deb; http://security.debian.org/pool/updates/main/a/asterisk/asterisk-web-vmail_1.2.13~dfsg-2etch3_all.deb; http://security.debian.org/pool/updates/main/a/asterisk/asterisk-dev_1.2.13~dfsg-2etch3_all.deb; http://security.debian.org/pool/updates/main/a/asterisk/asterisk_1.2.13~dfsg-2etch3_all.deb
Alpha:: http://security.debian.org/pool/updates/main/a/asterisk/asterisk-bristuff_1.2.13~dfsg-2etch3_alpha.deb; http://security.debian.org/pool/updates/main/a/asterisk/asterisk-h323_1.2.13~dfsg-2etch3_alpha.deb; http://security.debian.org/pool/updates/main/a/asterisk/asterisk-classic_1.2.13~dfsg-2etch3_alpha.deb
AMD64:: http://security.debian.org/pool/updates/main/a/asterisk/asterisk-bristuff_1.2.13~dfsg-2etch3_amd64.deb; http://security.debian.org/pool/updates/main/a/asterisk/asterisk-h323_1.2.13~dfsg-2etch3_amd64.deb; http://security.debian.org/pool/updates/main/a/asterisk/asterisk-classic_1.2.13~dfsg-2etch3_amd64.deb
ARM:: http://security.debian.org/pool/updates/main/a/asterisk/asterisk-bristuff_1.2.13~dfsg-2etch3_arm.deb; http://security.debian.org/pool/updates/main/a/asterisk/asterisk-classic_1.2.13~dfsg-2etch3_arm.deb; http://security.debian.org/pool/updates/main/a/asterisk/asterisk-h323_1.2.13~dfsg-2etch3_arm.deb
HP Precision:: http://security.debian.org/pool/updates/main/a/asterisk/asterisk-h323_1.2.13~dfsg-2etch3_hppa.deb; http://security.debian.org/pool/updates/main/a/asterisk/asterisk-bristuff_1.2.13~dfsg-2etch3_hppa.deb; http://security.debian.org/pool/updates/main/a/asterisk/asterisk-classic_1.2.13~dfsg-2etch3_hppa.deb
Intel IA-32:: http://security.debian.org/pool/updates/main/a/asterisk/asterisk-classic_1.2.13~dfsg-2etch3_i386.deb; http://security.debian.org/pool/updates/main/a/asterisk/asterisk-bristuff_1.2.13~dfsg-2etch3_i386.deb; http://security.debian.org/pool/updates/main/a/asterisk/asterisk-h323_1.2.13~dfsg-2etch3_i386.deb
Intel IA-64:: http://security.debian.org/pool/updates/main/a/asterisk/asterisk-h323_1.2.13~dfsg-2etch3_ia64.deb; http://security.debian.org/pool/updates/main/a/asterisk/asterisk-classic_1.2.13~dfsg-2etch3_ia64.deb; http://security.debian.org/pool/updates/main/a/asterisk/asterisk-bristuff_1.2.13~dfsg-2etch3_ia64.deb
Big-endian MIPS:: http://security.debian.org/pool/updates/main/a/asterisk/asterisk-h323_1.2.13~dfsg-2etch3_mips.deb; http://security.debian.org/pool/updates/main/a/asterisk/asterisk-bristuff_1.2.13~dfsg-2etch3_mips.deb; http://security.debian.org/pool/updates/main/a/asterisk/asterisk-classic_1.2.13~dfsg-2etch3_mips.deb
Little-endian MIPS:: http://security.debian.org/pool/updates/main/a/asterisk/asterisk-classic_1.2.13~dfsg-2etch3_mipsel.deb; http://security.debian.org/pool/updates/main/a/asterisk/asterisk-h323_1.2.13~dfsg-2etch3_mipsel.deb; http://security.debian.org/pool/updates/main/a/asterisk/asterisk-bristuff_1.2.13~dfsg-2etch3_mipsel.deb
PowerPC:: http://security.debian.org/pool/updates/main/a/asterisk/asterisk-h323_1.2.13~dfsg-2etch3_powerpc.deb; http://security.debian.org/pool/updates/main/a/asterisk/asterisk-classic_1.2.13~dfsg-2etch3_powerpc.deb; http://security.debian.org/pool/updates/main/a/asterisk/asterisk-bristuff_1.2.13~dfsg-2etch3_powerpc.deb
IBM S/390:: http://security.debian.org/pool/updates/main/a/asterisk/asterisk-classic_1.2.13~dfsg-2etch3_s390.deb; http://security.debian.org/pool/updates/main/a/asterisk/asterisk-bristuff_1.2.13~dfsg-2etch3_s390.deb; http://security.debian.org/pool/updates/main/a/asterisk/asterisk-h323_1.2.13~dfsg-2etch3_s390.deb

MD5-kontrolsummer for de listede filer findes i den originale sikkerhedsbulletin.