BugTraq
[ MDVSA-2014:078 ] asterisk Apr 16 2014 02:29PM
security mandriva com
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory MDVSA-2014:078
http://www.mandriva.com/en/support/security/
_______________________________________________________________________

Package : asterisk
Date : January 16, 2014
Affected: Business Server 1.0
_______________________________________________________________________

Problem Description:

Multiple vulnerabilities has been discovered and corrected in asterisk:

Sending a HTTP request that is handled by Asterisk with a large number
of Cookie headers could overflow the stack. You could even exhaust
memory if you sent an unlimited number of headers in the request
(CVE-2014-2286).

An attacker can use all available file descriptors using SIP INVITE
requests. Asterisk will respond with code 400, 420, or 422 for INVITEs
meeting this criteria. Each INVITE meeting these conditions will leak
a channel and several file descriptors. The file descriptors cannot
be released without restarting Asterisk which may allow intrusion
detection systems to be bypassed by sending the requests slowly
(CVE-2014-2287).

The updated packages has been upgraded to the 11.8.1 version which
is not vulnerable to these issues.
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2286
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2287
http://downloads.asterisk.org/pub/security/AST-2014-001.html
http://downloads.asterisk.org/pub/security/AST-2014-002.html
http://downloads.asterisk.org/pub/telephony/asterisk/asterisk-11.8.1-sum
mary.html
_______________________________________________________________________

Updated Packages:

Mandriva Business Server 1/X86_64:
874dc48147428760673777cf9f0883c1 mbs1/x86_64/asterisk-11.8.1-1.1.mbs1.x86_64.rpm
754c24b57a249f5a811de9ea42491b54 mbs1/x86_64/asterisk-addons-11.8.1-1.1.mbs1.x86_64.rpm
e3f76b59108f69d490ad15b0714d0199 mbs1/x86_64/asterisk-devel-11.8.1-1.1.mbs1.x86_64.rpm
f74de033fc0f8253c1d9b8a2789fb527 mbs1/x86_64/asterisk-firmware-11.8.1-1.1.mbs1.x86_64.rpm
55129ac6c361daaef8da67ba7be0459c mbs1/x86_64/asterisk-gui-11.8.1-1.1.mbs1.x86_64.rpm
14d0511440107e30ae336ecdca0be59b mbs1/x86_64/asterisk-plugins-alsa-11.8.1-1.1.mbs1.x86_64.rpm
41e1faffe1723876b0c923e2fe6edd33 mbs1/x86_64/asterisk-plugins-calendar-11.8.1-1.1.mbs1.x86_64.rpm
bf12035dfc03a04491da69c75b60cd12 mbs1/x86_64/asterisk-plugins-cel-11.8.1-1.1.mbs1.x86_64.rpm
95d8343789fecaffbe7c0e48f7f7dd52 mbs1/x86_64/asterisk-plugins-corosync-11.8.1-1.1.mbs1.x86_64.rpm
b2abd8598301c972c87d43f231a3f38b mbs1/x86_64/asterisk-plugins-curl-11.8.1-1.1.mbs1.x86_64.rpm
283283874e245047cfdbc1942641f6d7 mbs1/x86_64/asterisk-plugins-dahdi-11.8.1-1.1.mbs1.x86_64.rpm
def694a9a67a6941eb8000309a3d8714 mbs1/x86_64/asterisk-plugins-fax-11.8.1-1.1.mbs1.x86_64.rpm
9873bafb3e6b6ac8f120681f613f3cc3 mbs1/x86_64/asterisk-plugins-festival-11.8.1-1.1.mbs1.x86_64.rpm
15179ea325b192805303066fe871036e mbs1/x86_64/asterisk-plugins-ices-11.8.1-1.1.mbs1.x86_64.rpm
ba2c090fba82b88b1ca4df296bd2481b mbs1/x86_64/asterisk-plugins-jabber-11.8.1-1.1.mbs1.x86_64.rpm
7cc400611598886a409fb8c88ef2c1a8 mbs1/x86_64/asterisk-plugins-jack-11.8.1-1.1.mbs1.x86_64.rpm
c2154c8cc9dc2e97fe72b6813db49f6f mbs1/x86_64/asterisk-plugins-ldap-11.8.1-1.1.mbs1.x86_64.rpm
9d236fe1a49ce75c2e24e45a4909fb37 mbs1/x86_64/asterisk-plugins-lua-11.8.1-1.1.mbs1.x86_64.rpm
c77efd21f409fdccdac885250401bf5b mbs1/x86_64/asterisk-plugins-minivm-11.8.1-1.1.mbs1.x86_64.rpm
854026c676dc1b1d7ef5a9a893be9577 mbs1/x86_64/asterisk-plugins-mobile-11.8.1-1.1.mbs1.x86_64.rpm
94ea8dfd0ec5c49934f9b41a05555e9e mbs1/x86_64/asterisk-plugins-mp3-11.8.1-1.1.mbs1.x86_64.rpm
c1fabd448cd867adee2ca3a76dde6bfb mbs1/x86_64/asterisk-plugins-mysql-11.8.1-1.1.mbs1.x86_64.rpm
16fdb65e155295275c8030d5a49cf405 mbs1/x86_64/asterisk-plugins-ooh323-11.8.1-1.1.mbs1.x86_64.rpm
04ceda6e0f9e2cc6667ad1da79b293c4 mbs1/x86_64/asterisk-plugins-osp-11.8.1-1.1.mbs1.x86_64.rpm
7d6cabe58838c7fc78591e4be9e56f2a mbs1/x86_64/asterisk-plugins-oss-11.8.1-1.1.mbs1.x86_64.rpm
c1e60796fb9c8f7f586a6442efd8451a mbs1/x86_64/asterisk-plugins-pgsql-11.8.1-1.1.mbs1.x86_64.rpm
c906a6deb3b0a7175170c623857400a6 mbs1/x86_64/asterisk-plugins-pktccops-11.8.1-1.1.mbs1.x86_64.rpm
9755b277eaea6189fc748f476fb3b7b7 mbs1/x86_64/asterisk-plugins-portaudio-11.8.1-1.1.mbs1.x86_64.rpm
10dc20a29f0e93c535bd6ae2f5d7bd3f mbs1/x86_64/asterisk-plugins-radius-11.8.1-1.1.mbs1.x86_64.rpm
ce94490f0722222165f39dd080983906 mbs1/x86_64/asterisk-plugins-saycountpl-11.8.1-1.1.mbs1.x86_64.rpm
aede3e915a106ed25e7a34130d8661d8 mbs1/x86_64/asterisk-plugins-skinny-11.8.1-1.1.mbs1.x86_64.rpm
a5a9bf5903f40542a71bd9ea7dde8590 mbs1/x86_64/asterisk-plugins-snmp-11.8.1-1.1.mbs1.x86_64.rpm
bfa50fb63a88f8f86d5aefdedc683c10 mbs1/x86_64/asterisk-plugins-speex-11.8.1-1.1.mbs1.x86_64.rpm
af665709f0f799289a8f4dcc3b7d2e3a mbs1/x86_64/asterisk-plugins-sqlite-11.8.1-1.1.mbs1.x86_64.rpm
62488f0a52ab46c03d6afb3028085c04 mbs1/x86_64/asterisk-plugins-tds-11.8.1-1.1.mbs1.x86_64.rpm
deb26eb56468a4a6563c6356820cd908 mbs1/x86_64/asterisk-plugins-unistim-11.8.1-1.1.mbs1.x86_64.rpm
37f8d70a41006d36e4d7b4fdf818284d mbs1/x86_64/asterisk-plugins-voicemail-11.8.1-1.1.mbs1.x86_64.rpm
279a002fa68d85b4c6dd511a613cd7ef mbs1/x86_64/asterisk-plugins-voicemail-imap-11.8.1-1.1.mbs1.x86_64.rpm
8a60a940674e0d44812e68957ed28e24 mbs1/x86_64/asterisk-plugins-voicemail-plain-11.8.1-1.1.mbs1.x86_64.rpm
f276cf7f4755f67438e42b1990eb9ad1 mbs1/x86_64/lib64asteriskssl1-11.8.1-1.1.mbs1.x86_64.rpm
bff672404f7226e39771ea197ae43111 mbs1/SRPMS/asterisk-11.8.1-1.1.mbs1.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/en/support/security/advisories/

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iD4DBQFTTmmZmqjQ0CJFipgRAgZhAJiZvnPkmS1CodQe2SU6N9KH7gqrAKDexk/g
PoAfzdBLpkgcjjZNAgjVGA==
=81VZ
-----END PGP SIGNATURE-----

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus