Bug 284892 - <net-misc/asterisk-{1.2.36, 1.6.1.9} Multiple vulnerabilities (CVE-2008-7220,CVE-2009-3727)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High minor
Assignee: Gentoo Security
URL: http://www.asterisk.org/node/49859
Whiteboard: B4 [glsa]
Keywords:
Depends on:
Blocks: CVE-2008-7220
Reported: 2009-09-14 10:26 UTC by Alex Legler (RETIRED)
Modified: 2013-07-08 23:01 UTC (History)
See Also:
Package list:
Runtime testing required: ---
Description Alex Legler (RETIRED) archtester gentoo-dev Security 2009-09-14 10:26:59 UTC
+++ This bug was initially created as a clone of Bug #284874 +++

CVE-2008-7220 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-7220):
  Unspecified vulnerability in Prototype JavaScript framework
  (prototypejs) before 1.6.0.2 allows attackers to make "cross-site
  ajax requests" via unknown vectors.

Asterisk 1.6.1.6 ships prototype 1.4.0 in static-http/prototype.js
Comment 1 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-11-04 20:46:19 UTC
AST-2009-008 (http://downloads.asterisk.org/pub/security/AST-2009-008.html):
It is possible to determine if a peer with a specific name is configured in Asterisk by sending a specially crafted REGISTER message twice. The username that is to be checked is put in the user portion of the URI in the To header. A bogus non-matching value is put into the username portion of the Digest in the Authorization header. If the peer does exist the second REGISTER will receive a response of “403 Authentication user name does not match account name”. If the peer does not exist the response will be “404 Not Found” if alwaysauthreject is disabled and “401 Unauthorized” if alwaysauthreject is enabled.

AST-2009-009 (http://downloads.asterisk.org/pub/security/AST-2009-009.html):
Asterisk includes a demonstration AJAX based manager interface, ajamdemo.html which uses the prototype.js framework. An issue was uncovered in this framework which could allow someone to execute a cross-site AJAX request exploit.

voip: Please bump.
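The enumeration technique in AST-2009-008 leaves a distinctive trace: a REGISTER whose To-URI user and Digest `username` disagree. The following detector is an added example written for this bug entry; it is not code from Asterisk, from the upstream advisory, or from Gentoo. It parses raw SIP requests, flags REGISTERs with inconsistent usernames, and reports sources that probe several distinct names (a single misconfigured phone typically repeats one mismatched name, so it is not reported). All traffic, hostnames and addresses below are constructed for the example.

```python
"""Flag SIP REGISTER requests whose To-URI user and Digest username disagree.

Added example (not Asterisk or Gentoo code). Sample traffic is constructed.
"""
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

_URI_USER = re.compile(r"sips?:([^@;>\s]+)@")
_DIGEST_USER = re.compile(r'username\s*=\s*"([^"]*)"', re.IGNORECASE)


def _register(to_name: str, digest_name: Optional[str] = None,
              method: str = "REGISTER") -> str:
    """Build a minimal constructed SIP request for the sample traffic."""
    lines = [
        f"{method} sip:pbx.example.test SIP/2.0",
        "Via: SIP/2.0/UDP 0.0.0.0:5060;branch=z9hG4bKconstructed",
        f"From: <sip:{to_name}@pbx.example.test>;tag=1",
        f"To: <sip:{to_name}@pbx.example.test>",
        "Call-ID: constructed@example.test",
        f"CSeq: 2 {method}",
    ]
    if digest_name is not None:
        lines.append(f'Authorization: Digest username="{digest_name}", '
                     'realm="asterisk", nonce="0", uri="sip:pbx.example.test", '
                     'response="0"')
    lines += ["Content-Length: 0", "", ""]
    return "\r\n".join(lines)


# Constructed sample traffic: (source address, raw SIP request). Not real captures.
SAMPLE_TRAFFIC: List[Tuple[str, str]] = [
    ("198.51.100.7", _register("alice", "zzzz")),   # probe: To=alice, Digest=zzzz
    ("198.51.100.7", _register("bob", "zzzz")),     # probe: To=bob,   Digest=zzzz
    ("198.51.100.7", _register("carol", "zzzz")),   # probe: To=carol, Digest=zzzz
    ("203.0.113.5", _register("alice", "alice")),   # legitimate, consistent names
    ("203.0.113.5", _register("alice")),            # first REGISTER, no Authorization yet
    ("192.0.2.20", _register("dave", "dave1")),     # misconfigured phone, one name
    ("192.0.2.20", _register("dave", "dave1")),     # same phone retrying
    ("192.0.2.9", _register("alice", "zzzz", method="INVITE")),  # not a REGISTER
]


def request_method(raw: str) -> str:
    """Return the method from the request line (first token of the first line)."""
    return raw.split("\r\n", 1)[0].split(" ", 1)[0]


def parse_headers(raw: str) -> Dict[str, str]:
    """Return a lower-cased header-name -> value map for a single SIP message."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers


def to_user(headers: Dict[str, str]) -> Optional[str]:
    """User part of the To-header URI, or None if absent."""
    m = _URI_USER.search(headers.get("to", ""))
    return m.group(1) if m else None


def digest_user(headers: Dict[str, str]) -> Optional[str]:
    """username parameter of a Digest Authorization header, or None if absent."""
    auth = headers.get("authorization", "")
    if not auth.lower().startswith("digest"):
        return None
    m = _DIGEST_USER.search(auth)
    return m.group(1) if m else None


def is_inconsistent_register(raw: str) -> bool:
    """True for a REGISTER carrying both names where they differ."""
    if request_method(raw) != "REGISTER":
        return False
    headers = parse_headers(raw)
    t, d = to_user(headers), digest_user(headers)
    return t is not None and d is not None and t != d


def find_enumeration_sources(traffic: List[Tuple[str, str]],
                             min_distinct_names: int = 2) -> Dict[str, List[str]]:
    """Sources that sent inconsistent REGISTERs for at least N distinct To users."""
    probed = defaultdict(set)
    for src, raw in traffic:
        if is_inconsistent_register(raw):
            probed[src].add(to_user(parse_headers(raw)))
    return {src: sorted(names) for src, names in probed.items()
            if len(names) >= min_distinct_names}


if __name__ == "__main__":
    for src, names in find_enumeration_sources(SAMPLE_TRAFFIC).items():
        print(f"{src}: inconsistent REGISTERs for {len(names)} names: {names}")
```

Counting distinct To users per source, rather than raw mismatches, is what separates a scan across many account names from one endpoint that keeps retrying a wrong credential. In a real deployment the source address comes from the transport layer or the Asterisk SIP log, not from the message itself.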
Comment 2 Tony Vroon (RETIRED) gentoo-dev 2009-11-04 23:09:23 UTC
+*asterisk-1.6.1.9 (04 Nov 2009)
+*asterisk-1.2.36 (04 Nov 2009)
+
+  04 Nov 2009; <chainsaw@gentoo.org> -asterisk-1.2.35-r1.ebuild,
+  +asterisk-1.2.36.ebuild, -asterisk-1.6.1.8.ebuild,
+  -asterisk-1.6.1.8-r1.ebuild, +asterisk-1.6.1.9.ebuild:
+  Version bumps as requested by Alex "a3li" Legler in security bug #284892,
+  drop any non-stable vulnerable ebuild. Upstream advisory AST-2009-008.

Arch teams, please stable net-misc/asterisk-1.2.36
Target keywords: alpha amd64 ppc sparc x86

Recommend compile test & attempt to run (default configuration should allow the daemon to start and stop with green OK from /etc/init.d/asterisk).
Comment 3 Tony Vroon (RETIRED) gentoo-dev 2009-11-05 16:17:58 UTC
+  05 Nov 2009; <chainsaw@gentoo.org> asterisk-1.2.36.ebuild:
+  Marked stable on AMD64 for security bug #284892, based on compilation &
+  start/stop init.d test on default configuration.
Comment 4 Markus Meier gentoo-dev 2009-11-05 20:11:09 UTC
x86 stable
Comment 5 Tobias Klausmann (RETIRED) gentoo-dev 2009-11-07 20:49:23 UTC
Stable on alpha.
Comment 6 Stefan Behte (RETIRED) gentoo-dev Security 2009-11-13 23:36:43 UTC
CVE-2009-3727 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3727):
  Asterisk Open Source 1.2.x before 1.2.35, 1.4.x before 1.4.26.3,
  1.6.0.x before 1.6.0.17, and 1.6.1.x before 1.6.1.9; Business Edition
  A.x.x, B.x.x before B.2.5.12, C.2.x.x before C.2.4.5, and C.3.x.x
  before C.3.2.2; AsteriskNOW 1.5; and s800i 1.3.x before 1.3.0.5
  generate different error messages depending on whether a SIP username
  is valid, allows remote attackers to enumerate valid usernames via
  multiple crafted REGISTER messages with inconsistent usernames in the
  URI in the To header and the Digest in the Authorization header.

Comment 7 Raúl Porcel (RETIRED) gentoo-dev 2009-11-14 15:03:54 UTC
sparc stable
Comment 8 Joe Jezak (RETIRED) gentoo-dev 2009-12-27 09:41:45 UTC
Marked ppc stable.
Comment 9 Alex Legler (RETIRED) archtester gentoo-dev Security 2010-06-04 05:18:18 UTC
GLSA 201006-20