http://downloads.asterisk.org/pub/security/AST-2014-012.html http://downloads.asterisk.org/pub/security/AST-2014-013.html http://downloads.asterisk.org/pub/security/AST-2014-014.html http://downloads.asterisk.org/pub/security/AST-2014-015.html http://downloads.asterisk.org/pub/security/AST-2014-016.html http://downloads.asterisk.org/pub/security/AST-2014-017.html http://downloads.asterisk.org/pub/security/AST-2014-018.html
+*asterisk-12.7.1 (24 Nov 2014) +*asterisk-11.14.1 (24 Nov 2014) + + 24 Nov 2014; Tony Vroon <chainsaw@gentoo.org> -asterisk-11.14.0.ebuild, + +asterisk-11.14.1.ebuild, -asterisk-12.6.1.ebuild, -asterisk-12.7.0.ebuild, + +asterisk-12.7.1.ebuild: + 11 branch susceptible to AST-2014-012, AST-2014-014, AST-2014-017 & + AST-2014-018. 12 branch susceptible to AST-2014-012, AST-2014-013, + AST-2014-015, AST-2014-016, AST-2014-017 & AST-2014-018. Vulnerable + non-stable ebuilds removed. For security bug #530056. Arches, please test & mark stable: =net-misc/asterisk-11.14.1 Target stable keywords: amd64 x86
amd64 stable
x86 stable. Maintainer(s), please cleanup. Security, please vote.
+ 24 Nov 2014; Tony Vroon <chainsaw@gentoo.org> -asterisk-11.13.1.ebuild: + Remove vulnerable ebuilds now that stabilisation is complete. For security + bug #530056.
CVE-2014-8418 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8418): The DB dialplan function in Asterisk Open Source 1.8.x before 1.8.32, 11.x before 11.1.4.1, 12.x before 12.7.1, and 13.x before 13.0.1 and Certified Asterisk 1.8 before 1.8.28-cert8 and 11.6 before 11.6-cert8 allows remote authenticated users to gain privileges via a call from an external protocol, as demonstrated by the AMI protocol. CVE-2014-8417 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8417): ConfBridge in Asterisk 11.x before 11.14.1, 12.x before 12.7.1, and 13.x before 13.0.1 and Certified Asterisk 11.6 before 11.6-cert8 allows remote authenticated users to (1) gain privileges via vectors related to an external protocol to the CONFBRIDGE dialplan function or (2) execute arbitrary system commands via a crafted ConfbridgeStartRecord AMI action. CVE-2014-8414 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8414): ConfBridge in Asterisk 11.x before 11.14.1 and Certified Asterisk 11.6 before 11.6-cert8 does not properly handle state changes, which allows remote attackers to cause a denial of service (channel hang and memory consumption) by causing transitions to be delayed, which triggers a state change from hung up to waiting for media. CVE-2014-8412 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8412): The (1) VoIP channel drivers, (2) DUNDi, and (3) Asterisk Manager Interface (AMI) in Asterisk Open Source 1.8.x before 1.8.32.1, 11.x before 11.14.1, 12.x before 12.7.1, and 13.x before 13.0.1 and Certified Asterisk 1.8.28 before 1.8.28-cert3 and 11.6 before 11.6-cert8 allows remote attackers to bypass the ACL restrictions via a packet with a source IP that does not share the address family as the first ACL entry.
Added to existing GLSA draft along with bug 532242
This issue was resolved and addressed in GLSA 201412-51 at http://security.gentoo.org/glsa/glsa-201412-51.xml by GLSA coordinator Kristian Fiskerstrand (K_F).
