Bug 573924 (AST-2016-001) - <net-misc/asterisk-11.21.1: Susceptible to BEAST attack in TLS implementation (AST-2016-001)
Summary: <net-misc/asterisk-11.21.1: Susceptible to BEAST attack in TLS implementation...
Status: RESOLVED FIXED
Alias: AST-2016-001
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: http://downloads.asterisk.org/pub/sec...
Whiteboard: B4 [noglsa]
Reported: 2016-02-05 13:31 UTC by Kristian Fiskerstrand (RETIRED)
Modified: 2016-05-30 07:03 UTC
Runtime testing required: ---

Description Kristian Fiskerstrand (RETIRED) gentoo-dev 2016-02-05 13:31:07 UTC
CVE Name: Pending

Description
The Asterisk HTTP server currently has a default configuration which allows the BEAST vulnerability to be exploited if the TLS functionality is enabled. This can allow a man-in-the-middle attack to decrypt data passing through it.

Resolution
Additional configuration options have been added to Asterisk which allow configuration of the HTTP server to not be susceptible to the BEAST vulnerability. These include options to confirm the permitted ciphers, to control what TLS protocols are allowed, and to use server cipher preference order instead of client preference order. The default configuration has also been changed for the HTTP server to use a configuration which is not susceptible to the BEAST vulnerability.
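As an added illustration (not part of this bug report, the advisory, or Asterisk's own tooling), a small Python audit of an Asterisk http.conf against the three mitigations the resolution describes: restrict the permitted ciphers, disable the protocol version BEAST needs, and let the server rather than the client choose the cipher. The key names tlsdisablev1 and tlsservercipherorder are assumed here to be the http.conf options this fix introduced; tlsenable and tlscipher are existing options; both sample configurations are constructed.

```python
import configparser

# Constructed sample: the pre-fix shape of http.conf, TLS on with no cipher
# restriction, no protocol restriction and client cipher order honoured.
WEAK_CONF = """
[general]
enabled=yes
tlsenable=yes
tlsbindaddr=0.0.0.0:8089
tlscertfile=/etc/asterisk/keys/asterisk.pem
"""

# Constructed sample using the three knobs the resolution describes. Key names
# are assumed: tlsdisablev1 and tlsservercipherorder are taken to be the
# options added for AST-2016-001; tlsenable and tlscipher already existed.
HARDENED_CONF = WEAK_CONF + """
tlscipher=ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384
tlsdisablev1=yes
tlsservercipherorder=yes
"""

def _yes(value):
    return str(value).strip().lower() in ("yes", "true", "on", "1")

def audit_http_conf(text):
    """Parse an http.conf body and extract the BEAST-relevant TLS settings."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    g = cp["general"] if cp.has_section("general") else {}
    return {
        "tls_enabled": _yes(g.get("tlsenable", "no")),
        "tls10_disabled": _yes(g.get("tlsdisablev1", "no")),
        "server_order": _yes(g.get("tlsservercipherorder", "no")),
        "cipher_restricted": bool(g.get("tlscipher", "").strip()),
    }

def beast_exposed(report):
    """BEAST needs a CBC cipher negotiated under TLS 1.0 (SSLv3 assumed off),
    so the server is out of reach once TLS 1.0 is disabled, or once it both
    restricts the cipher list and enforces its own preference order, so a
    client steered by a man-in-the-middle cannot select a CBC suite."""
    if not report["tls_enabled"] or report["tls10_disabled"]:
        return False
    return not (report["server_order"] and report["cipher_restricted"])

def findings(report):
    """Settings an operator should change, one message per missing control."""
    checks = (("tls10_disabled", "tlsdisablev1 is not yes: TLS 1.0 stays negotiable"),
              ("server_order", "tlsservercipherorder is not yes: client picks cipher"),
              ("cipher_restricted", "tlscipher unset: OpenSSL defaults include CBC suites"))
    return [msg for key, msg in checks if report["tls_enabled"] and not report[key]]
```

Running audit_http_conf over the two samples gives three findings for WEAK_CONF and none for HARDENED_CONF; a config with tlsenable=no reports nothing, since there is no TLS session to attack.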
Comment 1 Tony Vroon (RETIRED) gentoo-dev 2016-02-05 13:33:13 UTC
Arches, please test & mark stable:
=net-misc/asterisk-11.21.1

Target keywords: AMD64 X86

Test plan:
1) emerge asterisk with USE=samples
2) /etc/init.d/asterisk start
3) wait 6 seconds
4) /etc/init.d/asterisk stop
5) wait 6 seconds
6) repeat from step 2 for 4 iterations
Comment 2 Agostino Sarubbo gentoo-dev 2016-02-05 15:03:55 UTC
amd64 stable
Comment 3 Agostino Sarubbo gentoo-dev 2016-02-05 15:04:21 UTC
x86 stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 4 Tony Vroon (RETIRED) gentoo-dev 2016-02-05 15:09:40 UTC
Vulnerable ebuild removed.
Comment 5 Kristian Fiskerstrand (RETIRED) gentoo-dev 2016-02-05 16:10:47 UTC
GLSA Vote: No