CVE Name Pending Description The Asterisk HTTP server currently has a default configuration which allows the BEAST vulnerability to be exploited if the TLS functionality is enabled. This can allow a man-in-the-middle attack to decrypt data passing through it. Resolution Additional configuration options have been added to Asterisk which allow configuration of the HTTP server to not be susceptible to the BEAST vulnerability. These include options to confirm the permitted ciphers, to control what TLS protocols are allowed, and to use server cipher preference order instead of client preference order. The default configuration has also been changed for the HTTP server to use a configuration which is not susceptible to the BEAST vulnerability.
Arches, please test & mark stable: =net-misc/asterisk-11.21.1 Target keywords: AMD64 X86 Test plan: 1) emerge asterisk with USE=samples 2) /etc/init.d/asterisk start 3) wait 6 seconds 4) /etc/init.d/asterisk stop 5) wait 6 seconds 6) repeat from step 2 for 4 iterations
amd64 stable
x86 stable. Maintainer(s), please cleanup. Security, please vote.
Vulnerable ebuild removed.
GLSA Vote: No