Summary: | net-misc/asterisk: remote host access control bypass (CVE-2010-1224) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Stefan Behte (RETIRED) <craig> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | minor | CC: | chainsaw, voip+disabled |
Priority: | High | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | http://downloads.asterisk.org/pub/security/AST-2010-003-1.6.2.diff | ||
Whiteboard: | ~3 [noglsa] | ||
Package list: | Runtime testing required: | --- |
Description
Stefan Behte (RETIRED)
2010-04-06 03:59:46 UTC
+ 06 Apr 2010; <chainsaw@gentoo.org> -asterisk-1.6.1.17.ebuild,
+ -asterisk-1.6.2.5.ebuild:
+ Removing vulnerable ebuilds for CVE-2010-1224 / AST-2010-003 (Remote host
+ access control bypass) as requested by Stefan "Craig" Behte
+ <craig@gentoo.org> in security bug #313341.

Voting no for GLSA; stable Asterisk (1.2 branch) is not affected. No upgrades will have to be forced as the secure versions have been in the tree since March 15 (1.6.2) / March 16 (1.6.1).

No, too. We never had 1.6.x stable, closing NOGLSA.

CVE-2010-1224 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1224):
main/acl.c in Asterisk Open Source 1.6.0.x before 1.6.0.25, 1.6.1.x before 1.6.1.17, and 1.6.2.x before 1.6.2.5 does not properly enforce remote host access controls when CIDR notation "/0" is used in permit= and deny= configuration rules, which causes an improper arithmetic shift and might allow remote attackers to bypass ACL rules and access services from unauthorized hosts.
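The CVE text above describes the failure mode but not why a "/0" prefix breaks the ACL. The C program below is an added illustration written for this page; it is not Asterisk's acl.c and does not reproduce its code. It models the two pieces that matter: converting a prefix length to a netmask with the shape `0xFFFFFFFF << (32 - prefix)` (which shifts a 32-bit value by 32 for "/0", undefined in C; on x86 the shift count is masked to 5 bits, so the shift degenerates to "<< 0" and the mask becomes 0xFFFFFFFF instead of 0), and an evaluator that walks permit/deny rules in order with "default allow, last matching rule wins" semantics, which is an assumption made for the demo. The rule strings, client addresses and the `client_allowed` helper are constructed for the example. The x86 count masking is written out explicitly so the program is deterministic rather than relying on undefined behaviour.

```c
#include <stdint.h>
#include <stdio.h>
#include <arpa/inet.h>

enum sense { SENSE_ALLOW = 0, SENSE_DENY = 1 };

/* One permit=/deny= rule: address and mask held in host byte order. */
struct ha {
    enum sense sense;
    uint32_t addr;
    uint32_t mask;
};

/* Vulnerable shape of prefix -> mask: the shift amount is (32 - prefix),
 * i.e. 32 for "/0".  Shifting a 32-bit value by 32 is undefined in C; x86
 * masks the count to its low 5 bits, so it behaves like a shift by 0 and
 * "/0" yields 0xFFFFFFFF (match one host) instead of 0 (match everything).
 * The "& 31" models that hardware masking so the demo is deterministic. */
static uint32_t mask_from_prefix_buggy(int prefix) {
    unsigned shift = (32u - (unsigned)prefix) & 31u;
    return 0xFFFFFFFFu << shift;
}

/* Corrected shape: handle the edge prefixes explicitly so no 32-bit value
 * is ever shifted by 32. */
static uint32_t mask_from_prefix_fixed(int prefix) {
    if (prefix <= 0) return 0u;
    if (prefix >= 32) return 0xFFFFFFFFu;
    return 0xFFFFFFFFu << (32 - prefix);
}

/* Parse "a.b.c.d/n" into a rule using the supplied mask function.
 * Returns 0 on success, -1 on a malformed rule. */
static int parse_rule(const char *text, enum sense s,
                      uint32_t (*mk)(int), struct ha *out) {
    char ip[16];
    int prefix;
    struct in_addr a;
    if (sscanf(text, "%15[0-9.]/%d", ip, &prefix) != 2 ||
        prefix < 0 || prefix > 32)
        return -1;
    if (inet_pton(AF_INET, ip, &a) != 1)
        return -1;
    out->sense = s;
    out->mask = mk(prefix);
    out->addr = ntohl(a.s_addr) & out->mask;
    return 0;
}

/* Assumed evaluator semantics: default allow, every rule is tested in
 * order and the last matching rule decides. */
static enum sense apply_ha(const struct ha *rules, size_t n, const char *client) {
    struct in_addr a;
    if (inet_pton(AF_INET, client, &a) != 1)
        return SENSE_DENY;
    uint32_t ip = ntohl(a.s_addr);
    enum sense res = SENSE_ALLOW;
    for (size_t i = 0; i < n; i++)
        if ((ip & rules[i].mask) == rules[i].addr)
            res = rules[i].sense;
    return res;
}

/* Constructed policy "deny=0.0.0.0/0, permit=192.168.1.0/24" built with the
 * given mask function.  Returns 1 if client is allowed, 0 if denied, -1 on
 * a parse error. */
static int client_allowed(uint32_t (*mk)(int), const char *client) {
    struct ha rules[2];
    if (parse_rule("0.0.0.0/0", SENSE_DENY, mk, &rules[0]) != 0) return -1;
    if (parse_rule("192.168.1.0/24", SENSE_ALLOW, mk, &rules[1]) != 0) return -1;
    return apply_ha(rules, 2, client) == SENSE_ALLOW ? 1 : 0;
}

int main(void) {
    const char *clients[] = { "192.168.1.5", "10.0.0.1" };
    for (size_t i = 0; i < 2; i++)
        printf("%-12s buggy=%s fixed=%s\n", clients[i],
               client_allowed(mask_from_prefix_buggy, clients[i]) ? "allow" : "deny",
               client_allowed(mask_from_prefix_fixed, clients[i]) ? "allow" : "deny");
    return 0;
}
```

With the buggy mask, `deny=0.0.0.0/0` collapses to "deny exactly 0.0.0.0", so a client outside the permitted subnet (10.0.0.1) never matches a deny rule and falls through to the default allow; with the corrected mask the same client is denied. The fix is the explicit /0 (and /32) handling, not a change to the evaluator.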