| Field | Value | Field | Value |
|---|---|---|---|
| Summary | <net-misc/asterisk-{1.8.25.0,11.7.0} : Security Bypass and Memory Corruption Vulnerabilities (CVE-2013-7100) | | |
| Product | Gentoo Security | Reporter | Agostino Sarubbo <ago> |
| Component | Vulnerabilities | Assignee | Gentoo Security <security> |
| Status | RESOLVED FIXED | | |
| Severity | major | CC | chainsaw |
| Priority | Normal | | |
| Version | unspecified | | |
| Hardware | All | | |
| OS | Linux | | |
| URL | http://secunia.com/advisories/55907/ | | |
| Whiteboard | B1 [glsa] | | |
| Package list | | Runtime testing required | --- |
Description
Agostino Sarubbo
2013-12-18 10:09:06 UTC
+*asterisk-11.7.0 (18 Dec 2013)
+*asterisk-1.8.25.0 (18 Dec 2013)
+
+  18 Dec 2013; Tony Vroon <chainsaw@gentoo.org> +asterisk-1.8.25.0.ebuild,
+  +asterisk-11.7.0.ebuild:
+  Upgrades on both branches for memory corruption (AST-2013-006) & security
+  bypass (AST-2013-007) vulnerabilities, as per Agostino Sarubbo in security
+  bug #494630. Squelch unnecessary chatter from build system, as per Patryk
+  Rzadzinski in bug #489862.

Arches, please test & mark stable:
=net-misc/asterisk-1.8.25.0
=net-misc/asterisk-11.7.0

Due to the need for specialty hardware and/or paid accounts, three stop-start cycles on the default (USE=samples) configuration files will suffice. Could the last arch to stabilise please remove all previous Asterisk ebuilds from the tree. Security team, please check that this has been done.

amd64 stable

x86 stable. Maintainer(s), please cleanup

+  23 Dec 2013; Tony Vroon <chainsaw@gentoo.org> -asterisk-1.8.23.1.ebuild,
+  -asterisk-1.8.24.0.ebuild, -asterisk-11.5.1.ebuild, -asterisk-11.6.0.ebuild,
+  -asterisk-11.6.0-r1.ebuild:
+  Remove all vulnerable ebuilds for AST-2013-006 & AST-2013-007; for security
+  bug #494630.

Maintainer(s), Thank you for your work! Added to existing GLSA

CVE-2013-7100 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-7100): Buffer overflow in the unpacksms16 function in apps/app_sms.c in Asterisk Open Source 1.8.x before 1.8.24.1, 10.x before 10.12.4, and 11.x before 11.6.1; Asterisk with Digiumphones 10.x-digiumphones before 10.12.4-digiumphones; and Certified Asterisk 1.8.x before 1.8.15-cert4 and 11.x before 11.2-cert3 allows remote attackers to cause a denial of service (daemon crash) via a 16-bit SMS message.

This issue was resolved and addressed in GLSA 201401-15 at http://security.gentoo.org/glsa/glsa-201401-15.xml by GLSA coordinator Sergey Popov (pinkbyte).