Bug#: 250748
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Reporter: Bruno Buss <bruno.buss@gmail.com>
Bug 250748 depends on: 249573
Description:   Opened: 2008-12-12 19:33 0000
"There is a possibility to remotely crash an Asterisk server if the server is
configured to use realtime IAX2 users. The issue occurs if either an unknown
user attempts to authenticate or if a user that uses hostname matching attempts
to authenticate.

The problem was due to a broken function call to Asterisk's realtime
configuration API."

Also from Secunia:
http://secunia.com/Advisories/32956/

Just 1.2.27 in the Portage tree is affected.

------- Comment #1 From Steven Susbauer 2008-12-18 01:07:13 0000 -------
CVE-2008-5558

Asterisk Open Source 1.2.26 through 1.2.30.3 and Business Edition
B.2.3.5 through B.2.5.5, when realtime IAX2 users are enabled, allows
remote attackers to cause a denial of service (crash) via
authentication attempts involving (1) an unknown user or (2) a user
using hostname matching.

------- Comment #2 From Robert Buchholz 2008-12-18 16:34:43 0000 -------
CVE-2008-5558 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5558):
  Asterisk Open Source 1.2.26 through 1.2.30.3 and Business Edition
  B.2.3.5 through B.2.5.5, when realtime IAX2 users are enabled, allows
  remote attackers to cause a denial of service (crash) via
  authentication attempts involving (1) an unknown user or (2) a user
  using hostname matching.
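
The CVE text above gives inclusive version ranges for both editions, and the description notes that the crash only matters when realtime IAX2 users are in use. The following is an added example (not Gentoo's, Digium's or the reporter's code) that turns those two facts into a local exposure check: it compares an installed Asterisk version against the quoted ranges (ignoring a Gentoo `-rN` revision suffix, which is assumed here not to change upstream code) and scans an `extconfig.conf` for an uncommented `iaxusers` realtime mapping. The sample configuration text is constructed for the example.

```python
"""Exposure check for CVE-2008-5558 as described in this bug.

Added example; not part of the Gentoo bug, the ebuild, or Asterisk itself.
"""
import re
from typing import Tuple

# Inclusive affected ranges, exactly as stated in the CVE description.
AFFECTED_RANGES = {
    "opensource": ("1.2.26", "1.2.30.3"),
    "business": ("B.2.3.5", "B.2.5.5"),
}

# Constructed sample extconfig.conf with realtime IAX2 users switched on.
SAMPLE_EXTCONFIG = """\
[settings]
; realtime mappings (constructed sample, not a real deployment)
sipusers => odbc,asterisk
iaxusers => odbc,asterisk
"""


def parse_version(version: str) -> Tuple[str, Tuple[int, ...]]:
    """Split a version string into (edition, numeric tuple).

    '1.2.27'     -> ('opensource', (1, 2, 27))
    '1.2.27-r1'  -> ('opensource', (1, 2, 27))   # Gentoo revision dropped
    'B.2.3.5'    -> ('business',   (2, 3, 5))
    """
    version = re.sub(r"-r\d+$", "", version.strip())  # assumption: -rN is Gentoo-only
    edition = "opensource"
    if version.startswith("B."):
        edition = "business"
        version = version[2:]
    if not re.fullmatch(r"\d+(\.\d+)*", version):
        raise ValueError(f"unrecognised Asterisk version: {version!r}")
    return edition, tuple(int(part) for part in version.split("."))


def _pad(parts: Tuple[int, ...], width: int) -> Tuple[int, ...]:
    """Right-pad with zeros so 1.2.30 compares as 1.2.30.0 against 1.2.30.3."""
    return parts + (0,) * (width - len(parts))


def is_affected(version: str) -> bool:
    """True if the version lies inside the inclusive affected range for its edition."""
    edition, parts = parse_version(version)
    low_str, high_str = AFFECTED_RANGES[edition]
    _, low = parse_version(low_str)
    _, high = parse_version(high_str)
    width = max(len(parts), len(low), len(high))
    return _pad(low, width) <= _pad(parts, width) <= _pad(high, width)


def realtime_iax2_users_enabled(extconfig_text: str) -> bool:
    """True if the [settings] section maps the 'iaxusers' family to a realtime backend.

    Asterisk config comments start with ';', so commented-out mappings are ignored.
    """
    section = None
    for raw in extconfig_text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "settings" and re.match(r"^iaxusers\s*=>", line):
            return True
    return False


def assess(version: str, extconfig_text: str) -> str:
    """Combine both conditions into a single verdict string."""
    if not is_affected(version):
        return "not-affected-version"
    if realtime_iax2_users_enabled(extconfig_text):
        return "exposed"
    return "affected-version-realtime-iax2-off"


if __name__ == "__main__":
    for ver in ("1.2.27", "1.2.31.1", "B.2.5.5"):
        print(ver, "->", assess(ver, SAMPLE_EXTCONFIG))
```

The verdict deliberately stays "exposed" only when both conditions hold, matching the advisory wording; a host on 1.2.27 without an `iaxusers` realtime mapping still warrants the upgrade to 1.2.31.1, but is not reachable through the path this CVE describes.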

------- Comment #3 From Bruno Buss 2009-01-08 13:00:35 0000 -------
Ping. Delay for B3 is 20 days...

------- Comment #4 From Tony Vroon 2009-03-11 17:48:24 0000 -------
+*asterisk-1.2.31.1 (11 Mar 2009)
+
+  11 Mar 2009; <chainsaw@gentoo.org>
+  +files/1.2.0/asterisk-1.2.31.1-bri-fixups.diff,
+  +files/1.2.0/asterisk-1.2.31.1-comma-is-not-pipe.diff,
+  +files/1.2.0/asterisk-1.2.31.1-svn89254.diff, +asterisk-1.2.31.1.ebuild:
+  Version bump, for security bugs #250748 and #254304. Took a 1.4 build fix
+  that is relevant to 1.2, Digium bug #11238. Wrote patch to fix up typo in
+  open call, a comma is not a pipe sign. Used EAPI 2 for USE-based
+  dependencies instead of calling die. Patch from Mounir Lamouri adding
+  -lspeexdsp closes bug #206463 filed by John Read.

------- Comment #5 From Tony Vroon 2009-03-12 15:17:00 0000 -------
Arches, please test and mark stable 1.2.31.1 in the tree. Target keywords:
~alpha amd64 ~hppa ~ppc sparc x86

Alpha, PowerPC, please feel free to mark stable even though you're not stable
right now. This is the last ever release in the 1.2 branch and we'll redo
keywording from scratch for the 1.6 branch.
This has been tested on a production network for AMD64 using Cisco 7960 phones
(SIP firmware) and 2 Patton gateways both connected to 2 ISDN BRI lines from
British Telecom.

------- Comment #6 From Tony Vroon 2009-03-12 15:19:50 0000 -------
Arch teams, for your echangelog entries, said keywording will also address
security bug #254304.
If you do not have hardware your usual compilation and QA tests will suffice.

------- Comment #7 From Ferris McCormick 2009-03-12 17:03:36 0000 -------
Sparc stable.

------- Comment #8 From Tobias Klausmann 2009-03-12 19:38:03 0000 -------
Stable on alpha, including the requisite net-libs/openh323.

------- Comment #9 From Markus Meier 2009-03-15 15:12:40 0000 -------
amd64/x86 stable

------- Comment #10 From Brent Baude 2009-03-19 13:07:47 0000 -------
ppc done

------- Comment #11 From Jeroen Roovers 2009-03-23 05:24:59 0000 -------
HPPA isn't stable, and won't do now:

>>> Compiling source in /dev/shm/portage/net-misc/asterisk-1.2.31.1/work/asterisk-1.2.31.1 ...
 * Building Asterisk...
make: *** No rule to make target `hppa2.0-unknown-linux-gnu-gcc'.  Stop.
 *
 * ERROR: net-misc/asterisk-1.2.31.1 failed.

------- Comment #12 From Tony Vroon 2009-03-23 15:58:26 0000 -------
+  23 Mar 2009; <chainsaw@gentoo.org> -asterisk-1.2.27.ebuild:
+  Remove vulnerable 1.2.27 version now that arch keywording is complete. For
+  security bugs #250748 & #254304.

------- Comment #13 From Robert Buchholz 2009-05-02 17:57:16 0000 -------
GLSA 200905-01
