From oss-security at $URL:
CVE-2012-2414 http://downloads.asterisk.org/pub/security/AST-2012-004.html
CVE-2012-2415 http://downloads.asterisk.org/pub/security/AST-2012-005.html
CVE-2012-2416 http://downloads.asterisk.org/pub/security/AST-2012-006.html
Arches, please test and mark stable: =net-misc/asterisk-1.8.11.1
Target KEYWORDS="amd64 x86"
amd64 stable
I'm not sure if this is the correct place to write this, but Asterisk works fine on ppc and ppc64 as well after unmasking. We've been using source-compiled 1.4 for a while, but recently moved on to the 1.8 ebuilds, without any errors.
(In reply to comment #3)
> I'm not sure if this is the correct place to write this, but Asterisk works
> fine on ppc and ppc64 as well after unmasking. We've been using
> source-compiled 1.4 for a while, but recently moved on to the 1.8 ebuilds,
> without any errors.
Do not attempt to hijack bugs, especially not security bugs.
Archtested on x86: Everything OK.
1) Compiles successfully with various USE flags.
2) All rdeps compile successfully.
3) No repoman errors reported.
4) I do not have a VoIP phone but, per ago, I was able to verify the stability of the net-misc/asterisk-1.8.11.1 daemon and its utilities. I also witnessed no errors of concern in Asterisk's log file.
x86 stable, thanks Dan.
@security, please check the severity and file glsa request.
Thanks, everyone. GLSA is already drafted and ready for review.
CVE-2012-2416 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2416): chan_sip.c in the SIP channel driver in Asterisk Open Source 1.8.x before 1.8.11.1 and 10.x before 10.3.1 and Asterisk Business Edition C.3.x before C.3.7.4, when the trustrpid option is enabled, allows remote authenticated users to cause a denial of service (daemon crash) by sending a SIP UPDATE message that triggers a connected-line update attempt without an associated channel.

CVE-2012-2415 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2415): Heap-based buffer overflow in chan_skinny.c in the Skinny channel driver in Asterisk Open Source 1.6.2.x before 1.6.2.24, 1.8.x before 1.8.11.1, and 10.x before 10.3.1 allows remote authenticated users to cause a denial of service or possibly have unspecified other impact via a series of KEYPAD_BUTTON_MESSAGE events.

CVE-2012-2414 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2414): main/manager.c in the Manager Interface in Asterisk Open Source 1.6.2.x before 1.6.2.24, 1.8.x before 1.8.11.1, and 10.x before 10.3.1 and Asterisk Business Edition C.3.x before C.3.7.4 does not properly enforce System class authorization requirements, which allows remote authenticated users to execute arbitrary commands via (1) the originate action in the MixMonitor application, (2) the SHELL and EVAL functions in the GetVar manager action, or (3) the SHELL and EVAL functions in the Status manager action.
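The three NVD descriptions above each name affected branches and the first fixed release per branch (1.6.2.24, 1.8.11.1, 10.3.1). The following script is an added example, not part of this bug or of Asterisk itself, that encodes those ranges and decides, branch by branch, which of the three CVEs a given Asterisk Open Source version is still exposed to. It assumes the plain dotted numbering of Open Source releases (the string printed by `asterisk -V` is accepted); Business Edition C.3.x numbering is deliberately not handled.

```python
"""Branch-aware check of an Asterisk Open Source version against the affected
ranges quoted in the NVD descriptions for CVE-2012-2414/2415/2416.

Added example; the ranges below are transcribed from the NVD text above,
everything else (function names, parsing) is an assumption of this example."""
import re

# (branch prefix, first fixed release on that branch), per CVE.
# A version is affected when it sits on the branch and is older than the fix.
AFFECTED = {
    "CVE-2012-2414": [("1.6.2", "1.6.2.24"), ("1.8", "1.8.11.1"), ("10", "10.3.1")],
    "CVE-2012-2415": [("1.6.2", "1.6.2.24"), ("1.8", "1.8.11.1"), ("10", "10.3.1")],
    "CVE-2012-2416": [("1.8", "1.8.11.1"), ("10", "10.3.1")],
}


def parse_version(text):
    """Turn '1.8.11.1' or 'Asterisk 1.8.11.1' into a tuple of ints."""
    match = re.search(r"(\d+(?:\.\d+)*)", text)
    if not match:
        raise ValueError("no dotted version number in %r" % text)
    return tuple(int(part) for part in match.group(1).split("."))


def on_branch(version, branch):
    """True when the version's leading components equal the branch prefix."""
    prefix = parse_version(branch)
    return version[: len(prefix)] == prefix


def affected_cves(version_text):
    """Return the sorted list of CVE ids whose affected range contains the version.

    Tuple comparison gives the ordering we need: (1, 8, 11) < (1, 8, 11, 1),
    so the bare 1.8.11 release counts as older than the 1.8.11.1 fix."""
    version = parse_version(version_text)
    hits = []
    for cve, ranges in AFFECTED.items():
        for branch, fixed in ranges:
            if on_branch(version, branch) and version < parse_version(fixed):
                hits.append(cve)
                break  # one matching branch is enough for this CVE
    return sorted(hits)


if __name__ == "__main__":
    # Constructed sample inputs; the stabilisation target from this bug is last.
    for sample in ("1.6.2.23", "1.8.10", "Asterisk 10.2.1", "1.4.44", "1.8.11.1"):
        print("%-18s %s" % (sample, affected_cves(sample) or "not affected"))
```

Run it with the output of `asterisk -V` from each host; an empty list means the installed release is at or past the fixed version for every branch the NVD entries name, which is the state the =net-misc/asterisk-1.8.11.1 stabilisation in this bug is meant to reach.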
This issue was resolved and addressed in GLSA 201206-05 at http://security.gentoo.org/glsa/glsa-201206-05.xml by GLSA coordinator Sean Amoss (ackle).