Bug 290686 - <net-misc/asterisk-1.6.1.8 SIP INVITE ACL bypass
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High trivial
Assignee: Gentoo Security
URL: http://downloads.asterisk.org/pub/sec...
Whiteboard: ~4 [noglsa]
Reported: 2009-10-27 06:49 UTC by Alex Legler (RETIRED)
Modified: 2009-10-27 10:47 UTC

Description Alex Legler (RETIRED) archtester gentoo-dev Security 2009-10-27 06:49:05 UTC
Description - taken from upstream advisory:
A missing ACL check for handling SIP INVITEs allows a device to make calls on networks intended to be prohibited as defined by the "deny" and "permit" lines in sip.conf. The ACL check for handling SIP registrations was not affected.

Affected:     1.6.x
Corrected in: 1.6.1.8
Comment 1 Bernd Marienfeldt 2009-10-27 09:27:51 UTC
http://downloads.digium.com/pub/security/AST-2009-007.html
Comment 2 Tony Vroon (RETIRED) gentoo-dev 2009-10-27 10:47:17 UTC
Contrary to a prior posting, this vulnerability only affects the 1.6.1.x branch of Asterisk, not 1.6.x as a whole. All vulnerable ebuilds have been purged from the tree, 1.6.1.8 has been added.
As all these ebuilds are hardmasked in the tree (and the stable 1.2 ebuilds are not all affected), a GLSA will not be issued. Closing bug.
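
An added example (not from the bug report or the upstream advisory): a small audit that reads the "deny" and "permit" lines from a sip.conf and flags INVITE source addresses that the peer's ACL should have refused. The peer names, addresses and (peer, source) pairs are constructed, and the evaluation rule (default allow, last matching rule wins) is an assumption about how Asterisk applies these lines.

```python
import ipaddress
import re

# Constructed sample sip.conf fragment (not from the bug report).
SAMPLE_SIP_CONF = """\
[office-phone]
type=friend
host=dynamic
deny=0.0.0.0/0.0.0.0                 ; refuse everything ...
permit=192.168.10.0/255.255.255.0    ; ... except the office LAN

[lab-phone]
type=friend
"""

# Constructed (peer, source address) pairs, e.g. taken from call records.
SAMPLE_INVITES = [("office-phone", "192.168.10.25"),
                  ("office-phone", "203.0.113.7"),
                  ("lab-phone", "203.0.113.7")]

def parse_acls(text):
    """Return {section: [(sense, network), ...]} in file order."""
    acls, section = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()          # drop ';' comments
        m = re.match(r"\[([^\]]+)\]", line)
        if m:
            section = m.group(1)
            acls[section] = []
            continue
        m = re.match(r"(deny|permit)\s*=>?\s*(\S+)$", line)
        if m and section:
            net = ipaddress.ip_network(m.group(2), strict=False)
            acls[section].append((m.group(1), net))
    return acls

def acl_allows(rules, addr):
    """Assumed semantics: default allow, last matching rule wins."""
    ip, allowed = ipaddress.ip_address(addr), True
    for sense, net in rules:
        if ip in net:
            allowed = (sense == "permit")
    return allowed

def flag_invites(conf_text, invites):
    """Return the (peer, source) pairs whose source the peer's ACL denies."""
    acls = parse_acls(conf_text)
    return [(p, s) for p, s in invites if not acl_allows(acls.get(p, []), s)]

if __name__ == "__main__":
    for peer, src in flag_invites(SAMPLE_SIP_CONF, SAMPLE_INVITES):
        print(f"{peer}: INVITE from {src} is outside the configured ACL")
```

Any pair it reports on a system that ran an affected 1.6.1.x build is a call the ACL was meant to block and is worth reviewing in the call records.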