Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 433750 - <net-misc/asterisk-1.8.15.1: Mulitple vulnerabilities (CVE-2012-{2186,4737})
Summary: <net-misc/asterisk-1.8.15.1: Mulitple vulnerabilities (CVE-2012-{2186,4737})
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal major
Assignee: Gentoo Security
URL:
Whiteboard: B2 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2012-09-03 09:10 UTC by GLSAMaker/CVETool Bot
Modified: 2012-09-26 22:02 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description GLSAMaker/CVETool Bot gentoo-dev 2012-09-03 09:10:58 UTC 
CVE-2012-4737 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4737):
  channels/chan_iax2.c in Asterisk Open Source 1.8.x before 1.8.15.1 and 10.x
  before 10.7.1, Certified Asterisk 1.8.11 before 1.8.11-cert7, Asterisk
  Digiumphones 10.x.x-digiumphones before 10.7.1-digiumphones, and Asterisk
  Business Edition C.3.x before C.3.7.6 does not enforce ACL rules during
  certain uses of peer credentials, which allows remote authenticated users to
  bypass intended outbound-call restrictions by leveraging the availability of
  these credentials.

CVE-2012-2186 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2186):
  Incomplete blacklist vulnerability in main/manager.c in Asterisk Open Source
  1.8.x before 1.8.15.1 and 10.x before 10.7.1, Certified Asterisk 1.8.11
  before 1.8.11-cert6, Asterisk Digiumphones 10.x.x-digiumphones before
  10.7.1-digiumphones, and Asterisk Business Edition C.3.x before C.3.7.6
  allows remote authenticated users to execute arbitrary commands by
  leveraging originate privileges and providing an ExternalIVR value in an AMI
  Originate action.
Comment 1 Alex Legler (RETIRED) archtester gentoo-dev Security 2012-09-03 09:13:02 UTC 
Arches, please test and mark stable:
=net-misc/asterisk-1.8.15.1
Target KEYWORDS: amd64 x86
Comment 2 Agostino Sarubbo gentoo-dev 2012-09-03 13:49:41 UTC 
amd64 stable
Comment 3 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2012-09-13 07:21:58 UTC 
x86 stable
Comment 4 Sean Amoss (RETIRED) gentoo-dev Security 2012-09-13 15:26:22 UTC 
Thanks, everyone.

Already on existing GLSA request, ready for a 2nd review.
Comment 5 GLSAMaker/CVETool Bot gentoo-dev 2012-09-26 22:02:25 UTC 
This issue was resolved and addressed in
 GLSA 201209-15 at http://security.gentoo.org/glsa/glsa-201209-15.xml
by GLSA coordinator Sean Amoss (ackle).