From ${URL}:

Description

Establishing a TCP or TLS connection to the configured HTTP or HTTPS port respectively in http.conf and then not sending or completing an HTTP request will tie up an HTTP session. By doing this repeatedly until the maximum number of open HTTP sessions is reached, legitimate requests are blocked.

Resolution

The patched versions now have a session_inactivity timeout option in http.conf that defaults to 30000 ms. Users should upgrade to a corrected version, apply the released patches, or disable HTTP support.

Affected Versions

Product                 Release Series
Asterisk Open Source    1.8.x            All versions
Asterisk Open Source    11.x             All versions
Asterisk Open Source    12.x             All versions
Certified Asterisk      1.8.15           All versions
Certified Asterisk      11.6             All versions

Corrected In

Product                 Release
Asterisk Open Source    1.8.28.1, 11.10.1, 12.3.1
Certified Asterisk      1.8.15-cert6, 11.6-cert3
Also, from http://seclists.org/bugtraq/2014/Jun/114:

Description

Manager users can execute arbitrary shell commands with the MixMonitor manager action. Asterisk does not require system class authorization for a manager user to use the MixMonitor action, so any manager user who is permitted to use manager commands can potentially execute shell commands as the user executing the Asterisk process.

Resolution

Upgrade to a version with the patch integrated, apply the patch, or do not allow users who should not have permission to run shell commands to use AMI.

Affected Versions

Product                 Release Series
Asterisk Open Source    11.x             All
Asterisk Open Source    12.x             All
Certified Asterisk      11.6             All
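To make the HTTP session exhaustion in the first advisory concrete, here is an added example that is not Asterisk code and not part of this bug: a constructed stand-in listener that either waits forever for a request, as the unpatched server did, or applies a session_inactivity-style timeout, plus a one-connection check that verifies whether an idle session is reclaimed and that a well-formed request is still served. All function names, the loopback port handling and the timeout values are assumptions for the demo.

```python
import socket
import threading

def start_stub_http_listener(inactivity_s):
    """Constructed stand-in for an HTTP listener (not Asterisk code). Each
    connection gets a thread that waits for a full header block; with
    inactivity_s=None it waits forever (pre-patch behaviour), with a number it
    mimics session_inactivity and closes the socket after that much silence."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(16)
    def session(conn):
        with conn:
            conn.settimeout(inactivity_s)      # None means no limit
            buf = b""
            try:
                while b"\r\n\r\n" not in buf:
                    chunk = conn.recv(1024)
                    if not chunk:               # client closed first
                        return
                    buf += chunk
                conn.sendall(b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n")
            except socket.timeout:
                return                          # idle session reclaimed

    def accept_loop():
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=session, args=(conn,), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv.getsockname()[1]           # ephemeral port on 127.0.0.1

def idle_connection_closed_within(port, deadline_s):
    """Open one connection, send nothing, and report whether the server closes
    it (EOF) within deadline_s: True means an inactivity timeout is enforced."""
    with socket.create_connection(("127.0.0.1", port)) as c:
        c.settimeout(deadline_s)
        try:
            return c.recv(1) == b""
        except socket.timeout:
            return False

def complete_request_answered(port):
    """A well-formed request must still be served despite the timeout."""
    with socket.create_connection(("127.0.0.1", port)) as c:
        c.settimeout(3)
        c.sendall(b"GET / HTTP/1.1\r\nHost: pbx\r\n\r\n")
        return c.recv(64).startswith(b"HTTP/1.1 200")
```

Against a real patched Asterisk the same check, run with a deadline a little above the configured session_inactivity value, confirms the option is in effect without opening more than one connection.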
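For the MixMonitor advisory, an added audit helper (not part of Asterisk or of this bug) that reads a constructed manager.conf and lists which AMI users can reach shell execution through MixMonitor: before the fix every user permitted to send manager actions, after it only users holding the system class. The sample users, secrets and addresses are made up, and the function name is an assumption.

```python
import configparser

# Constructed manager.conf for the demo; users, secrets and addresses are made up.
SAMPLE_MANAGER_CONF = """\
[general]
enabled = yes
bindaddr = 0.0.0.0

[recording]
secret = changeme
deny = 0.0.0.0/0.0.0.0
permit = 10.0.0.5/255.255.255.255
read = call
write = call,originate

[ops]
secret = changeme
read = all
write = system,call,command
"""

def manager_users_with_shell_reach(conf_text, mixmonitor_requires_system):
    """Map each AMI user that can reach shell execution through MixMonitor to
    its write classes and whether a permit= line restricts the source host.
    mixmonitor_requires_system=False models the unpatched server, where any
    user permitted to send manager actions qualifies; True models the fix,
    where only users holding the 'system' class (or 'all') qualify."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    found = {}
    for user in cp.sections():
        if user == "general":
            continue
        raw = cp.get(user, "write", fallback="")
        write = {c.strip() for c in raw.split(",") if c.strip()}
        if not write:
            continue                      # read-only user, sends no actions
        if mixmonitor_requires_system and not (write & {"system", "all"}):
            continue
        found[user] = {"write": sorted(write),
                       "host_restricted": cp.has_option(user, "permit")}
    return found
```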
+*asterisk-11.10.1 (14 Jun 2014) +*asterisk-1.8.28.1 (14 Jun 2014) + + 14 Jun 2014; Tony Vroon <chainsaw@gentoo.org> -asterisk-1.8.27.0.ebuild, + -asterisk-1.8.28.0.ebuild, +asterisk-1.8.28.1.ebuild, + -asterisk-11.9.0.ebuild, -asterisk-11.10.0.ebuild, +asterisk-11.10.1.ebuild: + MixMonitor AMI command allowed arbitrary shell commands to be executed + (AST-2014-006). Upstream replacement of plain broken SSL read implementation + as part of an HTTPS denial of service (AST-2014-007) finally fixes + ASTERISK-18345 after almost three years. Relevant downstream patch removed, + this means we were very likely not vulnerable. Arches, please test & mark stable: =net-misc/asterisk-1.8.28.1 =net-misc/asterisk-11.10.1 Test procedure is to merge with USE="samples" and ensure the init script & daemon survive three stop/start cycles. Leave at least 10 seconds between stop & start and verify using ps aux or openrc "crashed" vs "started" that the daemon is not unstable at launch.
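Review bot: the entry cites AST-2014-006 and AST-2014-007 but neither the Gentoo bug (#513102, which the 23 Jun cleanup entry does name) nor the CVE ids (CVE-2014-4046, CVE-2014-4047), so the ChangeLog cannot be matched to the advisory without reading this bug; add them. The sentence "Relevant downstream patch removed, this means we were very likely not vulnerable" should also name the patch file that was dropped and say which of the two advisories it concerns.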
+*asterisk-12.3.1 (14 Jun 2014) + + 14 Jun 2014; Tony Vroon <chainsaw@gentoo.org> -asterisk-12.1.1.ebuild, + -asterisk-12.2.0.ebuild, -asterisk-12.3.0.ebuild, +asterisk-12.3.1.ebuild: + And now for the 12 branch, which has additional vulnerabilities in the PJSIP + channel driver. MixMonitor AMI command allowed arbitrary shell commands to be + executed (AST-2014-006). Upstream replacement of plain broken SSL read + implementation as part of an HTTPS denial of service (AST-2014-007) finally + fixes ASTERISK-18345 after almost three years. Relevant downstream patch + removed, this means we were very likely not vulnerable. Resolves a remote + crash in publish/subscribe framework (AST-2014-005) due to deadlock on a + synchronously dispatched task. All ebuilds in this branch are masked; no stabilisation required but vulnerable ebuilds removed from tree.
+*asterisk-11.10.2 (16 Jun 2014) +*asterisk-1.8.28.2 (16 Jun 2014) + + 16 Jun 2014; Tony Vroon <chainsaw@gentoo.org> -asterisk-1.8.28.1.ebuild, + +asterisk-1.8.28.2.ebuild, -asterisk-11.10.1.ebuild, + +asterisk-11.10.2.ebuild: + Upstream distributed a broken release that did not carry traffic for SIP over + TCP or SIP over TLS. Arches, please test & mark stable: =net-misc/asterisk-1.8.28.2 =net-misc/asterisk-11.10.2 Test procedure is to merge with USE="samples" and ensure the init script & daemon survive three stop/start cycles. Leave at least 10 seconds between stop & start and verify using ps aux or openrc "crashed" vs "started" that the daemon is not unstable at launch.
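Review bot: the entry says upstream's release was broken for SIP over TCP and TLS but does not say that 1.8.28.2 and 11.10.2 supersede the 14 Jun security releases and still carry the AST-2014-006/AST-2014-007 fixes; since this moves the stabilisation target from 1.8.28.1/11.10.1 to these versions, say so explicitly (the later "What are we stabilizing?" question shows the ambiguity).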
+*asterisk-12.3.2 (16 Jun 2014) + + 16 Jun 2014; Tony Vroon <chainsaw@gentoo.org> -asterisk-12.3.1.ebuild, + +asterisk-12.3.2.ebuild: + Upstream distributed a broken release that did not carry traffic for SIP over + TCP or SIP over TLS. This remains masked and is not recommended for + production deployments.
Tony, What are we stabilizing? There are a lot of messages but the arches need something clear to work from.
Arches, please test & mark stable: =net-misc/asterisk-1.8.28.2 =net-misc/asterisk-11.10.2 Test procedure is to merge with USE="samples" and ensure the init script & daemon survive three stop/start cycles. Leave at least 10 seconds between stop & start and verify using ps aux or openrc "crashed" vs "started" that the daemon is not unstable at launch.
amd64 stable
x86 stable. Maintainer(s), please cleanup. Security, please vote.
(In reply to Agostino Sarubbo from comment #9) > Maintainer(s), please cleanup. + 23 Jun 2014; Tony Vroon <chainsaw@gentoo.org> -asterisk-1.8.26.1.ebuild, + -asterisk-11.8.1.ebuild, -asterisk-12.1.1.ebuild, -asterisk-12.2.0.ebuild: + Remove vulnerable ebuilds for security bug #513102, as requested by Agostino + "ago" Sarubbo.
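Review bot: -asterisk-12.1.1.ebuild and -asterisk-12.2.0.ebuild are listed as removed here, but the 14 Jun 2014 asterisk-12.3.1 entry already records both removals; either that earlier entry overstated what was committed or this entry double-lists them. Reconcile the two so the ChangeLog shows one removal per ebuild.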
GLSA vote: yes.
GLSA Vote: Yes. Created a new GLSA request.
This issue was resolved and addressed in GLSA 201406-25 at http://security.gentoo.org/glsa/glsa-201406-25.xml by GLSA coordinator Yury German (BlueKnight).
CVE-2014-4047 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-4047): Asterisk Open Source 1.8.x before 1.8.28.1, 11.x before 11.10.1, and 12.x before 12.3.1 and Certified Asterisk 1.8.15 before 1.8.15-cert6 and 11.6 before 11.6-cert3 allows remote attackers to cause a denial of service (connection consumption) via a large number of (1) inactive or (2) incomplete HTTP connections.

CVE-2014-4046 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-4046): Asterisk Open Source 11.x before 11.10.1 and 12.x before 12.3.1 and Certified Asterisk 11.6 before 11.6-cert3 allows remote authenticated Manager users to execute arbitrary shell commands via a MixMonitor action.