| Field | Value |
|---|---|
| Summary: | net-misc/asterisk: SIP DoS vulnerability (CVE-2007-1306) |
| Product: | Gentoo Security |
| Reporter: | Tony Vroon (RETIRED) <chainsaw> |
| Component: | Vulnerabilities |
| Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED |
| Severity: | minor |
| CC: | bernd, rajiv, voip+disabled |
| Priority: | High |
| Version: | unspecified |
| Hardware: | All |
| OS: | Linux |
| URL: | http://asterisk.org/node/48319 |
| Whiteboard: | B3 [glsa] jaervosz |
| Package list: | |
| Runtime testing required: | --- |
Description
Tony Vroon (RETIRED)
2007-03-06 13:43:47 UTC
stkn/voip-herd, please provide an updated ebuild.

Comment 1: asterisk 1.0.12 is also vulnerable but not supported upstream. I will patch in our CVS shortly.

Comment 2: *** Bug 169681 has been marked as a duplicate of this bug. ***

Comment 3: net-misc/asterisk-1.0.12-r1 with ported patch in CVS as ~x86 and ~ppc. x86 team: please test and mark stable (or drop me an email and I will do it). The older 1.0.12 version is ~ppc also, so nothing to be done there. FYI, vulnerability notice: http://labs.musecurity.com/advisories/MU-200703-01.txt

Comment 4: Just as a reminder, 1.2.* needs to be fixed too.

Comment 5: Secunia says 1.2.16 fixes that vulnerability. Secunia: http://secunia.com/advisories/24380/

Comment 6: rajiv, please bump 1.2.* too, so we can stabilize both.

Comment 7: Rajiv just handles the 1.0 branch. I can handle 1.2 but I'm waiting for a newer upstream (http://www.junghanns.net/downloads/) BRIstuff patch since PRE-1y isn't 1.2.16-friendly. Otherwise we could just try to patch the offending code in asterisk and do a revbump.

Comment 8: (In reply to comment #7)
> Rajiv just handles the 1.0 branch.
> I can handle 1.2 but I'm waiting for a newer upstream
> (http://www.junghanns.net/downloads/) BRIstuff patch since PRE-1y isn't
> 1.2.16-friendly.
> Otherwise we could just try to patch the offending code in asterisk and do a
> revbump.

Maybe the best solution if you can't tell how long the newer patch may take to be provided. Debian appears to have a BRIstuff PRE-1x patch for 1.2.16 if it's any help. Otherwise just a simple patch similar to the one for the 1.0 branch would be fine.

Comment 9: FYI, the original patch for 1.2.x and 1.4.x is available at http://svn.digium.com/view/asterisk?rev=57478&view=rev

Comment 10: Actually it's r57475 for asterisk-1.2 (r57478 is for 1.4).

Comment 11: Committed in asterisk-1.2.14-r1. Will need =net-libs/libpri-1.2.4-r1 and =net-misc/zaptel-1.2.12-r1 stable with this too to match BRIstuff. sparc stable, btw.

Comment 12: Thanks Gustavo.

x86 please test and mark stable:
net-misc/asterisk-1.2.14-r1
net-libs/libpri-1.2.4-r1
net-misc/zaptel-1.2.12-r1

Comment 13: (In reply to comment #12)
> Thanks Gustavo.
>
> x86 please test and mark stable:
> net-misc/asterisk-1.2.14-r1
> net-libs/libpri-1.2.4-r1
> net-misc/zaptel-1.2.12-r1

And 1.0.12-r1, too.

Comment 14: Done.

Comment 15: I vote yes for that VoIP platform for which availability is important.

Comment 16: Let's have a GLSA on this one.

Comment 17: GLSA drafted and ready for review.

Comment 18: GLSA 200703-14