Summary: | net-misc/asterisk <1.2.25 cdr_pgsql SQL injection (CVE-2007-6170) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Rajiv Aaron Manglani (RETIRED) <rajiv> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | minor | CC: | jesse, rentorbuy, voip+disabled |
Priority: | High | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | http://lists.digium.com/pipermail/asterisk-announce/2007-November/000105.html | ||
Whiteboard: | C3 [glsa] | ||
Package list: | Runtime testing required: | --- | |
Bug Depends on: | 213883 | ||
Bug Blocks: |
Description
Rajiv Aaron Manglani (RETIRED)
2007-11-29 22:54:14 UTC
*** Bug 199268 has been marked as a duplicate of this bug. *** Asterisk Project Security Advisory - AST-2007-026 +------------------------------------------------------------------------+ | Product | Asterisk | |----------------------+-------------------------------------------------| | Summary | SQL Injection issue in cdr_pgsql | |----------------------+-------------------------------------------------| | Nature of Advisory | SQL Injection | |----------------------+-------------------------------------------------| | Susceptibility | Remote Authenticated Sessions | |----------------------+-------------------------------------------------| | Severity | Moderate | |----------------------+-------------------------------------------------| | Exploits Known | No | |----------------------+-------------------------------------------------| | Reported On | November 29, 2007 | |----------------------+-------------------------------------------------| | Reported By | Tilghman Lesher <tlesher AT digium DOT com> | |----------------------+-------------------------------------------------| | Posted On | November 29, 2007 | |----------------------+-------------------------------------------------| | Last Updated On | November 29, 2007 | |----------------------+-------------------------------------------------| | Advisory Contact | Tilghman Lesher <tlesher AT digium DOT com> | |----------------------+-------------------------------------------------| | CVE Name | CVE-2007-6170 | +------------------------------------------------------------------------+ +------------------------------------------------------------------------+ | Description | Input buffers were not properly escaped when providing | | | the ANI and DNIS strings to the Call Detail Record | | | Postgres logging engine. An attacker could potentially | | | compromise the administrative database containing users' | | | usernames and passwords used for SIP authentication, | | | among other things. | | | | | | This module is not active by default and must be | | | configured for use by the administrator. Default | | | installations of Asterisk are not affected. | +------------------------------------------------------------------------+ +------------------------------------------------------------------------+ | Workaround | Convert your installation to use cdr_odbc with the | | | PgsqlODBC driver. This module provides similar | | | functionality but is not vulnerable. | +------------------------------------------------------------------------+ +------------------------------------------------------------------------+ | Resolution | Upgrade to Asterisk release 1.4.15 or higher. | +------------------------------------------------------------------------+ +------------------------------------------------------------------------+ | Affected Versions | |------------------------------------------------------------------------| | Product | Release | | | | Series | | |-------------------------------+-------------+--------------------------| | Asterisk Open Source | 1.0.x | All versions | |-------------------------------+-------------+--------------------------| | Asterisk Open Source | 1.2.x | 1.2.24 and previous | |-------------------------------+-------------+--------------------------| | Asterisk Open Source | 1.4.x | 1.4.14 and previous | |-------------------------------+-------------+--------------------------| | Asterisk Business Edition | A.x.x | All versions | |-------------------------------+-------------+--------------------------| | Asterisk Business Edition | B.x.x | B.2.3.3 and previous | |-------------------------------+-------------+--------------------------| | Asterisk Business Edition | C.x.x | C.1.0-beta5 and previous | |-------------------------------+-------------+--------------------------| | AsteriskNOW | pre-release | None | |-------------------------------+-------------+--------------------------| | Asterisk Appliance Developer | 0.x.x | None | | Kit | | | |-------------------------------+-------------+--------------------------| | s800i (Asterisk Appliance) | 1.0.x | None | +------------------------------------------------------------------------+ +------------------------------------------------------------------------+ | Corrected In | |------------------------------------------------------------------------| | Product | Release | |-------------------------------------------+----------------------------| | Asterisk Open Source | 1.2.25 | |-------------------------------------------+----------------------------| | Asterisk Open Source | 1.4.15 | |-------------------------------------------+----------------------------| | Asterisk Business Edition | B.2.3.4 | |-------------------------------------------+----------------------------| | Asterisk Business Edition | C.1.0-beta6 | +------------------------------------------------------------------------+ +------------------------------------------------------------------------+ | Links | | +------------------------------------------------------------------------+ +------------------------------------------------------------------------+ | Asterisk Project Security Advisories are posted at | | http://www.asterisk.org/security | | | | This document may be superseded by later versions; if so, the latest | | version will be posted at | | http://downloads.digium.com/pub/security/AST-2007-026.pdf and | | http://downloads.digium.com/pub/security/AST-2007-026.html | +------------------------------------------------------------------------+ +------------------------------------------------------------------------+ | Revision History | |------------------------------------------------------------------------| | Date | Editor | Revisions Made | |----------------+--------------------+----------------------------------| | 2007-11-29 | Tilghman Lesher | Initial release | |----------------+--------------------+----------------------------------| | 2007-11-29 | Tilghman Lesher | Added CVE, ABE C version | +------------------------------------------------------------------------+ Asterisk Project Security Advisory - AST-2007-026 Copyright (c) 2007 Digium, Inc. All Rights Reserved. Permission is hereby granted to distribute and publish this advisory in its original, unaltered form. Thanks for the report. voip, please advise. voip, please provide an updated ebuild. (In reply to comment #4) > voip, please provide an updated ebuild. > *ping* 1.2.26 Released http://www.asterisk.org/node/48438 *** Bug 212306 has been marked as a duplicate of this bug. *** Updated ebuild available on Bug 212306 Previous ebuild in bug report 212306 did not emerge correctly with bristuff. I setup a test box and now it emerges fine with/without bri/backports, etc. If someone gets errors while emerging then please let me know. asterisk 1.2.27 has been released: http://bugs.gentoo.org/show_bug.cgi?id=212306 net-misc/asterisk-1.2.27 in cvs. target keywords are amd64 sparc x86. stabling on bug 213883. Two YES on bug 213883. GLSA 200804-13 |