| Summary: | <net-misc/asterisk-{1.2.36, 1.6.1.9} Multiple vulnerabilities (CVE-2008-7220,CVE-2009-3727) | ||
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Alex Legler (RETIRED) <a3li> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | ||
| Severity: | minor | CC: | chainsaw, voip+disabled |
| Priority: | High | ||
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | http://www.asterisk.org/node/49859 | ||
| Whiteboard: | B4 [glsa] | ||
| Package list: | Runtime testing required: | --- | |
| Bug Depends on: | |||
| Bug Blocks: | 284874 | ||
|
Description
Alex Legler (RETIRED)
2009-09-14 10:26:59 UTC
AST-2009-008 (http://downloads.asterisk.org/pub/security/AST-2009-008.html): It is possible to determine if a peer with a specific name is configured in Asterisk by sending a specially crafted REGISTER message twice. The username that is to be checked is put in the user portion of the URI in the To header. A bogus non-matching value is put into the username portion of the Digest in the Authorization header. If the peer does exist the second REGISTER will receive a response of “403 Authentication user name does not match account name”. If the peer does not exist the response will be “404 Not Found” if alwaysauthreject is disabled and “401 Unauthorized” if alwaysauthreject is enabled. AST-2009-009 (http://downloads.asterisk.org/pub/security/AST-2009-009.html): Asterisk includes a demonstration AJAX based manager interface, ajamdemo.html which uses the prototype.js framework. An issue was uncovered in this framework which could allow someone to execute a cross-site AJAX request exploit. voip: Please bump. +*asterisk-1.6.1.9 (04 Nov 2009) +*asterisk-1.2.36 (04 Nov 2009) + + 04 Nov 2009; <chainsaw@gentoo.org> -asterisk-1.2.35-r1.ebuild, + +asterisk-1.2.36.ebuild, -asterisk-1.6.1.8.ebuild, + -asterisk-1.6.1.8-r1.ebuild, +asterisk-1.6.1.9.ebuild: + Version bumps as requested by Alex "a3li" Legler in security bug #284892, + drop any non-stable vulnerable ebuild. Upstream advisory AST-2009-008. Arch teams, please stable net-misc/asterisk-1.2.36 Target keywords: alpha amd64 ppc sparc x86 Recommend compile test & attempt to run (default configuration should allow the daemon to start and stop with green OK from /etc/init.d/asterisk). + 05 Nov 2009; <chainsaw@gentoo.org> asterisk-1.2.36.ebuild: + Marked stable on AMD64 for security bug #284892, based on compilation & + start/stop init.d test on default configuration. x86 stable Stable on alpha. CVE-2009-3727 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3727): Asterisk Open Source 1.2.x before 1.2.35, 1.4.x before 1.4.26.3, 1.6.0.x before 1.6.0.17, and 1.6.1.x before 1.6.1.9; Business Edition A.x.x, B.x.x before B.2.5.12, C.2.x.x before C.2.4.5, and C.3.x.x before C.3.2.2; AsteriskNOW 1.5; and s800i 1.3.x before 1.3.0.5 generate different error messages depending on whether a SIP username is valid, allows remote attackers to enumerate valid usernames via multiple crafted REGISTER messages with inconsistent usernames in the URI in the To header and the Digest in the Authorization header. sparc stable Marked ppc stable. GLSA 201006-20 |