Summary: | <net-misc/asterisk-{1.8.12.1,10.4.1} : IAX2 Remote crash vulnerability (CVE-2012-2947) | | |
---|---|---|---|
Product: | Gentoo Security | Reporter: | Rajiv Aaron Manglani (RETIRED) <rajiv> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | | |
Severity: | normal | CC: | voip+disabled |
Priority: | Normal | | |
Version: | unspecified | | |
Hardware: | All | | |
OS: | Linux | | |
URL: | http://downloads.digium.com/pub/security/AST-2012-007.html | | |
Whiteboard: | B2 [glsa] | | |
Package list: | | Runtime testing required: | --- |
Bug Depends on: | | | |
Bug Blocks: | 418191 | | |
Description
Rajiv Aaron Manglani (RETIRED)
2012-05-29 22:17:03 UTC
+*asterisk-10.4.1 (29 May 2012)
+*asterisk-1.8.12.1 (29 May 2012)
+
+ 29 May 2012; Tony Vroon <chainsaw@gentoo.org> -asterisk-1.8.12.0.ebuild,
+ +asterisk-1.8.12.1.ebuild, -asterisk-10.3.1.ebuild, -asterisk-10.4.0.ebuild,
+ +asterisk-10.4.1.ebuild:
+ Security updates in the 1.8 & 10 branches for an IAX2 remote crash, bug
+ #418189 (AST-2012-007/CVE-2012-2947) and an SCCP channel driver remote crash,
+ bug #418191 (AST-2012-008/CVE-2012-2948). Both filed by Rajiv Aaron Manglani.
+ Removed vulnerable ebuilds up to last stable.

Arches, please test & mark stable =net-misc/asterisk-1.8.12.1; compile test followed by a repeated stop/start cycle on the default config files will suffice. Could the last arch please remove the vulnerable 1.8.11.1 which is the current stable.

+*asterisk-10.4.1 (29 May 2012)
+*asterisk-1.8.12.1 (29 May 2012)
+
+ 29 May 2012; Tony Vroon <chainsaw@gentoo.org> -asterisk-1.8.12.0.ebuild,
+ +asterisk-1.8.12.1.ebuild, -asterisk-10.3.1.ebuild, -asterisk-10.4.0.ebuild,
+ +asterisk-10.4.1.ebuild:
+ Security updates in the 1.8 & 10 branches for an IAX2 remote crash, bug
+ #418189 (AST-2012-007/CVE-2012-2947) and an SCCP channel driver remote crash,
+ bug #418191 (AST-2012-008/CVE-2012-2948). Both filed by Rajiv Aaron Manglani.
+ Removed vulnerable ebuilds up to last stable.

Stabilisation being handled in bug #418191.

x86 stable

amd64 ok

amd64 stable, removed old.

@security, go ahead with glsa.

CVE-2012-2947 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2947):
chan_iax2.c in the IAX2 channel driver in Certified Asterisk 1.8.11-cert before 1.8.11-cert2 and Asterisk Open Source 1.8.x before 1.8.12.1 and 10.x before 10.4.1, when a certain mohinterpret setting is enabled, allows remote attackers to cause a denial of service (daemon crash) by placing a call on hold.

This issue was resolved and addressed in GLSA 201206-05 at http://security.gentoo.org/glsa/glsa-201206-05.xml by GLSA coordinator Sean Amoss (ackle).
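A triage helper for the affected-version ranges quoted in the CVE text above, added here as an example; it is not code from this bug, the Gentoo tree, Digium's advisory or Asterisk itself. It classifies an Asterisk version string against the ranges the CVE names (1.8.x before 1.8.12.1, 10.x before 10.4.1, Certified 1.8.11-cert before 1.8.11-cert2) and lists every `mohinterpret` setting in an iax.conf so an operator can compare it with the setting named in AST-2012-007, which this page does not quote. The function names, the `triage` verdict strings and the sample iax.conf are this example's own constructed assumptions.

```python
"""Triage helper for AST-2012-007 / CVE-2012-2947 (added example, not project code)."""
import re
from typing import Dict, Optional

# Fixed versions as stated in the CVE text quoted on this page.
FIXED_OSS = {"1.8": (1, 8, 12, 1), "10": (10, 4, 1)}
FIXED_CERT = ("1.8.11", 2)  # Certified Asterisk 1.8.11-cert2


def parse_version(s: str):
    """'1.8.11-cert1' -> ('cert', '1.8.11', 1); '1.8.12.1' -> ('oss', (1, 8, 12, 1))."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)-cert(\d+)", s.strip())
    if m:
        return "cert", m.group(1), int(m.group(2))
    m = re.fullmatch(r"\d+(?:\.\d+)*", s.strip())
    if not m:
        raise ValueError(f"unrecognised Asterisk version: {s!r}")
    return "oss", tuple(int(x) for x in m.group(0).split("."))


def version_vulnerable(s: str) -> Optional[bool]:
    """True = inside the affected range, False = at or past the fix,
    None = a branch the advisory on this page does not list (e.g. 1.6.x)."""
    parsed = parse_version(s)
    if parsed[0] == "cert":
        base, n = parsed[1], parsed[2]
        return n < FIXED_CERT[1] if base == FIXED_CERT[0] else None
    parts = parsed[1]
    if parts[:2] == (1, 8):
        return parts < FIXED_OSS["1.8"]  # tuple order: (1,8,11,1) < (1,8,12,1)
    if parts[:1] == (10,):
        return parts < FIXED_OSS["10"]
    return None


def mohinterpret_settings(iax_conf: str) -> Dict[str, str]:
    """Map section name -> mohinterpret value for every section that sets it.
    Handles ';' comments, 'key=value', 'key => value' and '[name](template)'."""
    section, found = None, {}
    for raw in iax_conf.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        hdr = re.fullmatch(r"\[([^\]]+)\](?:\(.*\))?", line)
        if hdr:
            section = hdr.group(1)
            continue
        key, sep, value = line.partition("=")
        if sep and key.strip().lower() == "mohinterpret":
            found[section] = value.lstrip(">").strip()
    return found


def triage(version: str, iax_conf: str) -> Dict[str, object]:
    """Combine both checks; 'action' is 'upgrade', 'ok' or 'unlisted' (assumed names)."""
    vuln = version_vulnerable(version)
    settings = mohinterpret_settings(iax_conf)
    action = "upgrade" if vuln else ("ok" if vuln is False else "unlisted")
    return {"version": version, "vulnerable_version": vuln,
            "mohinterpret": settings, "action": action}


# Constructed sample iax.conf for this example; the values are illustrative,
# not the setting the advisory names (this page only says "a certain
# mohinterpret setting"), so compare the output against AST-2012-007 yourself.
SAMPLE_IAX_CONF = """\
; constructed sample for this example
[general]
bindport=4569
mohinterpret=default        ; illustrative value

[office](!)
type=friend
host=dynamic
mohinterpret => customclass ; illustrative value
"""

if __name__ == "__main__":
    for v in ("1.8.11.1", "1.8.12.1", "10.4.0", "10.4.1", "1.8.11-cert1", "1.6.2.24"):
        print(v, triage(v, SAMPLE_IAX_CONF)["action"])
    print(mohinterpret_settings(SAMPLE_IAX_CONF))
```

The version check deliberately returns `None` for branches the CVE text does not mention rather than guessing, since the page gives no statement about them; on a Gentoo host the version string to feed in is the one from `equery` or `asterisk -V`, and the "upgrade" verdict for the then-stable 1.8.11.1 matches the stabilisation request in the comments above.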