
Bug 433750

Summary: <net-misc/asterisk-1.8.15.1: Multiple vulnerabilities (CVE-2012-{2186,4737})
Product: Gentoo Security
Reporter: GLSAMaker/CVETool Bot <glsamaker>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: major
CC: chainsaw, voip+disabled
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: B2 [glsa]
Package list:
Runtime testing required: ---

Description GLSAMaker/CVETool Bot gentoo-dev 2012-09-03 09:10:58 UTC
CVE-2012-4737 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4737):
  channels/chan_iax2.c in Asterisk Open Source 1.8.x before 1.8.15.1 and 10.x
  before 10.7.1, Certified Asterisk 1.8.11 before 1.8.11-cert7, Asterisk
  Digiumphones 10.x.x-digiumphones before 10.7.1-digiumphones, and Asterisk
  Business Edition C.3.x before C.3.7.6 does not enforce ACL rules during
  certain uses of peer credentials, which allows remote authenticated users to
  bypass intended outbound-call restrictions by leveraging the availability of
  these credentials.

CVE-2012-2186 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2186):
  Incomplete blacklist vulnerability in main/manager.c in Asterisk Open Source
  1.8.x before 1.8.15.1 and 10.x before 10.7.1, Certified Asterisk 1.8.11
  before 1.8.11-cert6, Asterisk Digiumphones 10.x.x-digiumphones before
  10.7.1-digiumphones, and Asterisk Business Edition C.3.x before C.3.7.6
  allows remote authenticated users to execute arbitrary commands by
  leveraging originate privileges and providing an ExternalIVR value in an AMI
  Originate action.
Comment 1 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2012-09-03 09:13:02 UTC
Arches, please test and mark stable:
=net-misc/asterisk-1.8.15.1
Target KEYWORDS: amd64 x86
Comment 2 Agostino Sarubbo gentoo-dev 2012-09-03 13:49:41 UTC
amd64 stable
Comment 3 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2012-09-13 07:21:58 UTC
x86 stable
Comment 4 Sean Amoss (RETIRED) gentoo-dev Security 2012-09-13 15:26:22 UTC
Thanks, everyone.

Already on existing GLSA request, ready for a 2nd review.
Comment 5 GLSAMaker/CVETool Bot gentoo-dev 2012-09-26 22:02:25 UTC
This issue was resolved and addressed in
 GLSA 201209-15 at http://security.gentoo.org/glsa/glsa-201209-15.xml
by GLSA coordinator Sean Amoss (ackle).