Bug 530056

Summary: <net-misc/asterisk-11.14.1: multiple vulnerabilities (CVE-2014-{8412,8414,8417,8418})
Product: Gentoo Security
Reporter: Agostino Sarubbo <ago>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: B3 [glsa]
Package list:
Runtime testing required: ---

Comment 1 Tony Vroon (RETIRED) gentoo-dev 2014-11-24 11:31:35 UTC
+*asterisk-12.7.1 (24 Nov 2014)
+*asterisk-11.14.1 (24 Nov 2014)
+
+  24 Nov 2014; Tony Vroon <chainsaw@gentoo.org> -asterisk-11.14.0.ebuild,
+  +asterisk-11.14.1.ebuild, -asterisk-12.6.1.ebuild, -asterisk-12.7.0.ebuild,
+  +asterisk-12.7.1.ebuild:
+  11 branch susceptible to AST-2014-012, AST-2014-014, AST-2014-017 &
+  AST-2014-018. 12 branch susceptible to AST-2014-012, AST-2014-013,
+  AST-2014-015, AST-2014-016, AST-2014-017 & AST-2014-018. Vulnerable
+  non-stable ebuilds removed. For security bug #530056.

Arches, please test & mark stable:
=net-misc/asterisk-11.14.1

Target stable keywords:
amd64 x86
Comment 2 Agostino Sarubbo gentoo-dev 2014-11-24 15:26:18 UTC
amd64 stable
Comment 3 Agostino Sarubbo gentoo-dev 2014-11-24 15:26:31 UTC
x86 stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 4 Tony Vroon (RETIRED) gentoo-dev 2014-11-24 15:58:34 UTC
+  24 Nov 2014; Tony Vroon <chainsaw@gentoo.org> -asterisk-11.13.1.ebuild:
+  Remove vulnerable ebuilds now that stabilisation is complete. For security
+  bug #530056.
Comment 5 GLSAMaker/CVETool Bot gentoo-dev 2014-12-27 02:01:47 UTC
CVE-2014-8418 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8418):
  The DB dialplan function in Asterisk Open Source 1.8.x before 1.8.32, 11.x
  before 11.1.4.1, 12.x before 12.7.1, and 13.x before 13.0.1 and Certified
  Asterisk 1.8 before 1.8.28-cert8 and 11.6 before 11.6-cert8 allows remote
  authenticated users to gain privileges via a call from an external protocol,
  as demonstrated by the AMI protocol.

CVE-2014-8417 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8417):
  ConfBridge in Asterisk 11.x before 11.14.1, 12.x before 12.7.1, and 13.x
  before 13.0.1 and Certified Asterisk 11.6 before 11.6-cert8 allows remote
  authenticated users to (1) gain privileges via vectors related to an
  external protocol to the CONFBRIDGE dialplan function or (2) execute
  arbitrary system commands via a crafted ConfbridgeStartRecord AMI action.

CVE-2014-8414 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8414):
  ConfBridge in Asterisk 11.x before 11.14.1 and Certified Asterisk 11.6
  before 11.6-cert8 does not properly handle state changes, which allows
  remote attackers to cause a denial of service (channel hang and memory
  consumption) by causing transitions to be delayed, which triggers a state
  change from hung up to waiting for media.

CVE-2014-8412 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8412):
  The (1) VoIP channel drivers, (2) DUNDi, and (3) Asterisk Manager Interface
  (AMI) in Asterisk Open Source 1.8.x before 1.8.32.1, 11.x before 11.14.1,
  12.x before 12.7.1, and 13.x before 13.0.1 and Certified Asterisk 1.8.28
  before 1.8.28-cert3 and 11.6 before 11.6-cert8 allows remote attackers to
  bypass the ACL restrictions via a packet with a source IP that does not
  share the address family as the first ACL entry.
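Added illustration, not Asterisk's code and not part of this bug: a minimal ACL matcher in C that shows the address-family mismatch described for CVE-2014-8412 as fail-open logic beside a fail-closed version. The ACL semantics (ordered entries, last match wins, deny when no entry matches in the hardened variant) and the sample ACL "deny 0.0.0.0/0; permit 192.0.2.0/24" are assumptions constructed for the example.

```c
#include <arpa/inet.h>
#include <string.h>
/* Illustrative ACL, not Asterisk's code: entries are evaluated in order and the
 * last matching entry decides. */
enum sense { DENY = 0, PERMIT = 1 };
struct acl_entry { int family; unsigned char addr[16]; int prefix; enum sense sense; };
static struct acl_entry mk(int family, const char *net, int prefix, enum sense s)
{
    struct acl_entry e = { family, {0}, prefix, s };
    inet_pton(family, net, e.addr);  /* constructed inputs are known-good */
    return e;
}

/* Compare the first `bits` bits of two addresses of the same family. */
static int prefix_match(const unsigned char *a, const unsigned char *b, int bits)
{
    int full = bits / 8, rem = bits % 8;
    unsigned char mask = (unsigned char)(0xff << (8 - rem));
    return memcmp(a, b, full) == 0 && (rem == 0 || (a[full] & mask) == (b[full] & mask));
}

/* Flawed check modelled on the CVE text: the source family is compared only with
 * the FIRST entry, and a mismatch skips the whole ACL, i.e. it fails open. */
enum sense acl_check_flawed(const struct acl_entry *acl, int n, int fam, const unsigned char *src)
{
    enum sense result = PERMIT;
    if (n == 0 || acl[0].family != fam) return PERMIT;
    for (int i = 0; i < n; i++)
        if (acl[i].family == fam && prefix_match(acl[i].addr, src, acl[i].prefix)) result = acl[i].sense;
    return result;
}

/* Hardened check (assumed semantics): every entry is tested against its own
 * family, and a source that matches no entry at all is denied, i.e. fails closed. */
enum sense acl_check_fixed(const struct acl_entry *acl, int n, int fam, const unsigned char *src)
{
    enum sense result = DENY; int matched = 0;
    for (int i = 0; i < n; i++)
        if (acl[i].family == fam && prefix_match(acl[i].addr, src, acl[i].prefix)) { result = acl[i].sense; matched = 1; }
    return matched ? result : DENY;
}

/* Constructed ACL "deny 0.0.0.0/0; permit 192.0.2.0/24" probed with one source
 * address (IPv4 or IPv6 text); `flawed` selects which checker runs. */
enum sense check_demo_acl(const char *src, int flawed)
{
    struct acl_entry acl[2] = { mk(AF_INET, "0.0.0.0", 0, DENY), mk(AF_INET, "192.0.2.0", 24, PERMIT) };
    unsigned char a[16];
    int fam = AF_INET;
    if (inet_pton(AF_INET, src, a) != 1) { fam = AF_INET6; inet_pton(AF_INET6, src, a); }
    return flawed ? acl_check_flawed(acl, 2, fam, a) : acl_check_fixed(acl, 2, fam, a);
}
```

An IPv6 source matches neither IPv4 entry, so the flawed checker permits it while the hardened one denies it; IPv4 sources are treated identically by both.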
Comment 6 Kristian Fiskerstrand (RETIRED) gentoo-dev 2014-12-28 15:23:38 UTC
Added to existing GLSA draft along with bug 532242
Comment 7 GLSAMaker/CVETool Bot gentoo-dev 2014-12-28 19:08:33 UTC
This issue was resolved and addressed in
 GLSA 201412-51 at http://security.gentoo.org/glsa/glsa-201412-51.xml
by GLSA coordinator Kristian Fiskerstrand (K_F).