Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 573924 (AST-2016-001)

Summary: <net-misc/asterisk-11.21.1: Susceptible to BEAST attack in TLS implementation (AST-2016-001)
Product: Gentoo Security Reporter: Kristian Fiskerstrand (RETIRED) <k_f>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: chainsaw, josh
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://downloads.asterisk.org/pub/security/AST-2016-001.html
Whiteboard: B4 [noglsa]
Package list:
Runtime testing required: ---

Description Kristian Fiskerstrand (RETIRED) gentoo-dev 2016-02-05 13:31:07 UTC 
CVE Name
	

Pending



Description
	

The Asterisk HTTP server currently has a default configuration which allows the BEAST vulnerability to be exploited if the TLS functionality is enabled. This can allow a man-in-the-middle attack to decrypt data passing through it.


Resolution
	

Additional configuration options have been added to Asterisk which allow configuration of the HTTP server to not be susceptible to the BEAST vulnerability. These include options to confirm the permitted ciphers, to control what TLS protocols are allowed, and to use server cipher preference order instead of client preference order. The default configuration has also been changed for the HTTP server to use a configuration which is not susceptible to the BEAST vulnerability.
Comment 1 Tony Vroon (RETIRED) gentoo-dev 2016-02-05 13:33:13 UTC 
Arches, please test & mark stable:
=net-misc/asterisk-11.21.1

Target keywords: AMD64 X86

Test plan:
1) emerge asterisk with USE=samples
2) /etc/init.d/asterisk start
3) wait 6 seconds
4) /etc/init.d/asterisk stop
5) wait 6 seconds
6) repeat from step 2 for 4 iterations
Comment 2 Agostino Sarubbo gentoo-dev 2016-02-05 15:03:55 UTC 
amd64 stable
Comment 3 Agostino Sarubbo gentoo-dev 2016-02-05 15:04:21 UTC 
x86 stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 4 Tony Vroon (RETIRED) gentoo-dev 2016-02-05 15:09:40 UTC 
Vulnerable ebuild removed.
Comment 5 Kristian Fiskerstrand (RETIRED) gentoo-dev 2016-02-05 16:10:47 UTC 
GLSA Vote: No