Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 169616 - net-misc/asterisk: SIP DoS vulnerability (CVE-2007-1306)
Summary: net-misc/asterisk: SIP DoS vulnerability (CVE-2007-1306)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High minor (vote)
Assignee: Gentoo Security
URL: http://asterisk.org/node/48319
Whiteboard: B3 [glsa] jaervosz
Keywords:
: 169681 (view as bug list)
Depends on:
Blocks:
 
Reported: 2007-03-06 13:43 UTC by Tony Vroon
Modified: 2007-03-17 06:51 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Tony Vroon gentoo-dev 2007-03-06 13:43:47 UTC
"This release contains a number of bug fixes, including a fix for a recently discovered security vulnerability. All Asterisk 1.2 users are urged to update to this release as soon as possible."

Similar story for the asterisk 1.4 branch, please update to 1.4.1 there.
Comment 1 Matthias Geerdsen (RETIRED) gentoo-dev 2007-03-06 14:17:22 UTC
stkn/voip-herd, please provide an updated ebuild
Comment 2 Rajiv Aaron Manglani (RETIRED) gentoo-dev 2007-03-06 16:58:36 UTC
asterisk 1.0.12 is also vulnerable but not supported upstream. i will patch in our cvs shortly.
Comment 3 Sune Kloppenborg Jeppesen gentoo-dev 2007-03-06 22:58:10 UTC
*** Bug 169681 has been marked as a duplicate of this bug. ***
Comment 4 Rajiv Aaron Manglani (RETIRED) gentoo-dev 2007-03-09 20:30:03 UTC
net-misc/asterisk-1.0.12-r1 with ported patch in cvs as ~x86 and ~ppc.

x86 team: please test and mark stable (or drop me an email and i will do it).

older 1.0.12 version is ~ppc also so nothing to be done there.

fyi, vulnerability notice: http://labs.musecurity.com/advisories/MU-200703-01.txt
Comment 5 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-03-09 21:14:29 UTC
Just as a reminder, 1.2.* needs to be fixed too

Secunia says 1.2.16 fixes that vulnerability

Secunia: http://secunia.com/advisories/24380/
Comment 6 Raúl Porcel (RETIRED) gentoo-dev 2007-03-10 14:13:05 UTC
rajiv, please bump 1.2.* too, so we can stabilize both.
Comment 7 Gustavo Zacarias (RETIRED) gentoo-dev 2007-03-12 19:12:34 UTC
Rajiv just handles the 1.0 branch.
I can handle 1.2 but i'm waiting for a newer upstream (http://www.junghanns.net/downloads/) BRIstuff patch since PRE-1y isn't 1.2.16-friendly.
Otherwise we could just try to patch the offending code in asterisk and do a revbump.
Comment 8 Christian Faulhammer (RETIRED) gentoo-dev 2007-03-12 19:29:19 UTC
(In reply to comment #7)
> Rajiv just handles the 1.0 branch.
> I can handle 1.2 but i'm waiting for a newer upstream
> (http://www.junghanns.net/downloads/) BRIstuff patch since PRE-1y isn't
> 1.2.16-friendly.
> Otherwise we could just try to patch the offending code in asterisk and do a
> revbump.

 Maybe the best solution if you can't tell how long the newer patch may take to be provided.
Comment 9 Sune Kloppenborg Jeppesen gentoo-dev 2007-03-12 20:34:55 UTC
Debian appears to have a BRIstuff PRE-1x patch for 1.2.16 if it's any help. Otherwise just a simple patch similar to the one for 1.0 branch would be fine.
Comment 10 Rajiv Aaron Manglani (RETIRED) gentoo-dev 2007-03-12 21:10:17 UTC
fyi the original patch for 1.2.x and 1.4.x is available at http://svn.digium.com/view/asterisk?rev=57478&view=rev
Comment 11 Gustavo Zacarias (RETIRED) gentoo-dev 2007-03-13 18:41:15 UTC
Actually it's r57475 for asterisk-1.2 (r57478 is for 1.4).
Committed in asterisk-1.2.14-r1.
Will need =net-libs/libpri-1.2.4-r1 and =net-misc/zaptel-1.2.12-r1 stable with this too to match BRIstuff.
sparc stable btw.
Comment 12 Sune Kloppenborg Jeppesen gentoo-dev 2007-03-13 19:40:59 UTC
Thanks Gustavo.

x86 please test and mark stable:
net-misc/asterisk-1.2.14-r1
net-libs/libpri-1.2.4-r1
net-misc/zaptel-1.2.12-r1
Comment 13 Christian Faulhammer (RETIRED) gentoo-dev 2007-03-13 19:58:09 UTC
(In reply to comment #12)
> Thanks Gustavo.
> 
> x86 please test and mark stable:
> net-misc/asterisk-1.2.14-r1
> net-libs/libpri-1.2.4-r1
> net-misc/zaptel-1.2.12-r1

And 1.0.12-r1, too. Done.

Comment 14 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-03-15 22:10:44 UTC
I vote yes for that VoIP platform for which disponibility is important.
Comment 15 Sune Kloppenborg Jeppesen gentoo-dev 2007-03-16 08:00:18 UTC
Let's have a GLSA on this one.

GLSA drafted and ready for review.
Comment 16 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-03-17 06:51:34 UTC
GLSA 200703-14