Description: "There is a possibility to remotely crash an Asterisk server if the server is configured to use realtime IAX2 users. The issue occurs if either an unknown user attempts to authenticate or if a user that uses hostname matching attempts to authenticate. The problem was due to a broken function call to Asterisk's realtime configuration API." Also from Secunia: http://secunia.com/Advisories/32956/ Only 1.2.27 in the portage tree is affected.
CVE-2008-5558 Asterisk Open Source 1.2.26 through 1.2.30.3 and Business Edition B.2.3.5 through B.2.5.5, when realtime IAX2 users are enabled, allows remote attackers to cause a denial of service (crash) via authentication attempts involving (1) an unknown user or (2) a user using hostname matching.
CVE-2008-5558 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5558): Asterisk Open Source 1.2.26 through 1.2.30.3 and Business Edition B.2.3.5 through B.2.5.5, when realtime IAX2 users are enabled, allows remote attackers to cause a denial of service (crash) via authentication attempts involving (1) an unknown user or (2) a user using hostname matching.
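A quick triage check for the two conditions the advisory names (an Asterisk version inside the affected window and IAX2 users looked up through the realtime API). This is an added example written for this bug, not Asterisk or Gentoo code; the version ranges come from the NVD entry above, the `iaxusers`/`iaxpeers` families are the ones extconfig.conf uses to route IAX2 lookups to a realtime backend, and the sample extconfig.conf text and the function names are constructed for the example.

```python
"""Triage helper for CVE-2008-5558: is this Asterisk 1.2 host in the affected
version window, and does extconfig.conf put IAX2 user lookups on the realtime
API?  Added example, not Asterisk or Gentoo code."""
import re

# Affected ranges (inclusive) as listed in the NVD entry for CVE-2008-5558.
OPEN_SOURCE_MIN = (1, 2, 26)
OPEN_SOURCE_MAX = (1, 2, 30, 3)
BUSINESS_MIN = (2, 3, 5)      # Business Edition B.2.3.5
BUSINESS_MAX = (2, 5, 5)      # Business Edition B.2.5.5

# extconfig.conf families that route IAX2 user/peer lookups to realtime.
IAX2_REALTIME_FAMILIES = {"iaxusers", "iaxpeers"}


def parse_version(text):
    """Pull the first dotted number out of e.g. 'Asterisk 1.2.30.3' or
    'Business Edition B.2.5.5' and return it as a tuple of ints."""
    m = re.search(r"(\d+(?:\.\d+)+)", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def in_affected_range(text):
    """True if the version string falls inside either affected range.
    Tuple comparison gives the right answer for mixed-length versions:
    (1, 2, 30) <= (1, 2, 30, 3) and (1, 2, 31, 1) > (1, 2, 30, 3)."""
    v = parse_version(text)
    if re.search(r"\bB\.\d", text):            # Business Edition versions
        return BUSINESS_MIN <= v <= BUSINESS_MAX
    return OPEN_SOURCE_MIN <= v <= OPEN_SOURCE_MAX


def realtime_iax2_families(extconfig_text):
    """Return {family: backend} for IAX2 families mapped to a realtime backend.
    extconfig.conf lines look like 'iaxusers => odbc,asterisk,iax_users';
    ';' starts a comment, so commented-out mappings do not count."""
    found = {}
    for line in extconfig_text.splitlines():
        line = line.split(";", 1)[0].strip()
        if "=>" not in line:
            continue
        family, backend = (p.strip() for p in line.split("=>", 1))
        if family in IAX2_REALTIME_FAMILIES and backend:
            found[family] = backend
    return found


def is_exposed(version_text, extconfig_text):
    """The crash needs both conditions from the advisory: an affected build
    and realtime IAX2 users (the 'iaxusers' family) actually enabled."""
    return in_affected_range(version_text) and \
        "iaxusers" in realtime_iax2_families(extconfig_text)


# Constructed sample extconfig.conf, not taken from any real deployment.
SAMPLE_EXTCONFIG = """\
[settings]
;sippeers => odbc,asterisk
iaxusers => odbc,asterisk,iax_users   ; realtime IAX2 users enabled
iaxpeers => odbc,asterisk,iax_peers
"""

if __name__ == "__main__":
    for v in ("Asterisk 1.2.27", "Asterisk 1.2.31.1"):
        print(v, "exposed" if is_exposed(v, SAMPLE_EXTCONFIG) else "not exposed")
```

On a real host feed it the output of `asterisk -V` and the contents of /etc/asterisk/extconfig.conf; a commented-out `;iaxusers` line is correctly treated as not enabled, and 1.2.31.1 (the stabilisation target in this bug) lands outside the window.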
Ping. Delay for B3 is 20 days...
+*asterisk-1.2.31.1 (11 Mar 2009) + + 11 Mar 2009; <chainsaw@gentoo.org> + +files/1.2.0/asterisk-1.2.31.1-bri-fixups.diff, + +files/1.2.0/asterisk-1.2.31.1-comma-is-not-pipe.diff, + +files/1.2.0/asterisk-1.2.31.1-svn89254.diff, +asterisk-1.2.31.1.ebuild: + Version bump, for security bugs #250748 and #254304. Took a 1.4 build fix + that is relevant to 1.2, Digium bug #11238. Wrote patch to fix up typo in + open call, a comma is not a pipe sign. Used EAPI 2 for USE-based + dependencies instead of calling die. Patch from Mounir Lamouri adding + -lspeexdsp closes bug #206463 filed by John Read.
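Review bot: the ChangeLog entry cites Gentoo bugs #250748 and #254304 and Digium bug #11238 but not CVE-2008-5558, the identifier this bug tracks; naming the CVE next to the bug numbers makes the entry easier to match against the GLSA and against vulnerability-scanner output later.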
Arches, please test and mark stable 1.2.31.1 in the tree.
Target keywords: ~alpha amd64 ~hppa ~ppc sparc x86
Alpha, PowerPC, please feel free to mark stable even though you're not stable right now. This is the last ever release in the 1.2 branch and we'll redo keywording from scratch for the 1.6 branch.
This has been tested on a production network for AMD64 using Cisco 7960 phones (SIP firmware) and 2 Patton gateways, both connected to 2 ISDN BRI lines from British Telecom.
Arch teams, for your echangelog entries, said keywording will also address security bug #254304. If you do not have hardware, your usual compilation and QA tests will suffice.
Sparc stable.
Stable on alpha, including the requisite net-libs/openh323.
amd64/x86 stable
ppc done
HPPA isn't stable, and won't do now:
>>> Compiling source in /dev/shm/portage/net-misc/asterisk-1.2.31.1/work/asterisk-1.2.31.1 ...
 * Building Asterisk...
make: *** No rule to make target `hppa2.0-unknown-linux-gnu-gcc'.  Stop.
 *
 * ERROR: net-misc/asterisk-1.2.31.1 failed.
+ 23 Mar 2009; <chainsaw@gentoo.org> -asterisk-1.2.27.ebuild: + Remove vulnerable 1.2.27 version now that arch keywording is complete. For + security bugs #250748 & #254304.
GLSA 200905-01