Two issues fixed in Asterisk: CVE-2012-5976 - Crashes due to large stack allocations when using TCP CVE-2012-5977 - Denial of Service Through Exploitation of Device State Caching Corrected In Product: Asterisk Open Source Release: 1.8.19.1, 10.11.1, 11.1.1
+*asterisk-11.1.1 (02 Jan 2013) +*asterisk-10.11.1 (02 Jan 2013) +*asterisk-1.8.19.1 (02 Jan 2013) + + 02 Jan 2013; Tony Vroon <chainsaw@gentoo.org> -asterisk-1.8.15.1.ebuild, + -asterisk-1.8.18.1.ebuild, -asterisk-1.8.19.0.ebuild, + +asterisk-1.8.19.1.ebuild, -asterisk-10.10.1.ebuild, + -asterisk-10.11.0.ebuild, +asterisk-10.11.1.ebuild, -asterisk-11.0.2.ebuild, + -asterisk-11.1.0.ebuild, +asterisk-11.1.1.ebuild: + Security releases on all three branches; stop using stack allocations in TCP + receive paths, as multiple packets may be concatenated together and overflow + the stack as a result (CVE-2012-5976 / AST-2012-015). Never cache devices + that are not associated with a physical entity, as to do so allows a denial + of service through cache exhaustion (CVE-2012-5977 / AST-2012-014). Remove + all non-stable vulnerable ebuilds. As requested by Sean Amoss in bug #449828. Arches, please test & mark stable =net-misc/asterisk-1.8.19.1 Target keywords: amd64 x86 Please compile on different USE-flag permutations and confirm that the daemon is able to survive at least three start/stop cycles.
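The first fix in the ChangeLog above (stop sizing stack buffers in the TCP receive path from peer-controlled data, because several messages can arrive concatenated in one read) can be illustrated with a small framer. The code below is an added example written for this page; it is not Asterisk's code and not from this bug. It assumes a constructed wire format of a 2-byte big-endian length prefix followed by the payload, a chosen cap `MAX_FRAME`, and hypothetical function names. The reassembly buffer lives on the heap with a fixed capacity, the claimed length is validated before any payload is buffered, and concatenated or split frames are handled across reads.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed upper bound on one message; anything larger is rejected. */
#define MAX_FRAME 4096u

/* The defect class the ChangeLog describes is a stack buffer sized from
 * what the peer sends, e.g. `char buf[claimed_len];` or alloca(claimed_len),
 * which grows without bound when reads return several messages at once.
 * This framer instead uses one heap buffer of fixed capacity. */

typedef void (*frame_cb)(const unsigned char *payload, size_t len, void *ctx);

struct reassembler {
    unsigned char *buf;   /* heap-allocated, capacity 2 + MAX_FRAME */
    size_t len;           /* bytes currently buffered (header + partial payload) */
};

int reassembler_init(struct reassembler *r)
{
    r->buf = malloc(2 + MAX_FRAME);
    r->len = 0;
    return r->buf ? 0 : -1;
}

void reassembler_free(struct reassembler *r)
{
    free(r->buf);
    r->buf = NULL;
    r->len = 0;
}

/* Length claimed by the 2-byte header at the start of the buffer. */
static size_t header_len(const struct reassembler *r)
{
    return ((size_t)r->buf[0] << 8) | r->buf[1];
}

/* Feed bytes as they arrive from the socket. Returns the number of complete
 * frames delivered to cb, or -1 if the peer claims a frame larger than
 * MAX_FRAME (the caller should drop the connection). */
int reassembler_feed(struct reassembler *r, const unsigned char *data, size_t n,
                     frame_cb cb, void *ctx)
{
    int frames = 0;
    while (n > 0) {
        size_t need, take;
        if (r->len < 2) {
            need = 2 - r->len;                 /* still collecting the header */
        } else {
            size_t flen = header_len(r);
            if (flen > MAX_FRAME) return -1;
            need = 2 + flen - r->len;          /* bytes left in this frame */
        }
        take = need < n ? need : n;            /* never exceeds buffer capacity */
        memcpy(r->buf + r->len, data, take);
        r->len += take;
        data += take;
        n -= take;
        if (r->len >= 2) {
            size_t flen = header_len(r);
            if (flen > MAX_FRAME) return -1;   /* reject before buffering payload */
            if (r->len == 2 + flen) {
                cb(r->buf + 2, flen, ctx);
                frames++;
                r->len = 0;                    /* reuse the same heap buffer */
            }
        }
    }
    return frames;
}

struct tally { int frames; size_t bytes; };

static void tally_cb(const unsigned char *p, size_t len, void *ctx)
{
    struct tally *t = ctx;
    (void)p;
    t->frames++;
    t->bytes += len;
}

/* Feed one buffer through a fresh reassembler; returns frames or -1. */
int count_frames(const unsigned char *data, size_t n)
{
    struct reassembler r;
    struct tally t = {0, 0};
    int rc;
    if (reassembler_init(&r) != 0) return -1;
    rc = reassembler_feed(&r, data, n, tally_cb, &t);
    reassembler_free(&r);
    return rc;
}

/* Same bytes delivered in two reads split at `cut`, as a TCP stream would. */
int count_frames_split(const unsigned char *data, size_t n, size_t cut)
{
    struct reassembler r;
    struct tally t = {0, 0};
    int a, b;
    if (cut > n || reassembler_init(&r) != 0) return -1;
    a = reassembler_feed(&r, data, cut, tally_cb, &t);
    b = (a < 0) ? -1 : reassembler_feed(&r, data + cut, n - cut, tally_cb, &t);
    reassembler_free(&r);
    return (a < 0 || b < 0) ? -1 : a + b;
}

int main(void)
{
    /* Constructed stream: two frames ("abc" and "hi") concatenated in one read. */
    static const unsigned char two[] = "\x00\x03" "abc" "\x00\x02" "hi";
    /* Constructed header claiming 32767 bytes, above MAX_FRAME. */
    static const unsigned char big[] = "\x7f\xff";
    printf("concatenated: %d frames\n", count_frames(two, 9));
    printf("split read:   %d frames\n", count_frames_split(two, 9, 4));
    printf("oversized:    %d (rejected)\n", count_frames(big, 2));
    return 0;
}
```

The check that matters is the one on `flen` before any payload is copied: the buffer capacity is decided once at `reassembler_init`, not by the peer, so a burst of concatenated messages costs at most one bounded heap buffer per connection rather than an unbounded stack frame.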
x86 done.
amd64 stable
Thanks, everyone. GLSA vote: yes.
+ 03 Jan 2013; Tony Vroon <chainsaw@gentoo.org> -asterisk-1.8.18.0-r2.ebuild: + Clear vulnerable ebuild in 1.8 branch now that stabling has completed.
GLSA Vote: yes, too. GLSA request filed.
CVE-2012-5977 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5977): Asterisk Open Source 1.8.x before 1.8.19.1, 10.x before 10.11.1, and 11.x before 11.1.2; Certified Asterisk 1.8.11 before 1.8.11-cert10; and Asterisk Digiumphones 10.x-digiumphones before 10.11.1-digiumphones, when anonymous calls are enabled, allow remote attackers to cause a denial of service (resource consumption) by making anonymous calls from multiple sources and consequently adding many entries to the device state cache.

CVE-2012-5976 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5976): Multiple stack consumption vulnerabilities in Asterisk Open Source 1.8.x before 1.8.19.1, 10.x before 10.11.1, and 11.x before 11.1.2; Certified Asterisk 1.8.11 before 1.8.11-cert10; and Asterisk Digiumphones 10.x-digiumphones before 10.11.1-digiumphones allow remote attackers to cause a denial of service (daemon crash) via TCP data using the (1) SIP, (2) HTTP, or (3) XMPP protocol.
This issue was resolved and addressed in GLSA 201401-15 at http://security.gentoo.org/glsa/glsa-201401-15.xml by GLSA coordinator Sergey Popov (pinkbyte).