Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 504180 (cve-2014-2286) - <net-misc/asterisk-{1.8.26.1,11.8.1} : Denial of Service (CVE-2014-{2286,2287,2288,2289}) (AST-2014-001 - AST-2014-002 -AST-2014-003 - AST-2014-004)
Summary: <net-misc/asterisk-{1.8.26.1,11.8.1} : Denial of Service (CVE-2014-{2286,2287...
Status: RESOLVED FIXED
Alias: cve-2014-2286
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B3 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2014-03-11 08:26 UTC by Agostino Sarubbo
Modified: 2014-05-03 19:14 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Comment 1 Tony Vroon gentoo-dev 2014-03-11 09:04:33 UTC
+*asterisk-12.1.1 (11 Mar 2014)
+*asterisk-11.8.1 (11 Mar 2014)
+*asterisk-1.8.26.1 (11 Mar 2014)
+
+  11 Mar 2014; Tony Vroon <chainsaw@gentoo.org> -asterisk-1.8.26.0.ebuild,
+  +asterisk-1.8.26.1.ebuild, -asterisk-11.7.0-r1.ebuild,
+  -asterisk-11.8.0.ebuild, +asterisk-11.8.1.ebuild, -asterisk-12.0.0.ebuild,
+  -asterisk-12.1.0.ebuild, +asterisk-12.1.1.ebuild:
+  New releases in all three branches to address a stack overflow in HTTP cookie
+  header processing, a file descriptor exhaustion through session timers in
+  chan_sip and two remote crashes in PJSIP (12 branch only). Removed all
+  vulnerable non-stable ebuilds. Upstream vulnerability reports AST-2014-001, 
+  002, 003 & 004.

Arches, please test and mark stable:
=net-misc/asterisk-1.8.26.1
=net-misc/asterisk-11.8.1

The following branch is masked and has no stable ebuilds:
=net-misc/asterisk-12.1.1

The following vulnerable ebuilds should be removed after security stabling:
=net-misc/asterisk-1.8.25.0
=net-misc/asterisk-11.7.0
Comment 2 Agostino Sarubbo gentoo-dev 2014-03-11 15:05:41 UTC
amd64 stable
Comment 3 Agostino Sarubbo gentoo-dev 2014-03-11 15:05:59 UTC
x86 stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 4 Tony Vroon gentoo-dev 2014-03-11 15:12:07 UTC
Clean-up by ago is complete, secure ebuilds on all three branches. Please proceed with GLSA decision process.
Comment 5 Sergey Popov gentoo-dev Security 2014-04-23 19:58:52 UTC
Thanks everyone. GLSA request filed.
Comment 6 GLSAMaker/CVETool Bot gentoo-dev 2014-04-24 07:32:58 UTC
CVE-2014-2289 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2289):
  res/res_pjsip_exten_state.c in the PJSIP channel driver in Asterisk Open
  Source 12.x before 12.1.0 allows remote authenticated users to cause a
  denial of service (crash) via a SUBSCRIBE request without any Accept
  headers, which triggers an invalid pointer dereference.
Comment 7 Sergey Popov gentoo-dev Security 2014-04-26 07:18:32 UTC
Lowering vulnerability score, due to all of the specified vulnerabilities are classified as Denial of Service by upstream
Comment 8 GLSAMaker/CVETool Bot gentoo-dev 2014-05-03 19:14:07 UTC
This issue was resolved and addressed in
 GLSA 201405-05 at http://security.gentoo.org/glsa/glsa-201405-05.xml
by GLSA coordinator Sergey Popov (pinkbyte).