From ${URL} :

Description

When an out of call message - delivered by either the SIP or PJSIP channel driver or the XMPP stack - is handled in Asterisk, a crash can occur if the channel servicing the message is sent into the ReceiveFax dialplan application while using the res_fax_spandsp module. Note that this crash does not occur when using the res_fax_digium module.

While this crash technically occurs due to a configuration issue, as attempting to receive a fax from a channel driver that only contains textual information will never succeed, the likelihood of having it occur is sufficiently high as to warrant this advisory.

Upstream patch: http://downloads.asterisk.org/pub/security/AST-2014-010-11.diff

Additional info:
https://issues.asterisk.org/jira/browse/ASTERISK-24301
http://downloads.digium.com/pub/security/AST-2014-010.html

@maintainer(s): since the fixed package is already in the tree, please let us know if it is ready for the stabilization or not.
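The advisory calls the trigger a configuration issue: an out-of-call message (SIP/PJSIP MESSAGE or XMPP) is routed into the endpoint's ordinary inbound context, where an extension calls ReceiveFax, and with res_fax_spandsp that crashes Asterisk. The following extensions.conf / pjsip.conf fragment is an added illustration, not text from the Gentoo bug or from the upstream advisory: it shows the weak layout beside a corrected one that keeps message-only channels away from ReceiveFax. Context names, the endpoint name, the TIFF path and the "Message" channel-type value used in the GotoIf guard are assumptions for the example; the real fix remains upgrading to the patched package listed below.

```ini
; ---- weak layout (assumed example, not a real site's config) ----
; The endpoint's default context handles both calls and out-of-call
; messages, so a MESSAGE addressed to "fax" lands in ReceiveFax.
[incoming-weak]
exten => fax,1,NoOp(Inbound fax or message for ${CHANNEL(channeltype)})
 same => n,ReceiveFax(/var/spool/asterisk/fax/${UNIQUEID}.tif)
 same => n,Hangup()

; ---- corrected layout ----
; 1) Guard the fax extension: a text-only channel can never carry a fax,
;    so send it elsewhere before ReceiveFax is ever reached.
;    "Message" is the channel technology name assumed for out-of-call
;    message channels (Message/ast_msg_queue).
[incoming]
exten => fax,1,NoOp(Inbound fax or message for ${CHANNEL(channeltype)})
 same => n,GotoIf($["${CHANNEL(channeltype)}" = "Message"]?messages,${EXTEN},1)
 same => n,ReceiveFax(/var/spool/asterisk/fax/${UNIQUEID}.tif)
 same => n,Hangup()

; 2) Dedicated context for text messages; nothing here touches res_fax.
[messages]
exten => _.,1,NoOp(Out-of-call message from ${MESSAGE(from)}: ${MESSAGE(body)})
 same => n,Hangup()

; 3) pjsip.conf: route MESSAGE requests directly into [messages] so they
;    never enter the call context at all (endpoint name is assumed).
;    For chan_sip on Asterisk 11 the equivalent sip.conf option is
;    outofcall_message_context=messages.
;
; [trunk-endpoint]
; type=endpoint
; context=incoming
; message_context=messages
```

The guard and the separate message_context are defence in depth only; they reduce the chance of a text channel reaching ReceiveFax but do not replace the upstream patch.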
Arches, please test & mark stable:
=net-misc/asterisk-11.12.1
Target keywords: amd64 x86

The Asterisk 12 branch is masked and vulnerable ebuilds have been removed there.
amd64 stable
x86 stable. Maintainer(s), please cleanup. Security, please vote.
GLSA Vote: Yes
+ 22 Sep 2014; Tony Vroon <chainsaw@gentoo.org> -asterisk-11.10.2.ebuild: + Remove vulnerable ebuild for security bug #523216 as stabilisation is + complete. 1.8 branch not affected.
Maintainer(s), thank you for the cleanup!

GLSA Vote: Yes

Created a new GLSA request.
This issue was resolved and addressed in GLSA 201411-10 at http://security.gentoo.org/glsa/glsa-201411-10.xml by GLSA coordinator Sean Amoss (ackle).
CVE-2014-6610 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-6610): Asterisk Open Source 11.x before 11.12.1 and 12.x before 12.5.1 and Certified Asterisk 11.6 before 11.6-cert6, when using the res_fax_spandsp module, allows remote authenticated users to cause a denial of service (crash) via an out of call message, which is not properly handled in the ReceiveFax dialplan application.