Bug 530056 - <net-misc/asterisk-11.14.1: multiple vulnerabilities (CVE-2014-{8412,8414,8417,8418})
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
Whiteboard: B3 [glsa]
Reported: 2014-11-21 15:25 UTC by Agostino Sarubbo
Modified: 2014-12-28 19:08 UTC
Comment 1 Tony Vroon gentoo-dev 2014-11-24 11:31:35 UTC
+*asterisk-12.7.1 (24 Nov 2014)
+*asterisk-11.14.1 (24 Nov 2014)
+
+  24 Nov 2014; Tony Vroon <chainsaw@gentoo.org> -asterisk-11.14.0.ebuild,
+  +asterisk-11.14.1.ebuild, -asterisk-12.6.1.ebuild, -asterisk-12.7.0.ebuild,
+  +asterisk-12.7.1.ebuild:
+  11 branch susceptible to AST-2014-012, AST-2014-014, AST-2014-017 &
+  AST-2014-018. 12 branch susceptible to AST-2014-012, AST-2014-013,
+  AST-2014-015, AST-2014-016, AST-2014-017 & AST-2014-018. Vulnerable
+  non-stable ebuilds removed. For security bug #530056.

Arches, please test & mark stable:
=net-misc/asterisk-11.14.1

Target stable keywords:
amd64 x86
Comment 2 Agostino Sarubbo gentoo-dev 2014-11-24 15:26:18 UTC
amd64 stable
Comment 3 Agostino Sarubbo gentoo-dev 2014-11-24 15:26:31 UTC
x86 stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 4 Tony Vroon gentoo-dev 2014-11-24 15:58:34 UTC
+  24 Nov 2014; Tony Vroon <chainsaw@gentoo.org> -asterisk-11.13.1.ebuild:
+  Remove vulnerable ebuilds now that stabilisation is complete. For security
+  bug #530056.
Comment 5 GLSAMaker/CVETool Bot gentoo-dev 2014-12-27 02:01:47 UTC
CVE-2014-8418 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8418):
  The DB dialplan function in Asterisk Open Source 1.8.x before 1.8.32, 11.x
  before 11.1.4.1, 12.x before 12.7.1, and 13.x before 13.0.1 and Certified
  Asterisk 1.8 before 1.8.28-cert8 and 11.6 before 11.6-cert8 allows remote
  authenticated users to gain privileges via a call from an external protocol,
  as demonstrated by the AMI protocol.

CVE-2014-8417 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8417):
  ConfBridge in Asterisk 11.x before 11.14.1, 12.x before 12.7.1, and 13.x
  before 13.0.1 and Certified Asterisk 11.6 before 11.6-cert8 allows remote
  authenticated users to (1) gain privileges via vectors related to an
  external protocol to the CONFBRIDGE dialplan function or (2) execute
  arbitrary system commands via a crafted ConfbridgeStartRecord AMI action.

CVE-2014-8414 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8414):
  ConfBridge in Asterisk 11.x before 11.14.1 and Certified Asterisk 11.6
  before 11.6-cert8 does not properly handle state changes, which allows
  remote attackers to cause a denial of service (channel hang and memory
  consumption) by causing transitions to be delayed, which triggers a state
  change from hung up to waiting for media.

CVE-2014-8412 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8412):
  The (1) VoIP channel drivers, (2) DUNDi, and (3) Asterisk Manager Interface
  (AMI) in Asterisk Open Source 1.8.x before 1.8.32.1, 11.x before 11.14.1,
  12.x before 12.7.1, and 13.x before 13.0.1 and Certified Asterisk 1.8.28
  before 1.8.28-cert3 and 11.6 before 11.6-cert8 allows remote attackers to
  bypass the ACL restrictions via a packet with a source IP that does not
  share the address family as the first ACL entry.
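
An added example, not part of the bug report and not Asterisk code: going by the CVE-2014-8412 description above, a packet on an affected version bypasses the ACL when its source address family differs from that of the first ACL entry. This script audits `permit`/`deny` lists in an Asterisk-style config and reports, per section, the family of the first entry, the family that would therefore go unchecked, and whether the list mixes families. The sample config, its section names, and the helpers `parse_acls` and `audit` are constructed for illustration.

```python
import ipaddress

# Constructed sample in the style of an Asterisk .conf file (not from the bug report).
SAMPLE_CONF = """\
[general]
bindaddr=::                      ; non-ACL keys are ignored by the audit

[admin]                          ; constructed section name
deny=0.0.0.0/0.0.0.0
permit=192.0.2.0/255.255.255.0
deny=::/0
permit=2001:db8::/32

[trunk]
deny=0.0.0.0/0.0.0.0
permit=198.51.100.7/32
"""

def parse_acls(text):
    """Return {section: [(sense, ip_version), ...]} in file order."""
    acls, section = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()          # drop ';' comments
        if line.startswith("[") and "]" in line:
            section = line[1:line.index("]")]
        elif "=" in line and section is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            if key.lower() in ("permit", "deny"):
                # strict=False accepts host bits and dotted netmasks
                net = ipaddress.ip_network(value, strict=False)
                acls.setdefault(section, []).append((key.lower(), net.version))
    return acls

def audit(text):
    """Per ACL: first entry's family, the other family, and whether families are mixed."""
    report = {}
    for section, rules in parse_acls(text).items():
        first = rules[0][1]
        report[section] = {
            "first_family": first,                    # family the ACL is keyed to
            "unchecked_family": 6 if first == 4 else 4,
            "mixed": any(version != first for _, version in rules),
        }
    return report

if __name__ == "__main__":
    for name, info in audit(SAMPLE_CONF).items():
        print(name, info)
```

A section reported as `mixed` contains rules the administrator wrote for the family that the affected versions never check; single-family lists are still worth reviewing if the service accepts traffic over the other family.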
Comment 6 Kristian Fiskerstrand (RETIRED) gentoo-dev 2014-12-28 15:23:38 UTC
Added to existing GLSA draft along with bug 532242
Comment 7 GLSAMaker/CVETool Bot gentoo-dev 2014-12-28 19:08:33 UTC
This issue was resolved and addressed in
 GLSA 201412-51 at http://security.gentoo.org/glsa/glsa-201412-51.xml
by GLSA coordinator Kristian Fiskerstrand (K_F).