Upstream advisories:
http://downloads.asterisk.org/pub/security/AST-2011-003.html
http://downloads.asterisk.org/pub/security/AST-2011-004.html

Rapidly opening manager connections, sending invalid data, and closing the connection can cause Asterisk to exhaust available CPU and memory resources. The manager interface is disabled by default.

Rapidly opening and closing TCP connections to services using the ast_tcptls_* API (primarily chan_sip, manager, and res_phoneprov) can cause Asterisk to crash after dereferencing a NULL pointer.
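Both advisories describe the same traffic pattern from the server's side: a single remote address opening and tearing down many short-lived sessions to an Asterisk listener. The following is an added example (not code from this bug or from Asterisk) of a sliding-window detector for that pattern, run over a constructed list of connection records; the record shape, the thresholds, and the use of 5038 as the manager port are this example's own assumptions.

```python
"""Flag sources that open many short-lived TCP sessions to one Asterisk port.

Added example for illustration; not part of the bug thread or of Asterisk.
Input records are constructed here (timestamp, source, dest port, duration).
Thresholds and the default port 5038 (manager interface) are assumptions.
"""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Conn:
    ts: float      # epoch seconds when the connection was accepted
    src: str       # remote address
    dport: int     # local service port
    dur: float     # seconds until the session was closed


AMI_PORT = 5038    # assumed default manager port
SHORT = 0.5        # sessions shorter than this count as "short" (seconds)
WINDOW = 10.0      # sliding window length in seconds
LIMIT = 20         # short sessions per window that count as a burst


def find_bursts(conns, port=AMI_PORT, short=SHORT, window=WINDOW, limit=LIMIT):
    """Return {src: ts} for each source whose short sessions to `port`
    reached `limit` within any `window` seconds; ts is when it crossed."""
    recent = defaultdict(deque)   # per-source timestamps inside the window
    flagged = {}
    for c in sorted(conns, key=lambda c: c.ts):
        if c.dport != port or c.dur > short:
            continue
        q = recent[c.src]
        q.append(c.ts)
        while q and c.ts - q[0] > window:   # drop timestamps that aged out
            q.popleft()
        if len(q) >= limit and c.src not in flagged:
            flagged[c.src] = c.ts
    return flagged


def sample_conns():
    """Constructed sample traffic: one source hammering the manager port,
    one normal manager client, one burst to a different port."""
    conns = []
    # 30 sessions of 0.05 s each over 3 s to the manager port
    conns += [Conn(1000.0 + i * 0.1, "203.0.113.5", 5038, 0.05) for i in range(30)]
    # 5 long-lived manager sessions spread over a minute
    conns += [Conn(1000.0 + i * 12, "198.51.100.7", 5038, 30.0) for i in range(5)]
    # 30 short sessions to port 5060; ignored when looking at 5038
    conns += [Conn(1000.0 + i * 0.1, "192.0.2.9", 5060, 0.05) for i in range(30)]
    return conns


if __name__ == "__main__":
    for src, ts in find_bursts(sample_conns()).items():
        print(f"burst from {src} at t={ts:.1f}")
```

Long-lived sessions are excluded before counting, so a busy but well-behaved manager client is not flagged; the same function run with `port=5060` covers the chan_sip listener the second advisory mentions.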
Adding CVE assignment per http://www.openwall.com/lists/oss-security/2011/03/21/12.

> > AST-2011-003:
> > http://downloads.asterisk.org/pub/security/AST-2011-003.pdf
> > - resource exhaustion DoS in Asterisk Manager Interface

http://downloads.asterisk.org/pub/security/AST-2011-003.html
Use CVE-2011-1174

> > AST-2011-004:
> > http://downloads.asterisk.org/pub/security/AST-2011-003.pdf
> > - DoS in TCP/TLS server due to NULL ptr deref

http://downloads.asterisk.org/pub/security/AST-2011-004.html
Use CVE-2011-1175
+*asterisk-1.8.3.2 (23 Mar 2011) + + 23 Mar 2011; Tony Vroon <chainsaw@gentoo.org> -asterisk-1.8.2.4.ebuild, + -asterisk-1.8.3.ebuild, +asterisk-1.8.3.2.ebuild: + Secure ebuild for the 1.8 branch; robustness fixes for the manager interface. + As per advisory AST-2011-003, a denial of service is possible through + resource exhaustion in previous versions. As per advisory AST-2011-004, it is + possible to cause a NULL pointer dereference by rapidly opening & closing + TCP/TLS connections. Removed insecure ebuilds.
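Review bot: the 1.8 ChangeLog entry cites the advisory IDs but neither the Gentoo bug nor the CVE identifiers assigned in the comment above, unlike the 1.6.2 entry that follows; for consistency, suggest appending "For security bug #359767" and naming CVE-2011-1174 and CVE-2011-1175 alongside AST-2011-003 and AST-2011-004.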
+*asterisk-1.6.2.17.2 (23 Mar 2011) + + 23 Mar 2011; Tony Vroon <chainsaw@gentoo.org> -asterisk-1.6.2.17.ebuild, + +asterisk-1.6.2.17.2.ebuild: + Secure ebuild for the 1.6.2 branch; robustness fixes for the manager + interface. As per advisory AST-2011-003, a denial of service is possible + through resource exhaustion in previous versions. As per advisory + AST-2011-004, it is possible to cause a NULL pointer dereference by rapidly + opening & closing TCP/TLS connections. Removed all but the last stable + ebuild. For security bug #359767 filed by Pawel Hajdan, Jr.
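Review bot: this entry references the bug but not the CVE identifiers that were already assigned above (CVE-2011-1174 and CVE-2011-1175); since the later removal entry does name them, suggest adding them here too so that both ebuild bumps are searchable by CVE.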
Arches, please test & mark stable (on the default configuration, you should be able to repeatedly start & stop the daemon) net-misc/asterisk-1.6.2.17.2 which obsoletes the insecure net-misc/asterisk-1.6.2.16.2-r2 ebuild. I do not expect this request to have any dependencies, but if it does, please proceed where possible.
amd64 ok
amd64 done, thanks Agostino
Looks good on x86. The two revdeps (net-misc/asterisk-chan_sccp & net-misc/asterisk-app_conference) do not compile, but that was already the case with the current stable asterisk...
x86 stable. Thanks Andreas
Thanks, folks. Added to existing GLSA request.
+ 23 Mar 2011; Tony Vroon <chainsaw@gentoo.org> -asterisk-1.6.2.16.2-r2.ebuild: + Remove vulnerable ebuild for CVE-2011-1174 & CVE-2011-1175 now that a secure + ebuild has been stabled.
CVE-2011-1175 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1175):
tcptls.c in the TCP/TLS server in Asterisk Open Source 1.6.1.x before 1.6.1.23, 1.6.2.x before 1.6.2.17.1, and 1.8.x before 1.8.3.1 allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) by establishing many short TCP sessions to services that use a certain TLS API.

CVE-2011-1174 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1174):
manager.c in Asterisk Open Source 1.6.1.x before 1.6.1.24, 1.6.2.x before 1.6.2.17.2, and 1.8.x before 1.8.3.2 allows remote attackers to cause a denial of service (CPU and memory consumption) via a series of manager sessions involving invalid data.
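The two CVEs have different fix points on each branch (1.6.2.17.1 closes CVE-2011-1175 but not CVE-2011-1174, which needs 1.6.2.17.2). The following is an added example, not part of this bug or of Gentoo's tooling, that encodes the NVD ranges quoted above and checks an installed version string against them; the function and dictionary names are this example's own.

```python
"""Check an Asterisk version string against the affected ranges NVD lists for
CVE-2011-1174 and CVE-2011-1175.

Added example; the ranges are copied from the NVD text quoted in this bug,
the helper names are this example's own.
"""


def parse_version(v):
    """'1.6.2.17.2' -> (1, 6, 2, 17, 2); tuples compare component-wise."""
    return tuple(int(p) for p in v.split("."))


# branch prefix -> first fixed release on that branch, per CVE (from NVD)
FIXED = {
    "CVE-2011-1174": {
        (1, 6, 1): (1, 6, 1, 24),
        (1, 6, 2): (1, 6, 2, 17, 2),
        (1, 8): (1, 8, 3, 2),
    },
    "CVE-2011-1175": {
        (1, 6, 1): (1, 6, 1, 23),
        (1, 6, 2): (1, 6, 2, 17, 1),
        (1, 8): (1, 8, 3, 1),
    },
}


def is_affected(version, cve):
    """True if `version` lies on a branch NVD names and is older than that
    branch's first fixed release. Other branches return False because the
    quoted NVD text says nothing about them."""
    v = parse_version(version)
    for branch, fixed in FIXED[cve].items():
        if v[:len(branch)] == branch:
            return v < fixed
    return False


def affected_cves(version):
    """All CVEs from FIXED that still apply to `version`."""
    return sorted(cve for cve in FIXED if is_affected(version, cve))


if __name__ == "__main__":
    for ver in ("1.6.2.16.2", "1.6.2.17.1", "1.6.2.17.2", "1.8.3", "1.8.3.2"):
        print(ver, affected_cves(ver) or "not affected")
```

A bare "1.8.3" parses to (1, 8, 3), which sorts below (1, 8, 3, 1), so the tuple comparison gives the intended answer for releases without a fourth component.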
This issue was resolved and addressed in GLSA 201110-21 at http://security.gentoo.org/glsa/glsa-201110-21.xml by GLSA coordinator Tim Sammut (underling).