From: Robert Buchholz <rbu@g.o>
To: gentoo-announce@l.g.o
Cc: bugtraq@×××××××××××××.com, full-disclosure@××××××××××××××.uk, security-alerts@×××××××××××××.com
Subject: [gentoo-announce] [ GLSA 200905-01 ] Asterisk: Multiple vulnerabilities
Date: Sat, 02 May 2009 17:57:44
Message-Id: 200905021954.55063.rbu@gentoo.org
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 200905-01
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: Asterisk: Multiple vulnerabilities
Date: May 02, 2009
Bugs: #218966, #224835, #232696, #232698, #237476, #250748,
      #254304
ID: 200905-01

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been found in Asterisk allowing for
Denial of Service and username disclosure.

Background
==========

Asterisk is an open source telephony engine and toolkit.

Affected packages
=================

    -------------------------------------------------------------------
     Package                      /  Vulnerable  /      Unaffected
    -------------------------------------------------------------------
  1  net-misc/asterisk                < 1.2.32          >= 1.2.32

Description
===========

Multiple vulnerabilities have been discovered in the IAX2 channel
driver when performing the 3-way handshake (CVE-2008-1897), when
handling a large number of POKE requests (CVE-2008-3263), when handling
authentication attempts (CVE-2008-5558) and when handling firmware
download (FWDOWNL) requests (CVE-2008-3264). Asterisk also does not
correctly handle SIP INVITE messages that lack a "From" header
(CVE-2008-2119), and responds differently to a failed login attempt
depending on whether the user account exists (CVE-2008-3903,
CVE-2009-0041).

Impact
======

Remote unauthenticated attackers could send specially crafted data to
Asterisk, possibly resulting in a Denial of Service via a daemon crash,
call-number exhaustion, CPU or traffic consumption. Remote
unauthenticated attackers could furthermore enumerate valid usernames
to facilitate brute force login attempts.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Asterisk users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=net-misc/asterisk-1.2.32"
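
The check an administrator wants before and after running the commands above is whether the installed net-misc/asterisk actually falls in the advisory's vulnerable range (< 1.2.32). The script below is an added example, not part of the GLSA or of Gentoo's own tooling: it parses installed-package atoms in the category/name-version form (the sample input is constructed; the format is assumed to match what tools such as `qlist -Iv` print) and compares the version against the unaffected lower bound. The comparator is a deliberately small re-implementation covering dotted numeric versions plus an optional -rN revision; on a real system Portage's `portage.versions.vercmp`, which also handles letter and _alpha/_beta/_rc/_p suffixes, should be used instead.

```python
"""Flag installed net-misc/asterisk versions inside the vulnerable range of
GLSA 200905-01 (Vulnerable: < 1.2.32, Unaffected: >= 1.2.32).

Added example, not part of the advisory or of Gentoo's tooling. The
comparator is a simplified stand-in for portage.versions.vercmp and only
understands dotted numeric versions with an optional Gentoo revision (-rN).
"""
import re
from typing import Iterable, List, Tuple, Union

PACKAGE = "net-misc/asterisk"
UNAFFECTED_FROM = "1.2.32"   # lower bound of the unaffected range in the GLSA

# category/name-version: the version is the part after the last "-<digit>".
_ATOM_RE = re.compile(r"^(?P<name>.+?)-(?P<ver>\d+(?:\.\d+)*(?:-r\d+)?)$")

# Constructed sample of installed-package output, one atom per line, in the
# category/name-version form printed by tools such as `qlist -Iv` (assumed).
SAMPLE_INSTALLED = """\
app-shells/bash-3.2_p39
net-misc/asterisk-1.2.31-r1
net-misc/openssh-5.2_p1-r1
"""


def parse_version(ver: str) -> Tuple[Tuple[int, ...], int]:
    """'1.2.31-r1' -> ((1, 2, 31), 1). A missing revision counts as -r0."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:-r(\d+))?", ver)
    if m is None:
        # Refuse rather than misjudge suffixes this toy comparator cannot order.
        raise ValueError(f"unsupported version syntax: {ver!r}")
    nums = tuple(int(p) for p in m.group(1).split("."))
    return nums, int(m.group(2) or 0)


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 as a is lower than, equal to or higher than b.

    Components are compared numerically and shorter versions are padded with
    zeros, so 1.2 == 1.2.0 and 1.2.9 < 1.2.32 (a string compare gets the
    latter wrong, which is exactly the mistake that hides a vulnerable build).
    """
    (na, ra), (nb, rb) = parse_version(a), parse_version(b)
    width = max(len(na), len(nb))
    ka = na + (0,) * (width - len(na)) + (ra,)
    kb = nb + (0,) * (width - len(nb)) + (rb,)
    return (ka > kb) - (ka < kb)


def is_vulnerable(ver: str) -> bool:
    """True when ver lies below the advisory's unaffected lower bound."""
    return compare_versions(ver, UNAFFECTED_FROM) < 0


def split_atom(atom: str) -> Tuple[str, str]:
    """'net-misc/asterisk-1.2.31-r1' -> ('net-misc/asterisk', '1.2.31-r1')."""
    m = _ATOM_RE.match(atom.strip())
    if m is None:
        raise ValueError(f"not a versioned atom: {atom!r}")
    return m.group("name"), m.group("ver")


def check_installed(lines: Union[str, Iterable[str]]) -> List[Tuple[str, bool]]:
    """Return (atom, vulnerable) for every installed net-misc/asterisk entry.

    Other packages are skipped, so an empty result means Asterisk is not
    installed at all (and the advisory does not apply).
    """
    if isinstance(lines, str):
        lines = lines.splitlines()
    results = []
    for line in lines:
        line = line.strip()
        if not line.startswith(PACKAGE + "-"):
            continue
        _name, ver = split_atom(line)
        results.append((line, is_vulnerable(ver)))
    return results


if __name__ == "__main__":
    for atom, vuln in check_installed(SAMPLE_INSTALLED):
        if vuln:
            print(f"{atom}: VULNERABLE, upgrade to >={PACKAGE}-{UNAFFECTED_FROM}")
        else:
            print(f"{atom}: unaffected")
```

Feed it real output (`qlist -Iv | python3 check_asterisk.py`-style, reading stdin instead of the constructed sample) and an empty result means the package is not installed; a `ValueError` means the installed version uses a suffix this simplified comparator does not order, in which case fall back to Portage's comparator rather than guessing.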

References
==========

[ 1 ] CVE-2008-1897
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1897
[ 2 ] CVE-2008-2119
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2119
[ 3 ] CVE-2008-3263
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3263
[ 4 ] CVE-2008-3264
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3264
[ 5 ] CVE-2008-3903
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3903
[ 6 ] CVE-2008-5558
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5558
[ 7 ] CVE-2009-0041
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0041

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200905-01.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@g.o or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2009 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5
