Gentoo Archives: gentoo-announce

From: Sergey Popov <pinkbyte@g.o>
To: gentoo-announce@g.o
Subject: [gentoo-announce] [ GLSA 201401-15 ] Asterisk: Multiple vulnerabilities
Date: Tue, 21 Jan 2014 04:42:31
Message-Id: 52DDFA3A.5020800@gentoo.org
1 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2 Gentoo Linux Security Advisory GLSA 201401-15
3 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
4 http://security.gentoo.org/
5 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
6
7 Severity: High
8 Title: Asterisk: Multiple vulnerabilities
9 Date: January 21, 2014
10 Bugs: #449828, #463622, #482776, #494630
11 ID: 201401-15
12
13 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
14
15 Synopsis
16 ========
17
18 Multiple vulnerabilities have been found in Asterisk, the worst of
19 which may allow execution of arbitrary code.
20
21 Background
22 ==========
23
24 Asterisk is an open source telephony engine and toolkit.
25
26 Affected packages
27 =================
28
29 -------------------------------------------------------------------
30 Package / Vulnerable / Unaffected
31 -------------------------------------------------------------------
32 1 net-misc/asterisk < 11.7.0 *>= 1.8.25.0
33 >= 11.7.0
34
35 Description
36 ===========
37
38 Multiple vulnerabilities have been discovered in Asterisk. Please
39 review the CVE identifiers referenced below for details.
40
41 Impact
42 ======
43
44 A remote attacker could execute arbitrary code with the privileges of
45 the process, cause a Denial of Service condition, or obtain sensitive
46 information.
47
48 Workaround
49 ==========
50
51 There is no known workaround at this time.
52
53 Resolution
54 ==========
55
56 All Asterisk 11.* users should upgrade to the latest version:
57
58 # emerge --sync
59 # emerge --ask --oneshot --verbose ">=net-misc/asterisk-11.7.0"
60
61 All Asterisk 1.8.* users should upgrade to the latest version:
62
63 # emerge --sync
64 # emerge --ask --oneshot --verbose ">=net-misc/asterisk-1.8.25.0"
65
66 References
67 ==========
68
69 [ 1 ] CVE-2012-5976
70 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5976
71 [ 2 ] CVE-2012-5977
72 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5977
73 [ 3 ] CVE-2013-2264
74 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2264
75 [ 4 ] CVE-2013-2685
76 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2685
77 [ 5 ] CVE-2013-2686
78 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2686
79 [ 6 ] CVE-2013-5641
80 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5641
81 [ 7 ] CVE-2013-5642
82 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5642
83 [ 8 ] CVE-2013-7100
84 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-7100
85
86 Availability
87 ============
88
89 This GLSA and any updates to it are available for viewing at
90 the Gentoo Security Website:
91
92 http://security.gentoo.org/glsa/glsa-201401-15.xml
93
94 Concerns?
95 =========
96
97 Security is a primary focus of Gentoo Linux and ensuring the
98 confidentiality and security of our users' machines is of utmost
99 importance to us. Any security concerns should be addressed to
100 security@g.o or alternatively, you may file a bug at
101 https://bugs.gentoo.org.
102
103 License
104 =======
105
106 Copyright 2014 Gentoo Foundation, Inc; referenced text
107 belongs to its owner(s).
108
109 The contents of this document are licensed under the
110 Creative Commons - Attribution / Share Alike license.
111
112 http://creativecommons.org/licenses/by-sa/2.5

Attachments

File name MIME type
signature.asc application/pgp-signature