[gentoo-announce] [ GLSA 201405-05 ] Asterisk: Denial of Service - gentoo-announce

From:	Sergey Popov <pinkbyte@g.o>
To:	gentoo-announce@g.o
Subject:	[gentoo-announce] [ GLSA 201405-05 ] Asterisk: Denial of Service
Date:	Sat, 03 May 2014 19:18:35
Message-Id:	`53653A84.2070404@gentoo.org`

1

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

2

Gentoo Linux Security Advisory                           GLSA 201405-05

3

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

4

                                            http://security.gentoo.org/

5

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

6

7

 Severity: Normal

8

    Title: Asterisk: Denial of Service

9

     Date: May 03, 2014

10

     Bugs: #504180

11

       ID: 201405-05

12

13

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

14

15

Synopsis

16

========

17

18

Multiple buffer overflows in Asterisk might allow remote attackers to

19

cause a Denial of Service condition.

20

21

Background

22

==========

23

24

Asterisk is an open source telephony engine and toolkit.

25

26

Affected packages

27

=================

28

29

    -------------------------------------------------------------------

30

     Package              /     Vulnerable     /            Unaffected

31

    -------------------------------------------------------------------

32

  1  net-misc/asterisk            < 11.8.1               *>= 1.8.26.1

33

                                                            >= 11.8.1

34

35

Description

36

===========

37

38

Multiple vulnerabilities have been discovered in Asterisk. Please

39

review the CVE identifiers and Asterisk Project Security Advisories

40

referenced below for details.

41

42

Impact

43

======

44

45

A remote attacker could possibly cause a Denial of Service condition.

46

47

Workaround

48

==========

49

50

There is no known workaround at this time.

51

52

Resolution

53

==========

54

55

All Asterisk 11.* users should upgrade to the latest version:

56

57

  # emerge --sync

58

  # emerge --ask --oneshot --verbose ">=net-misc/asterisk-11.8.1"

59

60

All Asterisk 1.8.* users should upgrade to the latest version:

61

62

  # emerge --sync

63

  # emerge --ask --oneshot --verbose ">=net-misc/asterisk-1.8.26.1"

64

65

References

66

==========

67

68

[ 1 ] AST-2014-001

69

      http://downloads.asterisk.org/pub/security/AST-2014-001.pdf

70

[ 2 ] AST-2014-002

71

      http://downloads.asterisk.org/pub/security/AST-2014-002.pdf

72

[ 3 ] AST-2014-003

73

      http://downloads.asterisk.org/pub/security/AST-2014-003.pdf

74

[ 4 ] AST-2014-004

75

      http://downloads.asterisk.org/pub/security/AST-2014-004.pdf

76

[ 5 ] CVE-2014-2286

77

      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2286

78

[ 6 ] CVE-2014-2287

79

      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2287

80

[ 7 ] CVE-2014-2288

81

      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2288

82

[ 8 ] CVE-2014-2289

83

      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2289

84

85

Availability

86

============

87

88

This GLSA and any updates to it are available for viewing at

89

the Gentoo Security Website:

90

91

 http://security.gentoo.org/glsa/glsa-201405-05.xml

92

93

Concerns?

94

=========

95

96

Security is a primary focus of Gentoo Linux and ensuring the

97

confidentiality and security of our users' machines is of utmost

98

importance to us. Any security concerns should be addressed to

99

security@g.o or alternatively, you may file a bug at

100

https://bugs.gentoo.org.

101

102

License

103

=======

104

105

Copyright 2014 Gentoo Foundation, Inc; referenced text

106

belongs to its owner(s).

107

108

The contents of this document are licensed under the

109

Creative Commons - Attribution / Share Alike license.

110

111

http://creativecommons.org/licenses/by-sa/2.5

Gentoo Archives: gentoo-announce

Attachments

1	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2	Gentoo Linux Security Advisory GLSA 201405-05
3	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
4	http://security.gentoo.org/
5	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
6
7	Severity: Normal
8	Title: Asterisk: Denial of Service
9	Date: May 03, 2014
10	Bugs: #504180
11	ID: 201405-05
12
13	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
14
15	Synopsis
16	========
17
18	Multiple buffer overflows in Asterisk might allow remote attackers to
19	cause a Denial of Service condition.
20
21	Background
22	==========
23
24	Asterisk is an open source telephony engine and toolkit.
25
26	Affected packages
27	=================
28
29	-------------------------------------------------------------------
30	Package / Vulnerable / Unaffected
31	-------------------------------------------------------------------
32	1 net-misc/asterisk < 11.8.1 *>= 1.8.26.1
33	>= 11.8.1
34
35	Description
36	===========
37
38	Multiple vulnerabilities have been discovered in Asterisk. Please
39	review the CVE identifiers and Asterisk Project Security Advisories
40	referenced below for details.
41
42	Impact
43	======
44
45	A remote attacker could possibly cause a Denial of Service condition.
46
47	Workaround
48	==========
49
50	There is no known workaround at this time.
51
52	Resolution
53	==========
54
55	All Asterisk 11.* users should upgrade to the latest version:
56
57	# emerge --sync
58	# emerge --ask --oneshot --verbose ">=net-misc/asterisk-11.8.1"
59
60	All Asterisk 1.8.* users should upgrade to the latest version:
61
62	# emerge --sync
63	# emerge --ask --oneshot --verbose ">=net-misc/asterisk-1.8.26.1"
64
65	References
66	==========
67
68	[ 1 ] AST-2014-001
69	http://downloads.asterisk.org/pub/security/AST-2014-001.pdf
70	[ 2 ] AST-2014-002
71	http://downloads.asterisk.org/pub/security/AST-2014-002.pdf
72	[ 3 ] AST-2014-003
73	http://downloads.asterisk.org/pub/security/AST-2014-003.pdf
74	[ 4 ] AST-2014-004
75	http://downloads.asterisk.org/pub/security/AST-2014-004.pdf
76	[ 5 ] CVE-2014-2286
77	http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2286
78	[ 6 ] CVE-2014-2287
79	http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2287
80	[ 7 ] CVE-2014-2288
81	http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2288
82	[ 8 ] CVE-2014-2289
83	http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2289
84
85	Availability
86	============
87
88	This GLSA and any updates to it are available for viewing at
89	the Gentoo Security Website:
90
91	http://security.gentoo.org/glsa/glsa-201405-05.xml
92
93	Concerns?
94	=========
95
96	Security is a primary focus of Gentoo Linux and ensuring the
97	confidentiality and security of our users' machines is of utmost
98	importance to us. Any security concerns should be addressed to
99	security@g.o or alternatively, you may file a bug at
100	https://bugs.gentoo.org.
101
102	License
103	=======
104
105	Copyright 2014 Gentoo Foundation, Inc; referenced text
106	belongs to its owner(s).
107
108	The contents of this document are licensed under the
109	Creative Commons - Attribution / Share Alike license.
110
111	http://creativecommons.org/licenses/by-sa/2.5