Gentoo Archives: gentoo-announce

From: Alex Legler <a3li@g.o>
To: gentoo-announce@l.g.o
Cc: bugtraq@×××××××××××××.com, full-disclosure@××××××××××××××.uk, security-alerts@×××××××××××××.com
Subject: [gentoo-announce] [ GLSA 201006-20 ] Asterisk: Multiple vulnerabilities
Date: Fri, 04 Jun 2010 06:46:33
Message-Id: 20100604071514.1dc3fdea@mail.a3li.li
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201006-20
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: Asterisk: Multiple vulnerabilities
Date: June 04, 2010
Bugs: #281107, #283624, #284892, #295270
ID: 201006-20

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities in Asterisk might allow remote attackers to
cause a Denial of Service condition, or conduct other attacks.

Background
==========

Asterisk is an open source telephony engine and toolkit.

Affected packages
=================

    -------------------------------------------------------------------
     Package                /  Vulnerable  /                 Unaffected
    -------------------------------------------------------------------
  1  net-misc/asterisk           < 1.2.37                   >= 1.2.37

Description
===========

Multiple vulnerabilities have been reported in Asterisk:

* Nick Baggott reported that Asterisk does not properly process
  overly long ASCII strings in various packets (CVE-2009-2726).

* Noam Rathaus and Blake Cornell reported a flaw in the IAX2 protocol
  implementation (CVE-2009-2346).

* amorsen reported an input processing error in the RTP protocol
  implementation (CVE-2009-4055).

* Patrik Karlsson reported an information disclosure flaw related to
  the REGISTER message (CVE-2009-3727).

* A vulnerability was found in the bundled Prototype JavaScript
  library, related to AJAX calls (CVE-2008-7220).

Impact
======

A remote attacker could exploit these vulnerabilities by sending
specially crafted packets, possibly causing a Denial of Service
condition or resulting in information disclosure.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Asterisk users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=net-misc/asterisk-1.2.37"

NOTE: This is a legacy GLSA. Updates for all affected architectures have
been available since January 5, 2010. It is likely that your system is
no longer affected by this issue.

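The upgrade step above names the fixed version; a practitioner also wants a quick way to tell whether a given host is still in the affected range. The following POSIX shell script is an added example, not code from the GLSA or from Gentoo's tooling: it compares Gentoo-style version strings (dotted numeric components plus an optional -rN ebuild revision; suffixes such as _p1 or _rc1 are not handled) against the 1.2.37 threshold and, optionally, reads the installed version from the Portage VDB. The /var/db/pkg/<category>/<pkg>-<version> layout is an assumption, and the version strings the demo prints verdicts for are constructed.

```shell
#!/bin/sh
# Added example, not part of the GLSA or of Gentoo's tooling: decide whether a
# net-misc/asterisk version string falls inside the affected range of
# GLSA 201006-20 (< 1.2.37).  vercmp() understands dotted numeric components
# and an optional Gentoo -rN revision.  The /var/db/pkg lookup is an
# assumption about the local Portage database layout; the version strings in
# the demo at the bottom are constructed.

# vercmp A B: print -1, 0 or 1 as A is older than, equal to or newer than B.
vercmp() {
    a=${1%%-r*}
    b=${2%%-r*}
    case $1 in *-r*) ra=${1##*-r} ;; *) ra=0 ;; esac
    case $2 in *-r*) rb=${2##*-r} ;; *) rb=0 ;; esac
    # Compare component by component; a missing component counts as 0,
    # so 1.2 and 1.2.0 are equal.
    while [ -n "$a" ] || [ -n "$b" ]; do
        ca=${a%%.*}
        cb=${b%%.*}
        if [ "$ca" = "$a" ]; then a=; else a=${a#*.}; fi
        if [ "$cb" = "$b" ]; then b=; else b=${b#*.}; fi
        if [ "${ca:-0}" -lt "${cb:-0}" ]; then printf '%s\n' -1; return 0; fi
        if [ "${ca:-0}" -gt "${cb:-0}" ]; then printf '%s\n' 1; return 0; fi
    done
    # Numeric parts equal: the ebuild revision decides.
    if [ "$ra" -lt "$rb" ]; then printf '%s\n' -1
    elif [ "$ra" -gt "$rb" ]; then printf '%s\n' 1
    else printf '%s\n' 0
    fi
}

# asterisk_affected VERSION: succeed (exit 0) when VERSION < 1.2.37.
asterisk_affected() {
    [ "$(vercmp "$1" 1.2.37)" = -1 ]
}

# installed_asterisk_version: print the version recorded in the Portage VDB
# (assumed layout /var/db/pkg/<category>/<pkg>-<version>/), or fail.
installed_asterisk_version() {
    for d in /var/db/pkg/net-misc/asterisk-[0-9]*; do
        [ -d "$d" ] || return 1
        printf '%s\n' "${d##*/asterisk-}"
        return 0
    done
    return 1
}

# report VERSION: print a verdict; exit status 1 when an upgrade is needed.
report() {
    if asterisk_affected "$1"; then
        printf 'net-misc/asterisk-%s: AFFECTED by GLSA 201006-20, upgrade to >= 1.2.37\n' "$1"
        return 1
    fi
    printf 'net-misc/asterisk-%s: not affected\n' "$1"
}

# Demo over constructed version strings, then the real installed version if any.
for v in 1.2.36 1.2.37 1.2.37-r1 1.4.26 1.6.2.1; do
    report "$v" || :
done
if inst=$(installed_asterisk_version); then
    report "$inst" || :
fi
```

On a real Gentoo host the stock check is `glsa-check -t all` from app-portage/gentoolkit, which applies the same version-range test to every published GLSA; the script above is only for confirming the range logic by hand or for checking a host where gentoolkit is not installed.
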
References
==========

[ 1 ] CVE-2009-2726
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2726
[ 2 ] CVE-2009-2346
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2346
[ 3 ] CVE-2009-4055
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4055
[ 4 ] CVE-2009-3727
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3727
[ 5 ] CVE-2008-7220
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-7220

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-201006-20.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@g.o or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2010 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5

Attachments

File name       MIME type
signature.asc   application/pgp-signature