Package name: asterisk
Date: 2013-04-10
Advisory ID: MDVSA-2013:140
Affected versions: MBS1 x86_64

Problem description

Multiple vulnerabilities were identified and fixed in asterisk:

The SIP channel driver in Asterisk Open Source 1.8.x before 1.8.20.2,
10.x before 10.12.2, and 11.x before 11.2.2; Certified Asterisk
1.8.15 before 1.8.15-cert2; Asterisk Business Edition (BE) C.3.x
before C.3.8.1; and Asterisk Digiumphones 10.x-digiumphones before
10.12.2-digiumphones exhibits different behavior for invalid INVITE,
SUBSCRIBE, and REGISTER transactions depending on whether the user
account exists, which allows remote attackers to enumerate account
names by (1) reading HTTP status codes, (2) reading additional text
in a 403 (aka Forbidden) response, or (3) observing whether certain
retransmissions occur (CVE-2013-2264).

Stack-based buffer overflow in res/res_format_attr_h264.c in Asterisk
Open Source 11.x before 11.2.2 allows remote attackers to execute
arbitrary code via a long sprop-parameter-sets H.264 media attribute
in a SIP Session Description Protocol (SDP) header (CVE-2013-2685).

main/http.c in the HTTP server in Asterisk Open Source 1.8.x before
1.8.20.2, 10.x before 10.12.2, and 11.x before 11.2.2; Certified
Asterisk 1.8.15 before 1.8.15-cert2; and Asterisk Digiumphones
10.x-digiumphones before 10.12.2-digiumphones does not properly
restrict Content-Length values, which allows remote attackers to
conduct stack-consumption attacks and cause a denial of service (daemon
crash) via a crafted HTTP POST request. NOTE: this vulnerability
exists because of an incorrect fix for CVE-2012-5976 (CVE-2013-2686).

The updated packages have been upgraded to version 11.2.2, which is
not vulnerable to these issues.
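The three CVEs above share most of their affected ranges but not all of them: CVE-2013-2685 is confined to 11.x, while the other two also cover 1.8.x and 10.x. The following is an added example (not part of the advisory, nor Asterisk or Mandriva code) that turns the advisory's version ranges into a lookup so an administrator can map an installed Asterisk Open Source version to the CVEs that apply. It models only the numeric Open Source branches named above; Certified, Business Edition and Digiumphones builds use suffixed version strings and are deliberately reported as out of scope rather than guessed at.

```python
"""Decide whether an Asterisk Open Source release string falls inside the
affected ranges quoted in MDVSA-2013:140.
Added example; not advisory, Asterisk or Mandriva code."""
from typing import List, Optional

# First fixed release per Open Source branch, as stated in the advisory text.
FIXED_BY_BRANCH = {
    (1, 8): (1, 8, 20, 2),
    (10,): (10, 12, 2),
    (11,): (11, 2, 2),
}

# Advisory CVEs and the Open Source branches each one affects.
CVE_BRANCHES = {
    "CVE-2013-2264": {(1, 8), (10,), (11,)},
    "CVE-2013-2685": {(11,)},            # advisory names 11.x only
    "CVE-2013-2686": {(1, 8), (10,), (11,)},
}


def parse_version(text: str) -> tuple:
    """'1.8.20.1' -> (1, 8, 20, 1); raises ValueError on non-numeric parts."""
    return tuple(int(part) for part in text.strip().split("."))


def branch_of(version: tuple) -> Optional[tuple]:
    """Map a version tuple to the advisory branch it belongs to, or None."""
    if version[:2] == (1, 8):
        return (1, 8)
    if version[:1] in ((10,), (11,)):
        return version[:1]
    return None


def affected_cves(version_text: str) -> Optional[List[str]]:
    """Return the advisory CVEs that apply to version_text; an empty list if
    the release is at or past the fixed version; None when the string is
    outside this advisory's scope (other branches, or suffixed Certified /
    Business Edition / Digiumphones strings, which are not modelled)."""
    text = version_text.strip()
    if "-" in text:                      # e.g. '1.8.15-cert2': not modelled
        return None
    try:
        version = parse_version(text)
    except ValueError:                   # e.g. 'C.3.8.1': not modelled
        return None
    branch = branch_of(version)
    if branch is None:
        return None
    if version >= FIXED_BY_BRANCH[branch]:
        return []
    return sorted(cve for cve, branches in CVE_BRANCHES.items()
                  if branch in branches)


if __name__ == "__main__":
    for sample in ("1.8.19.1", "10.12.1", "11.2.1", "11.2.2", "1.8.15-cert1"):
        print(sample, affected_cves(sample))
```

Tuple comparison gives the ordering the advisory uses (1.8.19.1 sorts before 1.8.20.2 because the third component is smaller), so no string comparison of version numbers is involved. A `None` result means "not covered by this advisory", not "safe"; such hosts should be checked against the vendor's own advisory for their branch.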

Updated packages

MBS1 x86_64

 a54f9c52287911d3009b9a4a63b0d9b5  mbs1/x86_64/asterisk-11.2.2-1.mbs1.x86_64.rpm
 bcb912383884c79bb03fff129c5e73a2  mbs1/x86_64/asterisk-addons-11.2.2-1.mbs1.x86_64.rpm
 df3e731ab622828d3fc24ce2d6d8ff05  mbs1/x86_64/asterisk-devel-11.2.2-1.mbs1.x86_64.rpm
 6f50863ffe38eb34af0c815d1f72ed8e  mbs1/x86_64/asterisk-firmware-11.2.2-1.mbs1.x86_64.rpm
 c9e37bd25faa73c7db9a80add5f4c41a  mbs1/x86_64/asterisk-plugins-alsa-11.2.2-1.mbs1.x86_64.rpm
 4ca4658e6c0789c9b1a8d08a35508127  mbs1/x86_64/asterisk-plugins-calendar-11.2.2-1.mbs1.x86_64.rpm
 0422472f189ed9cc7b321d6aa545d083  mbs1/x86_64/asterisk-plugins-cel-11.2.2-1.mbs1.x86_64.rpm
 7120a68c9917f2089bcc0573e61814af  mbs1/x86_64/asterisk-plugins-corosync-11.2.2-1.mbs1.x86_64.rpm
 229099ec3eb0ec8c9a158cd12b3c7381  mbs1/x86_64/asterisk-plugins-curl-11.2.2-1.mbs1.x86_64.rpm
 0df35ef09a290759c86d2f83dc493317  mbs1/x86_64/asterisk-plugins-dahdi-11.2.2-1.mbs1.x86_64.rpm
 fca23ba0184fca97687de135bc6db938  mbs1/x86_64/asterisk-plugins-fax-11.2.2-1.mbs1.x86_64.rpm
 e8ef64d157e89569a24642df5ecd218d  mbs1/x86_64/asterisk-plugins-festival-11.2.2-1.mbs1.x86_64.rpm
 dae0d37e87a647e9dcf7c103b2d75936  mbs1/x86_64/asterisk-plugins-ices-11.2.2-1.mbs1.x86_64.rpm
 6003a92d49063d384f64557102de45a0  mbs1/x86_64/asterisk-plugins-jabber-11.2.2-1.mbs1.x86_64.rpm
 7f24a0975072b8267514594124c59ab9  mbs1/x86_64/asterisk-plugins-jack-11.2.2-1.mbs1.x86_64.rpm
 18c95e28ed7e2030296f89a228bb3866  mbs1/x86_64/asterisk-plugins-ldap-11.2.2-1.mbs1.x86_64.rpm
 74d80afb084ae84a1d03df32fa150eeb  mbs1/x86_64/asterisk-plugins-lua-11.2.2-1.mbs1.x86_64.rpm
 34b054b98623abbef21308ff2ae9ce8e  mbs1/x86_64/asterisk-plugins-minivm-11.2.2-1.mbs1.x86_64.rpm
 3f5ec5d48595ce72b732e7041a221e5e  mbs1/x86_64/asterisk-plugins-mobile-11.2.2-1.mbs1.x86_64.rpm
 c8dd361926bbf937381f38dd52b2c033  mbs1/x86_64/asterisk-plugins-mp3-11.2.2-1.mbs1.x86_64.rpm
 18a3412d113e67bf89a1c7ccde2d6580  mbs1/x86_64/asterisk-plugins-mysql-11.2.2-1.mbs1.x86_64.rpm
 73fa8038d86571a80a5bce4811a98186  mbs1/x86_64/asterisk-plugins-ooh323-11.2.2-1.mbs1.x86_64.rpm
 825402b29cfba17e1927e732d9d5ec58  mbs1/x86_64/asterisk-plugins-osp-11.2.2-1.mbs1.x86_64.rpm
 0c324752f143577ab5ec722519c92144  mbs1/x86_64/asterisk-plugins-oss-11.2.2-1.mbs1.x86_64.rpm
 1ebf4f1ac970416960f0fe3507d94d40  mbs1/x86_64/asterisk-plugins-pgsql-11.2.2-1.mbs1.x86_64.rpm
 17d23d345b78b40f91ac28ccf4adbcd6  mbs1/x86_64/asterisk-plugins-pktccops-11.2.2-1.mbs1.x86_64.rpm
 548eb2863e0d867a2b6e2c40318ec435  mbs1/x86_64/asterisk-plugins-portaudio-11.2.2-1.mbs1.x86_64.rpm
 cb48575342032fcfd0a5a65a6ad2623f  mbs1/x86_64/asterisk-plugins-radius-11.2.2-1.mbs1.x86_64.rpm
 400248688a8f1d52971bfb4699e369b0  mbs1/x86_64/asterisk-plugins-saycountpl-11.2.2-1.mbs1.x86_64.rpm
 07bcb252b9149c9fc9a649313ae37537  mbs1/x86_64/asterisk-plugins-skinny-11.2.2-1.mbs1.x86_64.rpm
 5bdaeac4b6f9b137407c3de3ddf2b689  mbs1/x86_64/asterisk-plugins-snmp-11.2.2-1.mbs1.x86_64.rpm
 e5a514d2bb105e1d6dfc97a8cdb88d2c  mbs1/x86_64/asterisk-plugins-speex-11.2.2-1.mbs1.x86_64.rpm
 90bb6435b54c96d12a81a5545e77f8bd  mbs1/x86_64/asterisk-plugins-sqlite-11.2.2-1.mbs1.x86_64.rpm
 2f74005d5ce692d239ea34513c40acaa  mbs1/x86_64/asterisk-plugins-tds-11.2.2-1.mbs1.x86_64.rpm
 4fdef5ff76eb88108fb0a8db7dcc78be  mbs1/x86_64/asterisk-plugins-unistim-11.2.2-1.mbs1.x86_64.rpm
 5c713b0ade322da6da36502bbc54934a  mbs1/x86_64/asterisk-plugins-voicemail-11.2.2-1.mbs1.x86_64.rpm
 ef051b35a2cda8e1d7cbe09681b24d28  mbs1/x86_64/asterisk-plugins-voicemail-imap-11.2.2-1.mbs1.x86_64.rpm
 94bc9b4c92f2021240fead1b63a7708d  mbs1/x86_64/asterisk-plugins-voicemail-plain-11.2.2-1.mbs1.x86_64.rpm
 49a4eddca35fa01f473ede3103700470  mbs1/x86_64/lib64asteriskssl1-11.2.2-1.mbs1.x86_64.rpm
 ae5eddf71c3f1964a07635ab0a3e23a5  mbs1/SRPMS/asterisk-11.2.2-1.mbs1.src.rpm
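The listing above is in `md5sum  path` form, so the check an administrator wants before installing is a comparison of each downloaded RPM against the published sum. The following is an added example (not advisory or Mandriva code) that parses a listing in that format and reports each package as matching, mismatching or missing from the download directory. The `demo_in_tempdir` function runs the same logic on constructed files with constructed names and sums so the block executes offline; for a real run, pass the advisory text and the download root to `verify_packages` directly.

```python
"""Verify downloaded packages against an advisory's 'md5sum  path' listing.
Added example; not advisory or Mandriva code."""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict

HEX_DIGITS = set("0123456789abcdef")


def parse_listing(text: str) -> Dict[str, str]:
    """Extract {relative_path: md5hex} from advisory text. Lines that are not
    a 32-hex-digit sum followed by one path (headings, blanks) are ignored."""
    entries = {}
    for line in text.splitlines():
        parts = line.split()
        if (len(parts) == 2 and len(parts[0]) == 32
                and set(parts[0].lower()) <= HEX_DIGITS):
            entries[parts[1]] = parts[0].lower()
    return entries


def md5_of_file(path: Path) -> str:
    """Stream the file through MD5 so large RPMs are not read into memory."""
    digest = hashlib.md5()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_packages(listing_text: str, download_root) -> Dict[str, str]:
    """Return {path: 'ok' | 'MISMATCH' | 'MISSING'} for every listed package,
    resolving each listed path relative to download_root."""
    root = Path(download_root)
    results = {}
    for rel_path, expected in parse_listing(listing_text).items():
        target = root / rel_path
        if not target.is_file():
            results[rel_path] = "MISSING"
        elif md5_of_file(target) == expected:
            results[rel_path] = "ok"
        else:
            results[rel_path] = "MISMATCH"
    return results


def demo_in_tempdir() -> Dict[str, str]:
    """Offline run on constructed files: one matching, one tampered, one
    absent. Package names and sums below are constructed for the demo
    (5d41... is md5(b'hello'); the zero sum cannot match any file)."""
    listing = """
Updated packages

MBS1 x86_64

 5d41402abc4b2a76b9719d911017c592  mbs1/x86_64/example-good.rpm
 00000000000000000000000000000000  mbs1/x86_64/example-bad.rpm
 d41d8cd98f00b204e9800998ecf8427e  mbs1/x86_64/example-absent.rpm
"""
    with tempfile.TemporaryDirectory() as tmp:
        pkgdir = Path(tmp) / "mbs1" / "x86_64"
        pkgdir.mkdir(parents=True)
        (pkgdir / "example-good.rpm").write_bytes(b"hello")      # matches listing
        (pkgdir / "example-bad.rpm").write_bytes(b"tampered")    # does not match
        return verify_packages(listing, tmp)


if __name__ == "__main__":
    for rel_path, status in demo_in_tempdir().items():
        print(f"{status:8s} {rel_path}")
```

Matching the published MD5 confirms only that the download is the file the advisory describes; it is not an authenticity check, since MD5 collisions are practical. Package authenticity on an RPM system rests on the vendor's GPG signature, which `rpm -K <file>` verifies once the distribution key is imported, so both checks belong in the pre-install routine.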

References