Bug 1044204
| Summary: | Asterisk needs to be updated to pick up fixes to multiple security vulnerabilities | ||
|---|---|---|---|
| Product: | [Fedora] Fedora EPEL | Reporter: | Dave Miller <justdave> |
| Component: | asterisk | Assignee: | Jon Disnard <jdisnard> |
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | urgent | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | el6 | CC: | gbailey, jdisnard, jeff, pza, rbryant |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | asterisk-1.8.32.1-1.el6 | Doc Type: | Bug Fix |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2014-12-11 06:32:39 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 928780, 1002046, 1043923 | ||
| Bug Blocks: | |||
Looks like there's already multiple open bugs on this problem and it's been ignored since at least the end of March :| Resolved by 1074829 That one specific instance was. The overall issue appears to have actually been bug 1058057. But yeah, the point is I think this is fixed... although I tried to build 1.8.26.1 before it got posted and wound up having to rebuild a newer version of dahdi-tools to go with it, and I don't see the newer dahdi-tools in EPEL's repo, so I'm wondering how they built it without it? :-) asterisk-1.8.32.1-1.el6 has been submitted as an update for Fedora EPEL 6. https://admin.fedoraproject.org/updates/asterisk-1.8.32.1-1.el6 Package asterisk-1.8.32.1-1.el6: * should fix your issue, * was pushed to the Fedora EPEL 6 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=epel-testing asterisk-1.8.32.1-1.el6' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-EPEL-2014-4243/asterisk-1.8.32.1-1.el6 then log in and leave karma (feedback). asterisk-1.8.32.1-1.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report. |
Description of problem: The Asterisk packages available in EPEL are vulnerable to multiple security vulnerabilities dating back to February 2013. The packages need to be updated to pick up the fixes for these. The current Asterisk version on the 1.8 branch is 1.8.25.0. Version-Release number of selected component (if applicable): asterisk-1.8.20.0-1.el6.x86_64 The following security vulnerabilities affect the version of Asterisk currently included in EPEL: > http://downloads.asterisk.org/pub/security/AST-2013-002.html - [Major] Denial of Service in HTTP server > http://downloads.asterisk.org/pub/security/AST-2013-003.html - [Moderate] Username disclosure in SIP channel driver > http://downloads.asterisk.org/pub/security/AST-2013-004.html - [Major] Remote Crash From Late Arriving SIP ACK With SDP > http://downloads.asterisk.org/pub/security/AST-2013-005.html - [Major] Remote Crash when Invalid SDP is sent in SIP Request > http://downloads.asterisk.org/pub/security/AST-2013-006.html - [Major] Buffer Overflow when receiving odd length 16 bit SMS message > http://downloads.asterisk.org/pub/security/AST-2013-007.html - [Minor] Asterisk Manager User Dialplan Permission Escalation