Bug 1044204

Summary: Asterisk needs to be updated to pick up fixes to multiple security vulnerabilities
Product: [Fedora] Fedora EPEL Reporter: Dave Miller <justdave>
Component: asteriskAssignee: Jon Disnard <jdisnard>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: urgent Docs Contact:
Priority: unspecified    
Version: el6CC: gbailey, jdisnard, jeff, pza, rbryant
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Fixed In Version: asterisk- Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2014-12-11 06:32:39 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On: 928780, 1002046, 1043923    
Bug Blocks:    

Description Dave Miller 2013-12-17 22:03:17 UTC
Description of problem:
The Asterisk packages available in EPEL are vulnerable to multiple security vulnerabilities dating back to February 2013.  The packages need to be updated to pick up the fixes for these.  The current Asterisk version on the 1.8 branch is

Version-Release number of selected component (if applicable):

The following security vulnerabilities affect the version of Asterisk currently included in EPEL:

> http://downloads.asterisk.org/pub/security/AST-2013-002.html - [Major] Denial of Service in HTTP server 
> http://downloads.asterisk.org/pub/security/AST-2013-003.html - [Moderate] Username disclosure in SIP channel driver
> http://downloads.asterisk.org/pub/security/AST-2013-004.html - [Major] Remote Crash From Late Arriving SIP ACK With SDP
> http://downloads.asterisk.org/pub/security/AST-2013-005.html - [Major] Remote Crash when Invalid SDP is sent in SIP Request
> http://downloads.asterisk.org/pub/security/AST-2013-006.html - [Major] Buffer Overflow when receiving odd length 16 bit SMS message
> http://downloads.asterisk.org/pub/security/AST-2013-007.html - [Minor] Asterisk Manager User Dialplan Permission Escalation

Comment 1 Dave Miller 2013-12-18 01:32:18 UTC
Looks like there's already multiple open bugs on this problem and it's been ignored since at least the end of March :|

Comment 2 Phil Anderson 2014-04-07 21:09:15 UTC
Resolved by 1074829

Comment 3 Dave Miller 2014-04-07 22:18:33 UTC
That one specific instance was.  The overall issue appears to have actually been bug 1058057.

Comment 4 Dave Miller 2014-04-07 22:21:42 UTC
But yeah, the point is I think this is fixed...  although I tried to build before it got posted and wound up having to rebuild a newer version of dahdi-tools to go with it, and I don't see the newer dahdi-tools in EPEL's repo, so I'm wondering how they built it without it? :-)

Comment 5 Fedora Update System 2014-11-22 14:33:30 UTC
asterisk- has been submitted as an update for Fedora EPEL 6.

Comment 6 Fedora Update System 2014-11-24 21:19:23 UTC
Package asterisk-
* should fix your issue,
* was pushed to the Fedora EPEL 6 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=epel-testing asterisk-'
as soon as you are able to.
Please go to the following url:
then log in and leave karma (feedback).

Comment 7 Fedora Update System 2014-12-11 06:32:39 UTC
asterisk- has been pushed to the Fedora EPEL 6 stable repository.  If problems still persist, please make note of it in this bug report.