Bug 1306618

Summary: asterisk: BEAST vulnerability in HTTP server (AST-2016-001)
Product: [Other] Security Response Reporter: Martin Prpič <mprpic>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED UPSTREAM QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: g.devel, itamar, jsmith.fedora, lmadsen, rbryant
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: asterisk 11.21.1, asterisk 13.7.1 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-06-08 02:48:19 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On: 1306619, 1306620    
Bug Blocks:    

Description Martin Prpič 2016-02-11 13:08:32 UTC 
The following flaw was found in Asterisk:

The Asterisk HTTP server currently has a default configuration which allows the BEAST vulnerability to be exploited if the TLS functionality is enabled. This can allow a man-in-the-middle attack to decrypt data passing through it.

Information on the fix:

Additional configuration options have been added to Asterisk which allow configuration of the HTTP server to not be susceptible to the BEAST vulnerability. These include options to confirm the permitted ciphers, to control what TLS protocols are allowed, and to use server cipher preference order instead of client preference order. The default configuration has also been changed for the HTTP server to use a configuration which is not susceptible to the BEAST vulnerability.

External References:

http://downloads.asterisk.org/pub/security/AST-2016-001.html
Comment 1 Martin Prpič 2016-02-11 13:09:28 UTC 
Created asterisk tracking bugs for this issue:

Affects: fedora-all [bug 1306619]
Affects: epel-6 [bug 1306620]
Comment 2 Jared Smith 2016-02-12 18:22:30 UTC 
This has been addressed with the 13.7.2 release in Rawhide, Fedora 23, and Fedora 22.  

I'm working on the EPEL 6 package now.
Comment 3 Product Security DevOps Team 2019-06-08 02:48:19 UTC 
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.