Bug 531199

Summary: asterisk: ACL not respected on SIP INVITE (AST-2009-007)
Product: [Other] Security Response
Reporter: Tomas Hoger <thoger>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: high
Priority: high
Version: unspecified
CC: bressers, itamar, jeff
Keywords: Security
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2010-03-22 18:52:26 UTC

Description Tomas Hoger 2009-10-27 09:04:31 UTC
Quoting upstream advisory AST-2009-007:

  http://downloads.asterisk.org/pub/security/AST-2009-007.html

  A missing ACL check for handling SIP INVITEs allows a device to make calls
  on networks intended to be prohibited as defined by the "deny" and "permit"
  lines in sip.conf. The ACL check for handling SIP registrations was not
  affected.

Affects all 1.6.1 versions, fixed in 1.6.1.8
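As an added illustration (not code from the advisory, from Asterisk, or from this report), the following Python model parses sip.conf deny/permit lines and runs a regression check that an address the ACL denies is refused for INVITE as well as REGISTER. The ACL ordering it uses (rules checked in file order, last match wins, no match allows) is an assumption about Asterisk's behaviour; the sip.conf fragment and the request dispatcher are constructed for the example.

```python
import ipaddress

# Constructed sip.conf fragment (not from the page): deny everything,
# then permit a single LAN, using the deny/permit syntax the advisory refers to.
SIP_CONF = """
[phone1]
type=friend
deny=0.0.0.0/0.0.0.0
permit=192.168.1.0/255.255.255.0
"""


def parse_acl(conf):
    """Collect (sense, network) pairs from deny=/permit= lines, in file order.
    Both netmask (a.b.c.d/m.m.m.m) and CIDR (a.b.c.d/n) notations are accepted."""
    acl = []
    for raw in conf.splitlines():
        key, sep, value = raw.strip().partition("=")
        key = key.strip().lower()
        if sep and key in ("deny", "permit"):
            acl.append((key, ipaddress.ip_network(value.strip(), strict=False)))
    return acl


def acl_allows(acl, peer_ip):
    """Assumed Asterisk-style evaluation: rules are checked in order, the last
    matching rule decides, and an address matching no rule is allowed."""
    ip = ipaddress.ip_address(peer_ip)
    sense = "permit"
    for rule_sense, net in acl:
        if ip in net:
            sense = rule_sense
    return sense == "permit"


def handle_request(method, peer_ip, acl, invite_checks_acl=True):
    """Toy dispatcher. With invite_checks_acl=False it reproduces the reported
    behaviour: REGISTER consults the peer ACL but INVITE does not.
    Returns True if the request is accepted."""
    needs_check = method == "REGISTER" or (method == "INVITE" and invite_checks_acl)
    if needs_check and not acl_allows(acl, peer_ip):
        return False
    return True


def acl_regression_check(acl, blocked_ip, invite_checks_acl=True):
    """Defender's check: every request type must be refused for an address the
    ACL denies. Returns the list of methods that were wrongly accepted."""
    return [m for m in ("REGISTER", "INVITE")
            if handle_request(m, blocked_ip, acl, invite_checks_acl)]
```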

Comment 1 Fedora Update System 2009-10-27 16:41:32 UTC
asterisk-1.6.1.8-1.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/asterisk-1.6.1.8-1.fc11

Comment 2 Jeffrey C. Ollie 2009-10-27 16:45:22 UTC
For F-12:

https://fedorahosted.org/rel-eng/ticket/2778

Comment 3 Fedora Update System 2009-11-16 07:31:30 UTC
asterisk-1.6.1.8-1.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.