Red Hat Bugzilla – Full Text Bug Listing
|Summary:||CVE-2012-2416 asterisk: Crash by processing certain UPDATE requests in SIP channel driver (AST-2012-006)|
|Product:||[Other] Security Response||Reporter:||Jan Lieskovsky <jlieskov>|
|Component:||vulnerability||Assignee:||Red Hat Product Security <security-response-team>|
|Status:||NEW ---||QA Contact:|
|Version:||unspecified||CC:||itamar, jeff, lmadsen, rbryant|
|Fixed In Version:||Doc Type:||Bug Fix|
|Doc Text:||Story Points:||---|
|oVirt Team:||---||RHEL 7.3 requirements from Atomic Host:|
|Bug Depends On:||815777, 815778|
Description Jan Lieskovsky 2012-04-24 09:41:15 EDT
A denial of service (asterisk crash) was found in the way Session Initiation Protocol (SIP) channel implementation (SIP driver) of the Asterisk, an open-source telephony toolkit processed certain SIP UPDATE requests, when the 'trustrpid' option was enabled. A remote attacker, able to properly time the SIP update request arrival, [it to come within (after call was terminated and associated channel object has been destroyed, but before SIP dialog associated with the call has been destroyed) interval] could use this flaw to cause asterisk executable crash. Upstream advisory: http://downloads.asterisk.org/pub/security/AST-2012-006.html Upstream patch (against the v1.8 branch): http://downloads.asterisk.org/pub/security/AST-2012-006-1.8.diff Upstream patch (against the v1.10 branch): http://downloads.asterisk.org/pub/security/AST-2012-006-1.8.diff Upstream ticket: https://issues.asterisk.org/jira/browse/ASTERISK-19770 CVE assignment: http://www.openwall.com/lists/oss-security/2012/04/23/5
Comment 1 Jan Lieskovsky 2012-04-24 09:43:26 EDT
This issue affects the versions of the asterisk package, as shipped with Fedora release of 15 and 16. Please schedule an update. -- This issue affects the version of the asterisk package, as shipped with Fedora EPEL 6. Please schedule an update.
Comment 2 Jan Lieskovsky 2012-04-24 09:46:13 EDT
Created asterisk tracking bugs for this issue Affects: fedora-all [bug 815777] Affects: epel-6 [bug 815778]
Comment 3 Fedora Update System 2012-05-03 18:53:35 EDT
asterisk-184.108.40.206-1.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report.
Comment 4 Fedora Update System 2012-05-04 16:29:39 EDT
asterisk-220.127.116.11-1.fc15 has been pushed to the Fedora 15 stable repository. If problems still persist, please make note of it in this bug report.
Comment 5 Fedora Update System 2012-05-04 18:51:54 EDT
asterisk-10.3.1-1.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.
Comment 6 Fedora Update System 2012-05-11 18:02:43 EDT
asterisk-18.104.22.168-1.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.