Description of problem:
The Asterisk packages available in EPEL are vulnerable to multiple security vulnerabilities dating back to February 2013. The packages need to be updated to pick up the fixes for these. The current Asterisk version on the 1.8 branch is 18.104.22.168.
Version-Release number of selected component (if applicable):
The following security vulnerabilities affect the version of Asterisk currently included in EPEL:
> http://downloads.asterisk.org/pub/security/AST-2013-002.html - [Major] Denial of Service in HTTP server
> http://downloads.asterisk.org/pub/security/AST-2013-003.html - [Moderate] Username disclosure in SIP channel driver
> http://downloads.asterisk.org/pub/security/AST-2013-004.html - [Major] Remote Crash From Late Arriving SIP ACK With SDP
> http://downloads.asterisk.org/pub/security/AST-2013-005.html - [Major] Remote Crash when Invalid SDP is sent in SIP Request
> http://downloads.asterisk.org/pub/security/AST-2013-006.html - [Major] Buffer Overflow when receiving odd length 16 bit SMS message
> http://downloads.asterisk.org/pub/security/AST-2013-007.html - [Minor] Asterisk Manager User Dialplan Permission Escalation
Looks like there's already multiple open bugs on this problem and it's been ignored since at least the end of March :|
Resolved by 1074829
That one specific instance was. The overall issue appears to have actually been bug 1058057.
But yeah, the point is I think this is fixed... although I tried to build 22.214.171.124 before it got posted and wound up having to rebuild a newer version of dahdi-tools to go with it, and I don't see the newer dahdi-tools in EPEL's repo, so I'm wondering how they built it without it? :-)
asterisk-126.96.36.199-1.el6 has been submitted as an update for Fedora EPEL 6.
* should fix your issue,
* was pushed to the Fedora EPEL 6 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=epel-testing asterisk-188.8.131.52-1.el6'
as soon as you are able to.
Please go to the following url:
then log in and leave karma (feedback).
asterisk-184.108.40.206-1.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.