1044204 – Asterisk needs to be updated to pick up fixes to multiple security vulnerabilities

Bug 1044204 - Asterisk needs to be updated to pick up fixes to multiple security vulnerabilities

Summary: Asterisk needs to be updated to pick up fixes to multiple security vulnerabil...

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Fedora EPEL
Classification:	Fedora
Component:	asterisk
Sub Component:
Version:	el6
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	urgent
Target Milestone:	---
Assignee:	Jon Disnard
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Depends On:	928780 1002046 1043923
Blocks:
TreeView+	depends on / blocked

Reported:	2013-12-17 22:03 UTC by Dave Miller
Modified:	2014-12-11 06:32 UTC (History)
CC List:	5 users (show)
Fixed In Version:	asterisk-1.8.32.1-1.el6
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2014-12-11 06:32:39 UTC
Type:	Bug
Embargoed:

Attachments	(Terms of Use)

Description Dave Miller 2013-12-17 22:03:17 UTC

Description of problem:
The Asterisk packages available in EPEL are vulnerable to multiple security vulnerabilities dating back to February 2013.  The packages need to be updated to pick up the fixes for these.  The current Asterisk version on the 1.8 branch is 1.8.25.0.

Version-Release number of selected component (if applicable):
asterisk-1.8.20.0-1.el6.x86_64

The following security vulnerabilities affect the version of Asterisk currently included in EPEL:

> http://downloads.asterisk.org/pub/security/AST-2013-002.html - [Major] Denial of Service in HTTP server 
> http://downloads.asterisk.org/pub/security/AST-2013-003.html - [Moderate] Username disclosure in SIP channel driver
> http://downloads.asterisk.org/pub/security/AST-2013-004.html - [Major] Remote Crash From Late Arriving SIP ACK With SDP
> http://downloads.asterisk.org/pub/security/AST-2013-005.html - [Major] Remote Crash when Invalid SDP is sent in SIP Request
> http://downloads.asterisk.org/pub/security/AST-2013-006.html - [Major] Buffer Overflow when receiving odd length 16 bit SMS message
> http://downloads.asterisk.org/pub/security/AST-2013-007.html - [Minor] Asterisk Manager User Dialplan Permission Escalation

Comment 1 Dave Miller 2013-12-18 01:32:18 UTC

Looks like there's already multiple open bugs on this problem and it's been ignored since at least the end of March :|

Comment 2 Phil Anderson 2014-04-07 21:09:15 UTC

Resolved by 1074829

Comment 3 Dave Miller 2014-04-07 22:18:33 UTC

That one specific instance was.  The overall issue appears to have actually been bug 1058057.

Comment 4 Dave Miller 2014-04-07 22:21:42 UTC

But yeah, the point is I think this is fixed...  although I tried to build 1.8.26.1 before it got posted and wound up having to rebuild a newer version of dahdi-tools to go with it, and I don't see the newer dahdi-tools in EPEL's repo, so I'm wondering how they built it without it? :-)

Comment 5 Fedora Update System 2014-11-22 14:33:30 UTC

asterisk-1.8.32.1-1.el6 has been submitted as an update for Fedora EPEL 6.
https://admin.fedoraproject.org/updates/asterisk-1.8.32.1-1.el6

Comment 6 Fedora Update System 2014-11-24 21:19:23 UTC

Package asterisk-1.8.32.1-1.el6:
* should fix your issue,
* was pushed to the Fedora EPEL 6 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=epel-testing asterisk-1.8.32.1-1.el6'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-EPEL-2014-4243/asterisk-1.8.32.1-1.el6
then log in and leave karma (feedback).

Comment 7 Fedora Update System 2014-12-11 06:32:39 UTC

asterisk-1.8.32.1-1.el6 has been pushed to the Fedora EPEL 6 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.