Bug 1044204 - Asterisk needs to be updated to pick up fixes to multiple security vulnerabilities
Summary: Asterisk needs to be updated to pick up fixes to multiple security vulnerabil...
Alias: None
Product: Fedora EPEL
Classification: Fedora
Component: asterisk
Version: el6
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Jon Disnard
QA Contact: Fedora Extras Quality Assurance
Depends On: 928780 1002046 1043923
TreeView+ depends on / blocked
Reported: 2013-12-17 22:03 UTC by Dave Miller
Modified: 2014-12-11 06:32 UTC (History)
5 users (show)

Fixed In Version: asterisk-
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2014-12-11 06:32:39 UTC
Type: Bug

Attachments (Terms of Use)

Description Dave Miller 2013-12-17 22:03:17 UTC
Description of problem:
The Asterisk packages available in EPEL are vulnerable to multiple security vulnerabilities dating back to February 2013.  The packages need to be updated to pick up the fixes for these.  The current Asterisk version on the 1.8 branch is

Version-Release number of selected component (if applicable):

The following security vulnerabilities affect the version of Asterisk currently included in EPEL:

> http://downloads.asterisk.org/pub/security/AST-2013-002.html - [Major] Denial of Service in HTTP server 
> http://downloads.asterisk.org/pub/security/AST-2013-003.html - [Moderate] Username disclosure in SIP channel driver
> http://downloads.asterisk.org/pub/security/AST-2013-004.html - [Major] Remote Crash From Late Arriving SIP ACK With SDP
> http://downloads.asterisk.org/pub/security/AST-2013-005.html - [Major] Remote Crash when Invalid SDP is sent in SIP Request
> http://downloads.asterisk.org/pub/security/AST-2013-006.html - [Major] Buffer Overflow when receiving odd length 16 bit SMS message
> http://downloads.asterisk.org/pub/security/AST-2013-007.html - [Minor] Asterisk Manager User Dialplan Permission Escalation

Comment 1 Dave Miller 2013-12-18 01:32:18 UTC
Looks like there's already multiple open bugs on this problem and it's been ignored since at least the end of March :|

Comment 2 Phil Anderson 2014-04-07 21:09:15 UTC
Resolved by 1074829

Comment 3 Dave Miller 2014-04-07 22:18:33 UTC
That one specific instance was.  The overall issue appears to have actually been bug 1058057.

Comment 4 Dave Miller 2014-04-07 22:21:42 UTC
But yeah, the point is I think this is fixed...  although I tried to build before it got posted and wound up having to rebuild a newer version of dahdi-tools to go with it, and I don't see the newer dahdi-tools in EPEL's repo, so I'm wondering how they built it without it? :-)

Comment 5 Fedora Update System 2014-11-22 14:33:30 UTC
asterisk- has been submitted as an update for Fedora EPEL 6.

Comment 6 Fedora Update System 2014-11-24 21:19:23 UTC
Package asterisk-
* should fix your issue,
* was pushed to the Fedora EPEL 6 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=epel-testing asterisk-'
as soon as you are able to.
Please go to the following url:
then log in and leave karma (feedback).

Comment 7 Fedora Update System 2014-12-11 06:32:39 UTC
asterisk- has been pushed to the Fedora EPEL 6 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.