Hide Forgot
The following flaw was found in Asterisk: The Asterisk HTTP server currently has a default configuration which allows the BEAST vulnerability to be exploited if the TLS functionality is enabled. This can allow a man-in-the-middle attack to decrypt data passing through it. Information on the fix: Additional configuration options have been added to Asterisk which allow configuration of the HTTP server to not be susceptible to the BEAST vulnerability. These include options to confirm the permitted ciphers, to control what TLS protocols are allowed, and to use server cipher preference order instead of client preference order. The default configuration has also been changed for the HTTP server to use a configuration which is not susceptible to the BEAST vulnerability. External References: http://downloads.asterisk.org/pub/security/AST-2016-001.html
Created asterisk tracking bugs for this issue: Affects: fedora-all [bug 1306619] Affects: epel-6 [bug 1306620]
This has been addressed with the 13.7.2 release in Rawhide, Fedora 23, and Fedora 22. I'm working on the EPEL 6 package now.
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.