AST-2012-013
When an IAX2 call is made using the credentials of a peer defined in a dynamic Asterisk Realtime Architecture (ARA) backend, the ACL rules for that peer are not applied to the call attempt. This allows for a remote attacker who is aware of a peer's credentials to bypass the ACL rules set for that peer.
This was originally reported by "Alan Frisch".
http://downloads.asterisk.org/pub/security/AST-2012-013.pdf
http://downloads.asterisk.org/pub/security/AST-2012-013.1.8.diff
http://downloads.asterisk.org/pub/security/AST-2012-013.10.diff
Created asterisk tracking bugs for this issue Affects: fedora-16 [bug 853527]
Created asterisk tracking bugs for this issue Affects: fedora-17 [bug 853528]
Created asterisk tracking bugs for this issue Affects: epel-6 [bug 853531]
Please note: the links to the diffs are currently 404, emailed upstream.
asterisk-1.8.18.0-1.el6 has been pushed to the Epel 6 repository. If problems still persist, please make note of it in this bug report.
asterisk-1.8.18.0-1.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report.
asterisk-10.10.0-1.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.