Manager users can execute arbitrary shell commands with the MixMonitor manager action. Asterisk does not require system class authorization for a manager user to use the MixMonitor action, so any manager user who is permitted to use manager commands can potentially execute shell commands as the user executing the Asterisk process. Upstream patch: http://downloads.asterisk.org/pub/security/AST-2014-006-11.diff External references: https://issues.asterisk.org/jira/browse/ASTERISK-23609 http://downloads.digium.com/pub/security/AST-2014-006.html
Created asterisk tracking bugs for this issue: Affects: fedora-all [bug 1109280]
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.