Fedora 20 : asterisk-11.8.1-1.fc20 (2014-3762)

high Nessus Plugin ID 73141

Synopsis

The remote Fedora host is missing a security update.

Description

The Asterisk Development Team has announced security releases for Certified Asterisk 1.8.15, 11.6, and Asterisk 1.8, 11, and 12. The available security releases are released as versions 1.8.15-cert5, 11.6-cert2, 1.8.26.1, 11.8.1, and 12.1.1.

These releases are available for immediate download at http://downloads.asterisk.org/pub/telephony/asterisk/releases

The release of these versions resolves the following issues :

- AST-2014-001: Stack overflow in HTTP processing of Cookie headers.

Sending an HTTP request that is handled by Asterisk with a large number of Cookie headers could overflow the stack.

Along similar lines, any HTTP request with a ridiculous number of headers could exhaust system memory.

- AST-2014-002: chan_sip: Exit early on bad session timers request

This change allows chan_sip to avoid creation of the channel and consumption of associated file descriptors altogether if the inbound request is going to be rejected anyway.

Additionally, the release of 12.1.1 resolves the following issue :

- AST-2014-003: res_pjsip: When handling 401/407 responses don't assume a request will have an endpoint.

This change removes the assumption that an outgoing request will always have an endpoint and makes the authenticate_qualify option work once again.

Finally, a security advisory, AST-2014-004, was released for a vulnerability fixed in Asterisk 12.1.0. Users of Asterisk 12.0.0 are encouraged to upgrade to 12.1.1 to resolve both vulnerabilities.

These issues and their resolutions are described in the security advisories.

For more information about the details of these vulnerabilities, please read security advisories AST-2014-001, AST-2014-002, AST-2014-003, and AST-2014-004, which were released at the same time as this announcement.

For a full list of changes in the current releases, please see the ChangeLogs :

http://downloads.asterisk.org/pub/telephony/certified-asterisk/releases/ChangeLog-1.8.15-cert5

http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-1.8.26.1

http://downloads.asterisk.org/pub/telephony/certified-asterisk/releases/ChangeLog-11.6-cert2

http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-11.8.1

http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-12.1.1

The security advisories are available at :

- http://downloads.asterisk.org/pub/security/AST-2014-001.pdf

- http://downloads.asterisk.org/pub/security/AST-2014-002.pdf

- http://downloads.asterisk.org/pub/security/AST-2014-003.pdf

- http://downloads.asterisk.org/pub/security/AST-2014-004.pdf

The Asterisk Development Team has announced the release of Asterisk 11.8.0. This release is available for immediate download at http://downloads.asterisk.org/pub/telephony/asterisk

The release of Asterisk 11.8.0 resolves several issues reported by the community and would not have been possible without your participation. Thank you!

The following are the issues resolved in this release :

Bugs fixed in this release :

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Solution

Update the affected asterisk package.

See Also

http://downloads.asterisk.org/pub/security/AST-2014-001.pdf

http://downloads.asterisk.org/pub/security/AST-2014-002.pdf

http://downloads.asterisk.org/pub/security/AST-2014-003.pdf

http://downloads.asterisk.org/pub/security/AST-2014-004.pdf

http://downloads.asterisk.org/pub/telephony/asterisk/

http://downloads.asterisk.org/pub/telephony/asterisk/releases/

http://www.nessus.org/u?68336dff

http://www.nessus.org/u?cbb290c2

http://www.nessus.org/u?4a9e33d8

http://www.nessus.org/u?3d221303

http://www.nessus.org/u?fd1dec6c

https://bugzilla.redhat.com/show_bug.cgi?id=1074825

https://bugzilla.redhat.com/show_bug.cgi?id=1074827

http://www.nessus.org/u?52b913c8

Plugin Details

Severity: High

ID: 73141

File Name: fedora_2014-3762.nasl

Version: 1.15

Type: local

Agent: unix

Published: 3/22/2014

Updated: 1/11/2021

Supported Sensors: Agentless Assessment, Continuous Assessment, Frictionless Assessment Agent, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5.9

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

Vulnerability Information

CPE: cpe:/o:fedoraproject:fedora:20, p-cpe:/a:fedoraproject:fedora:asterisk

Required KB Items: Host/local_checks_enabled, Host/RedHat/release, Host/RedHat/rpm-list

Exploit Ease: No known exploits are available

Patch Publication Date: 3/12/2014

Vulnerability Publication Date: 4/18/2014

Reference Information

CVE: CVE-2014-2286, CVE-2014-2287, CVE-2014-2288, CVE-2014-2289

BID: 66093, 66094

FEDORA: 2014-3762