Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
[ GLSA 201006-20 ] Asterisk: Multiple vulnerabilities
View unanswered posts
View posts from last 24 hours

 
Reply to topic    Gentoo Forums Forum Index News & Announcements
View previous topic :: View next topic  
Author Message
GLSA
Advocate
Advocate


Joined: 12 May 2004
Posts: 2663

PostPosted: Fri Jun 04, 2010 7:26 am    Post subject: [ GLSA 201006-20 ] Asterisk: Multiple vulnerabilities Reply with quote

Gentoo Linux Security Advisory

Title: Asterisk: Multiple vulnerabilities (GLSA 201006-20)
Severity: normal
Exploitable: remote
Date: June 04, 2010
Bug(s): #281107, #283624, #284892, #295270
ID: 201006-20

Synopsis


Multiple vulnerabilities in Asterisk might allow remote attackers to cause
a Denial of Service condition, or conduct other attacks.


Background


Asterisk is an open source telephony engine and toolkit.


Affected Packages

Package: net-misc/asterisk
Vulnerable: < 1.2.37
Unaffected: >= 1.2.37
Architectures: All supported architectures


Description


Multiple vulnerabilities have been reported in Asterisk:
  • Nick Baggott reported that Asterisk does not properly process
    overly long ASCII strings in various packets (CVE-2009-2726).
  • Noam Rathaus and Blake Cornell reported a flaw in the IAX2 protocol
    implementation (CVE-2009-2346).
  • amorsen reported an input
    processing error in the RTP protocol implementation
    (CVE-2009-4055).
  • Patrik Karlsson reported an information
    disclosure flaw related to the REGISTER message (CVE-2009-3727).
  • A vulnerability was found in the bundled Prototype JavaScript
    library, related to AJAX calls (CVE-2008-7220).


Impact


A remote attacker could exploit these vulnerabilities by sending a
specially crafted package, possibly causing a Denial of Service
condition, or resulting in information disclosure.


Workaround


There is no known workaround at this time.


Resolution


All Asterisk users should upgrade to the latest version:
Code:
# emerge --sync
    # emerge --ask --oneshot --verbose ">=net-misc/asterisk-1.2.37"

NOTE: This is a legacy GLSA. Updates for all affected architectures are
available since January 5, 2010. It is likely that your system is
already no longer affected by this issue.


References

CVE-2009-2726
CVE-2009-2346
CVE-2009-4055
CVE-2009-3727
CVE-2008-7220
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index News & Announcements All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum