GLSA
Advocate
Joined: 12 May 2004
Posts: 2663
|
 Posted: Thu Jun 21, 2012 1:26 am Post subject: [ GLSA 201206-05 ] Asterisk: Multiple vulnerabilities |
 |
|
Gentoo Linux Security Advisory
Title: Asterisk: Multiple vulnerabilities (GLSA 201206-05)
Severity: normal
Exploitable: remote
Date: June 21, 2012
Bug(s): #413353, #418189, #418191
ID: 201206-05
Synopsis
Multiple vulnerabilities in Asterisk might allow remote attackers
to execute arbitrary code.
Background
Asterisk is an open source telephony engine and toolkit.
Affected Packages
Package: net-misc/asterisk
Vulnerable: < 1.8.12.1
Unaffected: >= 1.8.12.1
Architectures: All supported architectures
Description
Multiple vulnerabilities have been found in Asterisk: - An error in manager.c allows shell access through the MixMonitor
application, GetVar, or Status (CVE-2012-2414).
- An error in chan_skinny.c could cause a heap-based buffer overflow
(CVE-2012-2415).
- An error in chan_sip.c prevents Asterisk from checking if a channel
exists before connected line updates (CVE-2012-2416).
- An error in chan_iax2.c may cause an invalid pointer to be called
(CVE-2012-2947).
- chan_skinny.c contains a NULL pointer dereference (CVE-2012-2948).
Impact
A remote attacker could execute arbitrary code with the privileges of
the process or cause a Denial of Service condition.
Workaround
There is no known workaround at this time.
Resolution
All Asterisk users should upgrade to the latest version: | Code: | # emerge --sync
# emerge --ask --oneshot --verbose ">=net-misc/asterisk-1.8.12.1"
|
References
CVE-2012-2414
CVE-2012-2415
CVE-2012-2416
CVE-2012-2947
CVE-2012-2948 |
|
News & Announcements
