Univention Bugzilla – Bug 37738
asterisk: Multiple issues (4.1)
Last modified: 2016-10-05 12:46:37 CEST
(This was initially only in unmaintained (https://forge.univention.org/bugzilla/show_bug.cgi?id=36960#c4), but asterisk has been added to maintained in UCS 4.0-1):

Remote crash when handling out of call message in certain dialplan configurations (CVE-2014-6610)
Asterisk Manager User Unauthorized Shell Access (CVE-2014-4046)
Exhaustion of Allowed Concurrent HTTP Connections (CVE-2014-4047)
Stack Overflow in HTTP Processing of Cookie Headers (CVE-2014-2286)
Denial of Service Through File Descriptor Exhaustion with chan_sip Session-Timers (CVE-2014-2287)
Mixed IP address families in access control lists may permit unwanted traffic (CVE-2014-8412)
High call load may result in hung channels in ConfBridge (CVE-2014-8414)
Permission escalation through ConfBridge actions/dialplan functions (CVE-2014-8417)
AMI permission escalation through DB dialplan function (CVE-2014-8418)
(In reply to Moritz Muehlenhoff from comment #0)
> Remote crash when handling out of call message in certain dialplan
> configurations (CVE-2014-6610)
http://downloads.asterisk.org/pub/security/AST-2014-010.html

> Asterisk Manager User Unauthorized Shell Access (CVE-2014-4046)
http://downloads.asterisk.org/pub/security/AST-2014-006.html

> Exhaustion of Allowed Concurrent HTTP Connections (CVE-2014-4047)
http://downloads.asterisk.org/pub/security/AST-2014-007.html

> Stack Overflow in HTTP Processing of Cookie Headers (CVE-2014-2286)
http://downloads.asterisk.org/pub/security/AST-2014-001.html

> Denial of Service Through File Descriptor Exhaustion with chan_sip
> Session-Timers (CVE-2014-2287)
http://downloads.asterisk.org/pub/security/AST-2014-002.html

> Mixed IP address families in access control lists may permit unwanted
> traffic (CVE-2014-8412)
http://downloads.asterisk.org/pub/security/AST-2014-012.html

> High call load may result in hung channels in ConfBridge (CVE-2014-8414)
http://downloads.asterisk.org/pub/security/AST-2014-014.html

> Permission escalation through ConfBridge actions/dialplan functions
> (CVE-2014-8417)
http://downloads.asterisk.org/pub/security/AST-2014-017.html

> AMI permission escalation through DB dialplan function (CVE-2014-8418)
http://downloads.asterisk.org/pub/security/AST-2014-018.html
These issues have been moved to Bug #39285 because they had been classified as minor issues:

> > Remote crash when handling out of call message in certain dialplan
> > configurations (CVE-2014-6610)
> http://downloads.asterisk.org/pub/security/AST-2014-010.html

> > Asterisk Manager User Unauthorized Shell Access (CVE-2014-4046)
> http://downloads.asterisk.org/pub/security/AST-2014-006.html

> > Permission escalation through ConfBridge actions/dialplan functions
> > (CVE-2014-8417)
> http://downloads.asterisk.org/pub/security/AST-2014-017.html

> > AMI permission escalation through DB dialplan function (CVE-2014-8418)
> http://downloads.asterisk.org/pub/security/AST-2014-018.html

These have been classified as moderate issues and should be fixed:

> > Exhaustion of Allowed Concurrent HTTP Connections (CVE-2014-4047)
> http://downloads.asterisk.org/pub/security/AST-2014-007.html

> > Stack Overflow in HTTP Processing of Cookie Headers (CVE-2014-2286)
> http://downloads.asterisk.org/pub/security/AST-2014-001.html

> > Denial of Service Through File Descriptor Exhaustion with chan_sip
> > Session-Timers (CVE-2014-2287)
> http://downloads.asterisk.org/pub/security/AST-2014-002.html

> > Mixed IP address families in access control lists may permit unwanted
> > traffic (CVE-2014-8412)
> http://downloads.asterisk.org/pub/security/AST-2014-012.html

> > High call load may result in hung channels in ConfBridge (CVE-2014-8414)
> http://downloads.asterisk.org/pub/security/AST-2014-014.html
(In reply to Stefan Gohmann from comment #2)
> These have been classified as moderate issues and should be fixed:
>
> > > Exhaustion of Allowed Concurrent HTTP Connections (CVE-2014-4047)
> > http://downloads.asterisk.org/pub/security/AST-2014-007.html
>
> > > Stack Overflow in HTTP Processing of Cookie Headers (CVE-2014-2286)
> > http://downloads.asterisk.org/pub/security/AST-2014-001.html
>
> > > Denial of Service Through File Descriptor Exhaustion with chan_sip
> > > Session-Timers (CVE-2014-2287)
> > http://downloads.asterisk.org/pub/security/AST-2014-002.html
>
> > > Mixed IP address families in access control lists may permit unwanted
> > > traffic (CVE-2014-8412)
> > http://downloads.asterisk.org/pub/security/AST-2014-012.html
>
> > > High call load may result in hung channels in ConfBridge (CVE-2014-8414)
> > http://downloads.asterisk.org/pub/security/AST-2014-014.html

We don't have backported patches for Asterisk 1.8 for all of these issues. Instead of backporting the fixes manually, I would suggest upgrading to Asterisk 11 from wheezy-backports with UCS 4.1: https://packages.debian.org/wheezy-backports/asterisk
asterisk 11.13 from wheezy-backports has been built. The security issues have been fixed in the new version.

Changelog: r63335
I subscribed debian-backports-announce@lists.debian.org to monitor sec-updates for backports.
Tests: OK
Issues: Fixed
Changelog: OK
UCS 4.1 has been released:
https://docs.software-univention.de/release-notes-4.1-0-en.html
https://docs.software-univention.de/release-notes-4.1-0-de.html

If this error occurs again, please use "Clone This Bug".