Title: Asterisk: Multiple vulnerabilities ([glsa=201209-15]GLSA 201209-15[/glsa])
Severity: normal
Exploitable: remote
Date: September 26, 2012
Bug(s): #425050, #433750
ID: 201209-15
Synopsis
Multiple vulnerabilities have been found in Asterisk, the worst of
which may allow execution of arbitrary code.
Background
Asterisk is an open source telephony engine and toolkit.
Affected Packages
Package: net-misc/asterisk
Vulnerable: < 1.8.15.1
Unaffected: >= 1.8.15.1
Architectures: All supported architectures
Description
Multiple vulnerabilities have been found in Asterisk:
- An error in manager.c allows shell access (CVE-2012-2186).
- An error in Asterisk could cause all RTP ports to be exhausted
(CVE-2012-3812). - A double-free error could occur when two parties attempt to
manipulate the same voicemail account simultaneously (CVE-2012-3863). - Asterisk does not properly implement certain ACL rules
(CVE-2012-4737).
Impact
A remote, authenticated attacker could execute arbitrary code with the
privileges of the process, cause a Denial of Service condition, or bypass
outbound call restrictions.
Workaround
There is no known workaround at this time.
Resolution
All Asterisk users should upgrade to the latest version:
Code: Select all
# emerge --sync
# emerge --ask --oneshot --verbose ">=net-misc/asterisk-1.8.15.1"
References
CVE-2012-2186
CVE-2012-3812
CVE-2012-3863
CVE-2012-4737