Posted: Sat May 02, 2009 6:26 pm Post subject: [ GLSA 200905-01 ] Asterisk: Multiple vulnerabilities
Gentoo Linux Security Advisory
Title: Asterisk: Multiple vulnerabilities (GLSA 200905-01)
Date: May 02, 2009
Bug(s): #218966, #224835, #232696, #232698, #237476, #250748, #254304
Multiple vulnerabilities have been found in Asterisk allowing for Denial of
Service and username disclosure.
Asterisk is an open source telephony engine and toolkit.
Vulnerable: < 1.2.32
Unaffected: >= 1.2.32
Architectures: All supported architectures
Multiple vulnerabilities have been discovered in the IAX2 channel
driver when performing the 3-way handshake (CVE-2008-1897), when
handling a large number of POKE requests (CVE-2008-3263), when handling
authentication attempts (CVE-2008-5558) and when handling firmware
download (FWDOWNL) requests (CVE-2008-3264). Asterisk also does not
correctly handle SIP INVITE messages that lack a "From" header
(CVE-2008-2119), and responds differently to a failed login attempt
depending on whether the user account exists (CVE-2008-3903,
Remote unauthenticated attackers could send specially crafted data to
Asterisk, possibly resulting in a Denial of Service via a daemon crash,
call-number exhaustion, CPU or traffic consumption. Remote
unauthenticated attackers could furthermore enumerate valid usernames
to facilitate brute force login attempts.
There is no known workaround at this time.
All Asterisk users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=net-misc/asterisk-1.2.32"
Last edited by GLSA on Tue Jan 26, 2010 4:28 am; edited 2 times in total
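The two SIP-side issues the advisory names, as an added example that is not part of the advisory and is not code from Asterisk or Gentoo: a mandatory-header check that rejects an INVITE with no "From" header before it is processed (the CVE-2008-2119 class), and a comparison of the server's replies to a REGISTER for an impossible username versus a candidate username, which exposes the "responds differently depending on whether the account exists" behaviour (the CVE-2008-3903 class). All messages, hosts, nonces and the 403-versus-401 reply pair below are constructed for the example; the header check goes slightly beyond the advisory in also recognising RFC 3261 compact header names, so a probe using "f:" instead of "From:" cannot slip past it.

```python
"""Two small SIP checks in the spirit of the advisory's findings.

Added example for this page; not code from Asterisk, Gentoo or the GLSA.
All messages, hosts and nonces below are constructed, not captured traffic.

1. missing_mandatory(): an INVITE without a "From" header (CVE-2008-2119
   class) must be rejected up front rather than processed.
2. enumeration_oracle(): a server that answers a REGISTER for an impossible
   username differently from one for a real username leaks which accounts
   exist before any credential is checked (CVE-2008-3903 class).
"""
import re

# RFC 3261 section 8.1.1: headers every SIP request must carry.
MANDATORY_HEADERS = ("Via", "From", "To", "Call-ID", "CSeq", "Max-Forwards")

# RFC 3261 compact header forms; a check that ignores these is bypassable.
COMPACT = {"v": "via", "f": "from", "t": "to", "i": "call-id",
           "m": "contact", "l": "content-length", "c": "content-type"}


def parse_sip(raw):
    """Split a SIP message into (start line, {lower-case name: [values]}, body)."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed header line: %r" % line)
        key = name.strip().lower()
        key = COMPACT.get(key, key)          # expand "f:" to "from" etc.
        headers.setdefault(key, []).append(value.strip())
    return lines[0], headers, body


def missing_mandatory(request):
    """Return the mandatory headers a request lacks (empty list = well formed)."""
    _, headers, _ = parse_sip(request)
    return [h for h in MANDATORY_HEADERS if h.lower() not in headers]


def status_of(response):
    """Return (status code, reason phrase) of a SIP response."""
    start, _, _ = parse_sip(response)
    m = re.match(r"SIP/2\.0 (\d{3}) (.*)$", start)
    if not m:
        raise ValueError("not a SIP response: %r" % start)
    return int(m.group(1)), m.group(2)


def build_register(user, host, call_id="deadbeef1234"):
    """Build an unauthenticated REGISTER probe for a username (constructed)."""
    return ("REGISTER sip:%s SIP/2.0\r\n"
            "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK%s\r\n"
            "From: <sip:%s@%s>;tag=probe\r\n"
            "To: <sip:%s@%s>\r\n"
            "Call-ID: %s\r\n"
            "CSeq: 1 REGISTER\r\n"
            "Max-Forwards: 70\r\n"
            "Content-Length: 0\r\n\r\n") % (host, call_id, user, host, user, host, call_id)


def enumeration_oracle(resp_for_bogus_user, resp_for_candidate_user):
    """True if the two replies differ in status or reason: the server tells an
    unknown account from a known one before any password is checked, which is
    the username-enumeration behaviour the advisory describes."""
    return status_of(resp_for_bogus_user) != status_of(resp_for_candidate_user)


# Constructed sample traffic (hosts are RFC 5737 / .example names).
INVITE_NO_FROM = (
    "INVITE sip:100@pbx.example SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776\r\n"
    "To: <sip:100@pbx.example>\r\n"
    "Call-ID: a84b4c76e66710\r\n"
    "CSeq: 1 INVITE\r\n"
    "Max-Forwards: 70\r\n"
    "Content-Length: 0\r\n\r\n")
INVITE_COMPACT_FROM = INVITE_NO_FROM.replace(
    "To: <sip:100@pbx.example>\r\n",
    "To: <sip:100@pbx.example>\r\nf: <sip:caller@192.0.2.10>;tag=1\r\n")
RESP_UNKNOWN_USER = "SIP/2.0 403 Forbidden\r\nCSeq: 1 REGISTER\r\nContent-Length: 0\r\n\r\n"
RESP_KNOWN_USER = ("SIP/2.0 401 Unauthorized\r\nCSeq: 1 REGISTER\r\n"
                   "WWW-Authenticate: Digest realm=\"asterisk\", nonce=\"0123abcd\"\r\n"
                   "Content-Length: 0\r\n\r\n")

if __name__ == "__main__":
    print("missing in INVITE:", missing_mandatory(INVITE_NO_FROM))
    print("missing with compact f::", missing_mandatory(INVITE_COMPACT_FROM))
    print("enumeration oracle:", enumeration_oracle(RESP_UNKNOWN_USER, RESP_KNOWN_USER))
```

A patched server is expected to answer both REGISTERs with the same challenge, so enumeration_oracle() returning False on live replies is the post-upgrade check; the build_register() probe is only a message template and does no network I/O, so sending it against a system you are authorised to test is left to the reader.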