Gentoo: GLSA-201006-20: Asterisk: Multiple vulnerabilities
Summary
Multiple vulnerabilities have been reported in Asterisk:
* Nick Baggott reported that Asterisk does not properly process
overly long ASCII strings in various packets (CVE-2009-2726).
* Noam Rathaus and Blake Cornell reported a flaw in the IAX2 protocol
implementation (CVE-2009-2346).
* amorsen reported an input processing error in the RTP protocol
implementation (CVE-2009-4055).
* Patrik Karlsson reported an information disclosure flaw related to
the REGISTER message (CVE-2009-3727).
* A vulnerability was found in the bundled Prototype JavaScript
library, related to AJAX calls (CVE-2008-7220).
Resolution
All Asterisk users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=net-misc/asterisk-1.2.37"
NOTE: This is a legacy GLSA. Updates for all affected architectures are
available since January 5, 2010. It is likely that your system is
already no longer affected by this issue.
References
[ 1 ] CVE-2009-2726 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2726 [ 2 ] CVE-2009-2346 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2346 [ 3 ] CVE-2009-4055 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4055 [ 4 ] CVE-2009-3727 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3727 [ 5 ] CVE-2008-7220 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-7220
Availability
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
https://security.gentoo.org/glsa/201006-20
Concerns
Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org.
Synopsis
Multiple vulnerabilities in Asterisk might allow remote attackers to cause a Denial of Service condition, or conduct other attacks.
Background
Asterisk is an open source telephony engine and toolkit.
Affected Packages
------------------------------------------------------------------- Package / Vulnerable / Unaffected ------------------------------------------------------------------- 1 net-misc/asterisk < 1.2.37 >= 1.2.37
Impact
===== A remote attacker could exploit these vulnerabilities by sending a specially crafted package, possibly causing a Denial of Service condition, or resulting in information disclosure.
Workaround
There is no known workaround at this time.