Fedora alert FEDORA-2008-2620 (asterisk)
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2008-2620
2008-03-21 21:42:01
--------------------------------------------------------------------------------

Name        : asterisk
Product     : Fedora 7
Version     : 1.4.18.1
Release     : 1.fc7
URL         : http://www.asterisk.org/
Summary     : The Open Source PBX
Description :
Asterisk is a complete PBX in software. It runs on Linux and provides
all of the features you would expect from a PBX and more. Asterisk
does voice over IP in three protocols, and can interoperate with
almost all standards-based telephony equipment using relatively
inexpensive hardware.

--------------------------------------------------------------------------------
Update Information:

Update to 1.4.18.1 plus another patch to fix some security issues.

AST-2008-002 details two buffer overflows that were discovered in RTP codec
payload type handling.
* http://downloads.digium.com/pub/security/AST-2008-002.pdf
* All users of SIP in Asterisk 1.4 and 1.6 are affected.

AST-2008-003 details a vulnerability which allows an attacker to bypass SIP
authentication and to make a call into the context specified in the general
section of sip.conf.
* http://downloads.digium.com/pub/security/AST-2008-003.pdf
* All users of SIP in Asterisk 1.0, 1.2, 1.4, or 1.6 are affected.

AST-2008-005 details a problem in the way manager IDs are calculated.
* http://downloads.digium.com/pub/security/AST-2008-005.pdf

--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #438127 - CVE-2008-1289 asterisk: Two buffer overflows in RTP Codec Payload Handling (AST-2008-002)
        https://bugzilla.redhat.com/show_bug.cgi?id=438127
  [ 2 ] Bug #438129 - CVE-2008-1332 asterisk: Unauthenticated calls allowed from SIP channel driver (AST-2008-003)
        https://bugzilla.redhat.com/show_bug.cgi?id=438129
  [ 3 ] Bug #438131 - CVE-2008-1390 asterisk: HTTP Manager ID is predictable (AST-2008-005)
        https://bugzilla.redhat.com/show_bug.cgi?id=438131
--------------------------------------------------------------------------------

This update can be installed with the "yum" update program. Use
su -c 'yum update asterisk' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
http://fedoraproject.org/keys
--------------------------------------------------------------------------------

_______________________________________________
Fedora-package-announce mailing list
Fedora-package-announce@redhat.com
http://www.redhat.com/mailman/listinfo/fedora-package-ann...
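To confirm that a host actually picked up this update, the following added example (not part of the original notification) compares an asterisk Version-Release string against the fixed Fedora 7 build 1.4.18.1-1.fc7 named in the notification. The function names are hypothetical, and GNU `sort -V` is assumed as an approximation of RPM's own version ordering.

```shell
#!/bin/sh
# Added example: decide whether an asterisk package predates the fixed
# Fedora 7 build announced in FEDORA-2008-2620.

FIXED="1.4.18.1-1.fc7"   # Version-Release taken from the notification

# is_fixed VERSION-RELEASE
# Returns 0 when VERSION-RELEASE is at or above $FIXED, 1 otherwise.
# Assumption: GNU `sort -V` ordering is close enough to RPM's version
# comparison for asterisk's dotted numeric versions. A plain string
# comparison would be wrong (it ranks 1.4.9 above 1.4.18.1).
is_fixed() {
    lowest=$(printf '%s\n%s\n' "$1" "$FIXED" | sort -V | head -n 1)
    [ "$lowest" = "$FIXED" ]
}

# check_asterisk
# Queries the local RPM database and prints a verdict.
# Returns 1 only when an older, unpatched build is installed.
check_asterisk() {
    installed=$(rpm -q --qf '%{VERSION}-%{RELEASE}\n' asterisk 2>/dev/null) || {
        echo "asterisk is not installed"
        return 0
    }
    if is_fixed "$installed"; then
        echo "OK: asterisk $installed is at or above $FIXED"
    else
        echo "VULNERABLE: asterisk $installed is older than $FIXED"
        return 1
    fi
}
```

Source the file and run `check_asterisk` on each Fedora 7 host; a non-zero return marks a machine that still needs `yum update asterisk`.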
Copyright © 2008, Eklektix, Inc.