-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 _______________________________________________________________________ Mandriva Linux Security Advisory MDVSA-2014:078 http://www.mandriva.com/en/support/security/ _______________________________________________________________________ Package : asterisk Date : January 16, 2014 Affected: Business Server 1.0 _______________________________________________________________________ Problem Description: Multiple vulnerabilities has been discovered and corrected in asterisk: Sending a HTTP request that is handled by Asterisk with a large number of Cookie headers could overflow the stack. You could even exhaust memory if you sent an unlimited number of headers in the request (CVE-2014-2286). An attacker can use all available file descriptors using SIP INVITE requests. Asterisk will respond with code 400, 420, or 422 for INVITEs meeting this criteria. Each INVITE meeting these conditions will leak a channel and several file descriptors. The file descriptors cannot be released without restarting Asterisk which may allow intrusion detection systems to be bypassed by sending the requests slowly (CVE-2014-2287). The updated packages has been upgraded to the 11.8.1 version which is not vulnerable to these issues. _______________________________________________________________________ References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2286 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2287 http://downloads.asterisk.org/pub/security/AST-2014-001.html http://downloads.asterisk.org/pub/security/AST-2014-002.html http://downloads.asterisk.org/pub/telephony/asterisk/asterisk-11.8.1-summary.html _______________________________________________________________________ Updated Packages: Mandriva Business Server 1/X86_64: 874dc48147428760673777cf9f0883c1 mbs1/x86_64/asterisk-11.8.1-1.1.mbs1.x86_64.rpm 754c24b57a249f5a811de9ea42491b54 mbs1/x86_64/asterisk-addons-11.8.1-1.1.mbs1.x86_64.rpm e3f76b59108f69d490ad15b0714d0199 mbs1/x86_64/asterisk-devel-11.8.1-1.1.mbs1.x86_64.rpm f74de033fc0f8253c1d9b8a2789fb527 mbs1/x86_64/asterisk-firmware-11.8.1-1.1.mbs1.x86_64.rpm 55129ac6c361daaef8da67ba7be0459c mbs1/x86_64/asterisk-gui-11.8.1-1.1.mbs1.x86_64.rpm 14d0511440107e30ae336ecdca0be59b mbs1/x86_64/asterisk-plugins-alsa-11.8.1-1.1.mbs1.x86_64.rpm 41e1faffe1723876b0c923e2fe6edd33 mbs1/x86_64/asterisk-plugins-calendar-11.8.1-1.1.mbs1.x86_64.rpm bf12035dfc03a04491da69c75b60cd12 mbs1/x86_64/asterisk-plugins-cel-11.8.1-1.1.mbs1.x86_64.rpm 95d8343789fecaffbe7c0e48f7f7dd52 mbs1/x86_64/asterisk-plugins-corosync-11.8.1-1.1.mbs1.x86_64.rpm b2abd8598301c972c87d43f231a3f38b mbs1/x86_64/asterisk-plugins-curl-11.8.1-1.1.mbs1.x86_64.rpm 283283874e245047cfdbc1942641f6d7 mbs1/x86_64/asterisk-plugins-dahdi-11.8.1-1.1.mbs1.x86_64.rpm def694a9a67a6941eb8000309a3d8714 mbs1/x86_64/asterisk-plugins-fax-11.8.1-1.1.mbs1.x86_64.rpm 9873bafb3e6b6ac8f120681f613f3cc3 mbs1/x86_64/asterisk-plugins-festival-11.8.1-1.1.mbs1.x86_64.rpm 15179ea325b192805303066fe871036e mbs1/x86_64/asterisk-plugins-ices-11.8.1-1.1.mbs1.x86_64.rpm ba2c090fba82b88b1ca4df296bd2481b mbs1/x86_64/asterisk-plugins-jabber-11.8.1-1.1.mbs1.x86_64.rpm 7cc400611598886a409fb8c88ef2c1a8 mbs1/x86_64/asterisk-plugins-jack-11.8.1-1.1.mbs1.x86_64.rpm c2154c8cc9dc2e97fe72b6813db49f6f mbs1/x86_64/asterisk-plugins-ldap-11.8.1-1.1.mbs1.x86_64.rpm 9d236fe1a49ce75c2e24e45a4909fb37 mbs1/x86_64/asterisk-plugins-lua-11.8.1-1.1.mbs1.x86_64.rpm c77efd21f409fdccdac885250401bf5b mbs1/x86_64/asterisk-plugins-minivm-11.8.1-1.1.mbs1.x86_64.rpm 854026c676dc1b1d7ef5a9a893be9577 mbs1/x86_64/asterisk-plugins-mobile-11.8.1-1.1.mbs1.x86_64.rpm 94ea8dfd0ec5c49934f9b41a05555e9e mbs1/x86_64/asterisk-plugins-mp3-11.8.1-1.1.mbs1.x86_64.rpm c1fabd448cd867adee2ca3a76dde6bfb mbs1/x86_64/asterisk-plugins-mysql-11.8.1-1.1.mbs1.x86_64.rpm 16fdb65e155295275c8030d5a49cf405 mbs1/x86_64/asterisk-plugins-ooh323-11.8.1-1.1.mbs1.x86_64.rpm 04ceda6e0f9e2cc6667ad1da79b293c4 mbs1/x86_64/asterisk-plugins-osp-11.8.1-1.1.mbs1.x86_64.rpm 7d6cabe58838c7fc78591e4be9e56f2a mbs1/x86_64/asterisk-plugins-oss-11.8.1-1.1.mbs1.x86_64.rpm c1e60796fb9c8f7f586a6442efd8451a mbs1/x86_64/asterisk-plugins-pgsql-11.8.1-1.1.mbs1.x86_64.rpm c906a6deb3b0a7175170c623857400a6 mbs1/x86_64/asterisk-plugins-pktccops-11.8.1-1.1.mbs1.x86_64.rpm 9755b277eaea6189fc748f476fb3b7b7 mbs1/x86_64/asterisk-plugins-portaudio-11.8.1-1.1.mbs1.x86_64.rpm 10dc20a29f0e93c535bd6ae2f5d7bd3f mbs1/x86_64/asterisk-plugins-radius-11.8.1-1.1.mbs1.x86_64.rpm ce94490f0722222165f39dd080983906 mbs1/x86_64/asterisk-plugins-saycountpl-11.8.1-1.1.mbs1.x86_64.rpm aede3e915a106ed25e7a34130d8661d8 mbs1/x86_64/asterisk-plugins-skinny-11.8.1-1.1.mbs1.x86_64.rpm a5a9bf5903f40542a71bd9ea7dde8590 mbs1/x86_64/asterisk-plugins-snmp-11.8.1-1.1.mbs1.x86_64.rpm bfa50fb63a88f8f86d5aefdedc683c10 mbs1/x86_64/asterisk-plugins-speex-11.8.1-1.1.mbs1.x86_64.rpm af665709f0f799289a8f4dcc3b7d2e3a mbs1/x86_64/asterisk-plugins-sqlite-11.8.1-1.1.mbs1.x86_64.rpm 62488f0a52ab46c03d6afb3028085c04 mbs1/x86_64/asterisk-plugins-tds-11.8.1-1.1.mbs1.x86_64.rpm deb26eb56468a4a6563c6356820cd908 mbs1/x86_64/asterisk-plugins-unistim-11.8.1-1.1.mbs1.x86_64.rpm 37f8d70a41006d36e4d7b4fdf818284d mbs1/x86_64/asterisk-plugins-voicemail-11.8.1-1.1.mbs1.x86_64.rpm 279a002fa68d85b4c6dd511a613cd7ef mbs1/x86_64/asterisk-plugins-voicemail-imap-11.8.1-1.1.mbs1.x86_64.rpm 8a60a940674e0d44812e68957ed28e24 mbs1/x86_64/asterisk-plugins-voicemail-plain-11.8.1-1.1.mbs1.x86_64.rpm f276cf7f4755f67438e42b1990eb9ad1 mbs1/x86_64/lib64asteriskssl1-11.8.1-1.1.mbs1.x86_64.rpm bff672404f7226e39771ea197ae43111 mbs1/SRPMS/asterisk-11.8.1-1.1.mbs1.src.rpm _______________________________________________________________________ To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing: gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98 You can view other update advisories for Mandriva Linux at: http://www.mandriva.com/en/support/security/advisories/ If you want to report vulnerabilities, please contact security_(at)_mandriva.com _______________________________________________________________________ Type Bits/KeyID Date User ID pub 1024D/22458A98 2000-07-10 Mandriva Security Team <security*mandriva.com> -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) iD4DBQFTTmmZmqjQ0CJFipgRAgZhAJiZvnPkmS1CodQe2SU6N9KH7gqrAKDexk/g PoAfzdBLpkgcjjZNAgjVGA== =81VZ -----END PGP SIGNATURE-----