[Fedora] Schwachstelle in Asterisk – FEDORA-2009-10861

[Fedora] Schwachstelle in Asterisk - FEDORA-2009-10861

Von

—–BEGIN PGP SIGNED MESSAGE—–
Hash: SHA1

Liebe Kolleginnen und Kollegen,

soeben erreichte uns nachfolgendes Fedora Security Advisory. Wir geben
diese Informationen unveraendert an Sie weiter.

Fehlende ACL Pruefung bei SIP INVITE Nachrichten

Asterisk fuehrt bei SIP INVITE Nachrichten keine Pruefung der ACL durch.
Dadurch koennen Anrufe von Netzwerken aus getaetigt werden, fuer die dies
per ACL verboten ist.

Betroffen sind die folgenden Software Pakete und Plattformen:

Paket asterisk

Fedora 11

Vom Hersteller werden ueberarbeitete Pakete zur Verfuegung gestellt.

Hersteller Advisory:
https://www.redhat.com/archives/fedora-package-announce/2009-November/msg00588.html

(c) der deutschen Zusammenfassung bei DFN-CERT Services GmbH; die
Verbreitung, auch auszugsweise, ist nur unter Hinweis auf den Urheber,
DFN-CERT Services GmbH, und nur zu nicht kommerziellen Zwecken
gestattet.

Mit freundlichen Gruessen,
Klaus Moeller, DFN-CERT

– —
Dipl. Inform. Klaus Moeller (Incident Response Team)
Phone: +49 40 808077-555, Fax: +49 40 808077-556

DFN-CERT Services GmbH, https://www.dfn-cert.de, Phone +49 40 808077-555
Sitz / Register: Hamburg, AG Hamburg, HRB 88805, Ust-IdNr.: DE 232129737
Sachsenstrase 5, 20097 Hamburg/Germany, CEO: Dr. Klaus-Peter Kossakowski

– ——————————————————————————–
Fedora Update Notification
FEDORA-2009-10861
2009-10-29 02:34:21
– ——————————————————————————–

Name : asterisk
Product : Fedora 11
Version : 1.6.1.8
Release : 1.fc11
URL : http://www.asterisk.org/
Summary : The Open Source PBX
Description :
Asterisk is a complete PBX in software. It runs on Linux and provides
all of the features you would expect from a PBX and more. Asterisk
does voice over IP in three protocols, and can interoperate with
almost all standards-based telephony equipment using relatively
inexpensive hardware.

– ——————————————————————————–
Update Information:

* Tue Oct 27 2009 Jeffrey C. Ollie – 1.6.1.8-1 – Update to
1.6.1.8 to fix bug 531199: – –
http://downloads.asterisk.org/pub/security/AST-2009-007.html – – A missing ACL
check for handling SIP INVITEs allows a device to make – calls on networks
intended to be prohibited as defined by the “deny” – and “permit” lines in
sip.conf. The ACL check for handling SIP – registrations was not affected.
Other bugs were handled by previous updates, including them here so that bodhi
will close them out.
– ——————————————————————————–
ChangeLog:

* Tue Oct 27 2009 Jeffrey C. Ollie – 1.6.1.8-1
– – Update to 1.6.1.8 to fix bug 531199:
– –
– – http://downloads.asterisk.org/pub/security/AST-2009-007.html
– –
– – A missing ACL check for handling SIP INVITEs allows a device to make
– – calls on networks intended to be prohibited as defined by the “deny”
– – and “permit” lines in sip.conf. The ACL check for handling SIP
– – registrations was not affected.
* Sat Oct 24 2009 Jeffrey C. Ollie – 1.6.1.7-0.4.rc2
– – Add an AST_EXTRA_ARGS option to the init script
– – have the init script to cd to /var/spool/asterisk to prevent annoying message
* Sat Oct 24 2009 Jeffrey C. Ollie – 1.6.1.7-0.3.rc2
– – Compile against gmime 2.2 instead of gmime 2.4 because the patch to convert the API calls from 2.2 to 2.4 caused crashes.
* Fri Oct 9 2009 Jeffrey C. Ollie – 1.6.1.7-0.2.rc2
– – Require latex2html used in static-http documents
* Thu Oct 8 2009 Jeffrey C. Ollie – 1.6.1.7-0.1.rc2
– – Update to 1.6.1.7-rc2
– – Merge firmware subpackage back into main package
– – No longer need to strip tarball since it no longer contains any non-free items
– – Tighten up permissions/ownership of config files.
– – Fix up some more paths
– – Drop unneeded patch
* Wed Sep 9 2009 Jeffrey C. Ollie – 1.6.1.6-2
– – Enable building of API docs.
– – Depend on version 1.2 or newer of speex
* Sun Sep 6 2009 Jeffrey C. Ollie – 1.6.1.6-1
– – Update to 1.6.1.6
– – Drop patches that are too troublesome to maintain anymore or have been integrated upstream.
* Tue Sep 1 2009 Jeffrey C. Ollie – 1.6.1-0.26.rc1
– – Add a patch from Quentin Armitage and rebuld.
* Fri Aug 21 2009 Tomas Mraz – 1.6.1-0.25.rc1
– – rebuilt with new openssl
* Fri Jul 24 2009 Fedora Release Engineering – 1.6.1-0.24.rc1
– – Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild
– ——————————————————————————–
References:

[ 1 ] Bug #531199 – asterisk: ACL not respected on SIP INVITE (AST-2009-007)
https://bugzilla.redhat.com/show_bug.cgi?id=531199
– ——————————————————————————–

This update can be installed with the “yum” update program. Use
su -c ‘yum update asterisk’ at the command line.
For more information, refer to “Managing Software with yum”,
available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
http://fedoraproject.org/keys
– ——————————————————————————–
—–BEGIN PGP SIGNATURE—–
Version: GnuPG v1.4.2 (GNU/Linux)

iD8DBQFLAqWWk0kIxZMiiQ8RAs4DAJ0RoyvDrcC7lZD7RN1TYzTzXArm/gCfbyHg
5sZkibkvaKb2BQcFuU+dTpE=
=yB36
—–END PGP SIGNATURE—–

© COMPUTEC MEDIA GmbH
Nach oben