[Fedora] Vulnerability in Asterisk - FEDORA-2011-14480


Dear colleagues,

We have just received the following Fedora Security Advisory. We are
passing this information on to you unchanged.

CVE-2011-4063 - Vulnerability in Asterisk

In Asterisk versions 1.8.x and 10.x, an uninitialized variable in the
file chan_sip.c causes a crash of the system while processing requests.
This allows a remote, authenticated attacker to crash the service with a
specially crafted request (denial-of-service attack).

The following software packages and platforms are affected:

Package asterisk

Fedora 15
Fedora 16

The vendor provides updated packages.

(c) of the German summary by DFN-CERT Services GmbH; distribution, in
whole or in part, is permitted only with attribution to the author,
DFN-CERT Services GmbH, and only for non-commercial purposes.

Kind regards,
Timo Schulz

-- 
Timo Schulz, M.Sc. (Incident Response Team)

DFN-CERT Services GmbH, https://www.dfn-cert.de, Phone +49 40 808077-590
Registered office / register: Hamburg, AG Hamburg, HRB 88805, VAT ID: DE 232129737
Sachsenstrasse 5, 20097 Hamburg/Germany, CEO: Dr. Klaus-Peter Kossakowski

Automatic warning messages: https://www.cert.dfn.de/autowarn

--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2011-14480
2011-10-18 07:13:58
--------------------------------------------------------------------------------

Name : asterisk
Product : Fedora 16
Version : 1.8.7.1
Release : 1.fc16
URL : http://www.asterisk.org/
Summary : The Open Source PBX
Description :
Asterisk is a complete PBX in software. It runs on Linux and provides
all of the features you would expect from a PBX and more. Asterisk
does voice over IP in three protocols, and can interoperate with
almost all standards-based telephony equipment using relatively
inexpensive hardware.

--------------------------------------------------------------------------------
Update Information:

The Asterisk Development Team has announced a security release for Asterisk 1.8.
The available security release is released as version 1.8.7.1.

This release is available for immediate download at
http://downloads.asterisk.org/pub/telephony/asterisk/releases

The release of Asterisk 1.8.7.1 resolves an issue with SIP URI parsing which can
lead to a remotely exploitable crash:

Remote Crash Vulnerability in SIP channel driver (AST-2011-012)

The issue and resolution is described in the AST-2011-012 security
advisory.

For more information about the details of this vulnerability, please read the
security advisory AST-2011-012, which was released at the same time as this
announcement.

For a full list of changes in the current release, please see the ChangeLog:

http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-1.8.7.1

Security advisory AST-2011-012 is available at:

http://downloads.asterisk.org/pub/security/AST-2011-012.pdf

--------------------------------------------------------------------------------
ChangeLog:

* Mon Oct 17 2011 Jeffrey C. Ollie – 1.8.7.1-1
- The Asterisk Development Team has announced a security release for Asterisk 1.8.
- The available security release is released as version 1.8.7.1.
-
- This release is available for immediate download at
- http://downloads.asterisk.org/pub/telephony/asterisk/releases
-
- The release of Asterisk 1.8.7.1 resolves an issue with SIP URI parsing which can
- lead to a remotely exploitable crash:
-
- Remote Crash Vulnerability in SIP channel driver (AST-2011-012)
-
- The issue and resolution is described in the AST-2011-012 security
- advisory.
-
- For more information about the details of this vulnerability, please read the
- security advisory AST-2011-012, which was released at the same time as this
- announcement.
-
- For a full list of changes in the current release, please see the ChangeLog:
-
- http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-1.8.7.1
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #746817 - CVE-2011-4063 asterisk: remote crash in SIP channel driver (AST-2011-012)
https://bugzilla.redhat.com/show_bug.cgi?id=746817
--------------------------------------------------------------------------------

This update can be installed with the "yum" update program. Use
su -c 'yum update asterisk' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.
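As an added check that is not part of the advisory or of Fedora's tooling: the following script decides whether an installed asterisk package on Fedora 16 still predates the fixed build 1.8.7.1-1.fc16 named above. It assumes the installed version string comes from `rpm -q --qf '%{VERSION}-%{RELEASE}' asterisk`, and it implements a simplified version of RPM's rpmvercmp segment comparison (tilde and caret ordering are deliberately omitted).

```python
import re
from typing import List, Tuple

# Fixed build named in FEDORA-2011-14480 for Fedora 16.
FIXED_EVR = "1.8.7.1-1.fc16"

# rpmvercmp splits a version into runs of digits and runs of letters;
# separators such as '.', '_' and '-' only delimit segments.
_SEG = re.compile(r"[0-9]+|[a-zA-Z]+")


def _segments(s: str) -> List[str]:
    return _SEG.findall(s)


def rpmvercmp(a: str, b: str) -> int:
    """Simplified rpmvercmp: -1 if a < b, 0 if equal, 1 if a > b.
    Numeric segments compare numerically, alphabetic ones lexically,
    and a numeric segment is newer than an alphabetic one."""
    if a == b:
        return 0
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            xi, yi = int(x), int(y)          # int() also drops leading zeros
            if xi != yi:
                return 1 if xi > yi else -1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        elif x != y:
            return 1 if x > y else -1
    # All shared segments equal: the string with more segments is newer.
    if len(sa) == len(sb):
        return 0
    return 1 if len(sa) > len(sb) else -1


def split_evr(evr: str) -> Tuple[int, str, str]:
    """Parse '[epoch:]version-release', e.g. '1.8.7.1-1.fc16'."""
    epoch = 0
    if ":" in evr:
        e, evr = evr.split(":", 1)
        epoch = int(e)
    version, _, release = evr.partition("-")
    return epoch, version, release


def is_vulnerable(installed_evr: str, fixed_evr: str = FIXED_EVR) -> bool:
    """True when the installed EVR sorts before the fixed EVR."""
    ie, iv, ir = split_evr(installed_evr)
    fe, fv, fr = split_evr(fixed_evr)
    if ie != fe:
        return ie < fe
    c = rpmvercmp(iv, fv)
    return c < 0 if c != 0 else rpmvercmp(ir, fr) < 0
```

A pre-release build such as 1.8.7.1-0.1.rc1.fc16 is correctly reported as still vulnerable, because its release segment "0" sorts before the fixed build's "1".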

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------

