LinuxSecurity.com
Share your story
The central voice for Linux and Open Source security news
Home News Topics Advisories HOWTOs Features Newsletters About Register

Welcome!
Sign up!
EnGarde Community
Login
Polls
What is the most important Linux security technology?
 
Advisories
Community
Linux Events
Linux User Groups
Link to Us
Security Center
Book Reviews
Security Dictionary
Security Tips
SELinux
White Papers
Featured Blogs
All About Linux
DanWalsh LiveJournal
Securitydistro
Latest Newsletters
Linux Advisory Watch: July 18th, 2014
Linux Advisory Watch: July 13th, 2014
Subscribe
LinuxSecurity Newsletters
E-mail:
Choose Lists:
About our Newsletters
RSS Feeds
Get the LinuxSecurity news you want faster with RSS
Powered By

  
Mandriva: 2014:078: asterisk Print E-mail
User Rating:      How can I rate this item?
Posted by Benjamin D. Thomas   
Mandrake Multiple vulnerabilities has been discovered and corrected in asterisk: Sending a HTTP request that is handled by Asterisk with a large number of Cookie headers could overflow the stack. You could even exhaust memory if you sent an unlimited number of headers in the request [More...]
 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2014:078
 http://www.mandriva.com/en/support/security/
 _______________________________________________________________________

 Package : asterisk
 Date    : January 16, 2014
 Affected: Business Server 1.0
 _______________________________________________________________________

 Problem Description:

 Multiple vulnerabilities has been discovered and corrected in asterisk:
 
 Sending a HTTP request that is handled by Asterisk with a large number
 of Cookie headers could overflow the stack. You could even exhaust
 memory if you sent an unlimited number of headers in the request
 (CVE-2014-2286).
 
 An attacker can use all available file descriptors using SIP INVITE
 requests. Asterisk will respond with code 400, 420, or 422 for INVITEs
 meeting this criteria. Each INVITE meeting these conditions will leak
 a channel and several file descriptors. The file descriptors cannot
 be released without restarting Asterisk which may allow intrusion
 detection systems to be bypassed by sending the requests slowly
 (CVE-2014-2287).
 
 The updated packages has been upgraded to the 11.8.1 version which
 is not vulnerable to these issues.
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2286
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2287
 http://downloads.asterisk.org/pub/security/AST-2014-001.html
 http://downloads.asterisk.org/pub/security/AST-2014-002.html
 http://downloads.asterisk.org/pub/telephony/asterisk/asterisk-11.8.1-summary.html
 _______________________________________________________________________

 Updated Packages:

 Mandriva Business Server 1/X86_64:
 874dc48147428760673777cf9f0883c1  mbs1/x86_64/asterisk-11.8.1-1.1.mbs1.x86_64.rpm
 754c24b57a249f5a811de9ea42491b54  mbs1/x86_64/asterisk-addons-11.8.1-1.1.mbs1.x86_64.rpm
 e3f76b59108f69d490ad15b0714d0199  mbs1/x86_64/asterisk-devel-11.8.1-1.1.mbs1.x86_64.rpm
 f74de033fc0f8253c1d9b8a2789fb527  mbs1/x86_64/asterisk-firmware-11.8.1-1.1.mbs1.x86_64.rpm
 55129ac6c361daaef8da67ba7be0459c  mbs1/x86_64/asterisk-gui-11.8.1-1.1.mbs1.x86_64.rpm
 14d0511440107e30ae336ecdca0be59b  mbs1/x86_64/asterisk-plugins-alsa-11.8.1-1.1.mbs1.x86_64.rpm
 41e1faffe1723876b0c923e2fe6edd33  mbs1/x86_64/asterisk-plugins-calendar-11.8.1-1.1.mbs1.x86_64.rpm
 bf12035dfc03a04491da69c75b60cd12  mbs1/x86_64/asterisk-plugins-cel-11.8.1-1.1.mbs1.x86_64.rpm
 95d8343789fecaffbe7c0e48f7f7dd52  mbs1/x86_64/asterisk-plugins-corosync-11.8.1-1.1.mbs1.x86_64.rpm
 b2abd8598301c972c87d43f231a3f38b  mbs1/x86_64/asterisk-plugins-curl-11.8.1-1.1.mbs1.x86_64.rpm
 283283874e245047cfdbc1942641f6d7  mbs1/x86_64/asterisk-plugins-dahdi-11.8.1-1.1.mbs1.x86_64.rpm
 def694a9a67a6941eb8000309a3d8714  mbs1/x86_64/asterisk-plugins-fax-11.8.1-1.1.mbs1.x86_64.rpm
 9873bafb3e6b6ac8f120681f613f3cc3  mbs1/x86_64/asterisk-plugins-festival-11.8.1-1.1.mbs1.x86_64.rpm
 15179ea325b192805303066fe871036e  mbs1/x86_64/asterisk-plugins-ices-11.8.1-1.1.mbs1.x86_64.rpm
 ba2c090fba82b88b1ca4df296bd2481b  mbs1/x86_64/asterisk-plugins-jabber-11.8.1-1.1.mbs1.x86_64.rpm
 7cc400611598886a409fb8c88ef2c1a8  mbs1/x86_64/asterisk-plugins-jack-11.8.1-1.1.mbs1.x86_64.rpm
 c2154c8cc9dc2e97fe72b6813db49f6f  mbs1/x86_64/asterisk-plugins-ldap-11.8.1-1.1.mbs1.x86_64.rpm
 9d236fe1a49ce75c2e24e45a4909fb37  mbs1/x86_64/asterisk-plugins-lua-11.8.1-1.1.mbs1.x86_64.rpm
 c77efd21f409fdccdac885250401bf5b  mbs1/x86_64/asterisk-plugins-minivm-11.8.1-1.1.mbs1.x86_64.rpm
 854026c676dc1b1d7ef5a9a893be9577  mbs1/x86_64/asterisk-plugins-mobile-11.8.1-1.1.mbs1.x86_64.rpm
 94ea8dfd0ec5c49934f9b41a05555e9e  mbs1/x86_64/asterisk-plugins-mp3-11.8.1-1.1.mbs1.x86_64.rpm
 c1fabd448cd867adee2ca3a76dde6bfb  mbs1/x86_64/asterisk-plugins-mysql-11.8.1-1.1.mbs1.x86_64.rpm
 16fdb65e155295275c8030d5a49cf405  mbs1/x86_64/asterisk-plugins-ooh323-11.8.1-1.1.mbs1.x86_64.rpm
 04ceda6e0f9e2cc6667ad1da79b293c4  mbs1/x86_64/asterisk-plugins-osp-11.8.1-1.1.mbs1.x86_64.rpm
 7d6cabe58838c7fc78591e4be9e56f2a  mbs1/x86_64/asterisk-plugins-oss-11.8.1-1.1.mbs1.x86_64.rpm
 c1e60796fb9c8f7f586a6442efd8451a  mbs1/x86_64/asterisk-plugins-pgsql-11.8.1-1.1.mbs1.x86_64.rpm
 c906a6deb3b0a7175170c623857400a6  mbs1/x86_64/asterisk-plugins-pktccops-11.8.1-1.1.mbs1.x86_64.rpm
 9755b277eaea6189fc748f476fb3b7b7  mbs1/x86_64/asterisk-plugins-portaudio-11.8.1-1.1.mbs1.x86_64.rpm
 10dc20a29f0e93c535bd6ae2f5d7bd3f  mbs1/x86_64/asterisk-plugins-radius-11.8.1-1.1.mbs1.x86_64.rpm
 ce94490f0722222165f39dd080983906  mbs1/x86_64/asterisk-plugins-saycountpl-11.8.1-1.1.mbs1.x86_64.rpm
 aede3e915a106ed25e7a34130d8661d8  mbs1/x86_64/asterisk-plugins-skinny-11.8.1-1.1.mbs1.x86_64.rpm
 a5a9bf5903f40542a71bd9ea7dde8590  mbs1/x86_64/asterisk-plugins-snmp-11.8.1-1.1.mbs1.x86_64.rpm
 bfa50fb63a88f8f86d5aefdedc683c10  mbs1/x86_64/asterisk-plugins-speex-11.8.1-1.1.mbs1.x86_64.rpm
 af665709f0f799289a8f4dcc3b7d2e3a  mbs1/x86_64/asterisk-plugins-sqlite-11.8.1-1.1.mbs1.x86_64.rpm
 62488f0a52ab46c03d6afb3028085c04  mbs1/x86_64/asterisk-plugins-tds-11.8.1-1.1.mbs1.x86_64.rpm
 deb26eb56468a4a6563c6356820cd908  mbs1/x86_64/asterisk-plugins-unistim-11.8.1-1.1.mbs1.x86_64.rpm
 37f8d70a41006d36e4d7b4fdf818284d  mbs1/x86_64/asterisk-plugins-voicemail-11.8.1-1.1.mbs1.x86_64.rpm
 279a002fa68d85b4c6dd511a613cd7ef  mbs1/x86_64/asterisk-plugins-voicemail-imap-11.8.1-1.1.mbs1.x86_64.rpm
 8a60a940674e0d44812e68957ed28e24  mbs1/x86_64/asterisk-plugins-voicemail-plain-11.8.1-1.1.mbs1.x86_64.rpm
 f276cf7f4755f67438e42b1990eb9ad1  mbs1/x86_64/lib64asteriskssl1-11.8.1-1.1.mbs1.x86_64.rpm 
 bff672404f7226e39771ea197ae43111  mbs1/SRPMS/asterisk-11.8.1-1.1.mbs1.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/en/support/security/advisories/

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________
 
< Prev   Next >
    
Partner

 

Latest Features
Peter Smith Releases Linux Network Security Online
Securing a Linux Web Server
Password guessing with Medusa 2.0
Password guessing as an attack vector
Squid and Digest Authentication
Squid and Basic Authentication
Demystifying the Chinese Hacking Industry: Earning 6 Million a Night
Free Online security course (LearnSIA) - A Call for Help
What You Need to Know About Linux Rootkits
Review: A Practical Guide to Fedora and Red Hat Enterprise Linux - Fifth Edition
Yesterday's Edition
Home router security holes to be exposed at Def Con 22 hacker meet up
Edward Snowden Calls on Hackers to Help Whistleblowers Leak More Secrets
Partner Sponsor

Community | HOWTOs | Blogs | Features | Book Reviews | Networking
 Security Projects |  Latest News |  Newsletters |  SELinux |  Privacy |  Home
 Hardening |   About Us |   Advertise |   Legal Notice |   RSS |   Guardian Digital
(c)Copyright 2014 Guardian Digital, Inc. All rights reserved.