Bug 13604

Summary: asterisk new security issues CVE-2014-4046 and CVE-2014-4047
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: dpremy, mageia, sysadmin-bugs
Version: 4Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/603752/
Whiteboard: MGA3TOO has_procedure advisory mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok
Source RPM: asterisk-11.8.1-1.mga4.src.rpm CVE:
Status comment:

Description David Walser 2014-06-27 18:36:36 CEST 
Gentoo has issued an advisory on June 25:
http://www.gentoo.org/security/en/glsa/glsa-201406-25.xml

The issues are fixed upstream in 11.10.1 according to the upstream advisories:
http://downloads.asterisk.org/pub/security/AST-2014-006.html
http://downloads.asterisk.org/pub/security/AST-2014-007.html

Note that we are not affected by AST-2014-005 and AST-2014-008 as they only affect 12.x.

Mageia 3 and Mageia 4 are also affected.

Reproducible: 

Steps to Reproduce:
David Walser 2014-06-27 18:36:47 CEST

Whiteboard: (none) => MGA4TOO, MGA3TOO

Comment 1 Oden Eriksson 2014-07-11 12:26:11 CEST 
11.11.0 has been submitted to mga3, mga4 and cauldron.
Comment 2 David Walser 2014-07-11 18:30:51 CEST 
Thanks Oden.

Advisory:
========================

Updated asterisk packages fix security vulnerabilities:

Asterisk Open Source 11.x before 11.10.1 and 12.x before 12.3.1 and
Certified Asterisk 11.6 before 11.6-cert3 allows remote authenticated
Manager users to execute arbitrary shell commands via a MixMonitor
action (CVE-2014-4046).

Asterisk Open Source 1.8.x before 1.8.28.1, 11.x before 11.10.1, and
12.x before 12.3.1 and Certified Asterisk 1.8.15 before 1.8.15-cert6
and 11.6 before 11.6-cert3 allows remote attackers to cause a denial of
service (connection consumption) via a large number of (1) inactive or
(2) incomplete HTTP connections (CVE-2014-4047).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4046
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4047
http://downloads.asterisk.org/pub/security/AST-2014-006.html
http://downloads.asterisk.org/pub/security/AST-2014-007.html
http://downloads.asterisk.org/pub/telephony/asterisk/asterisk-11.11.0-summary.html
http://www.mandriva.com/en/support/security/advisories/mbs1/MDVSA-2014:138/
========================

Updated packages in core/updates_testing:
========================
asterisk-11.11.0-1.mga3
libasteriskssl1-11.11.0-1.mga3
asterisk-addons-11.11.0-1.mga3
asterisk-firmware-11.11.0-1.mga3
asterisk-devel-11.11.0-1.mga3
asterisk-plugins-corosync-11.11.0-1.mga3
asterisk-plugins-alsa-11.11.0-1.mga3
asterisk-plugins-calendar-11.11.0-1.mga3
asterisk-plugins-cel-11.11.0-1.mga3
asterisk-plugins-curl-11.11.0-1.mga3
asterisk-plugins-dahdi-11.11.0-1.mga3
asterisk-plugins-fax-11.11.0-1.mga3
asterisk-plugins-festival-11.11.0-1.mga3
asterisk-plugins-ices-11.11.0-1.mga3
asterisk-plugins-jabber-11.11.0-1.mga3
asterisk-plugins-jack-11.11.0-1.mga3
asterisk-plugins-lua-11.11.0-1.mga3
asterisk-plugins-ldap-11.11.0-1.mga3
asterisk-plugins-minivm-11.11.0-1.mga3
asterisk-plugins-mobile-11.11.0-1.mga3
asterisk-plugins-mp3-11.11.0-1.mga3
asterisk-plugins-mysql-11.11.0-1.mga3
asterisk-plugins-ooh323-11.11.0-1.mga3
asterisk-plugins-oss-11.11.0-1.mga3
asterisk-plugins-pktccops-11.11.0-1.mga3
asterisk-plugins-portaudio-11.11.0-1.mga3
asterisk-plugins-pgsql-11.11.0-1.mga3
asterisk-plugins-radius-11.11.0-1.mga3
asterisk-plugins-saycountpl-11.11.0-1.mga3
asterisk-plugins-skinny-11.11.0-1.mga3
asterisk-plugins-snmp-11.11.0-1.mga3
asterisk-plugins-speex-11.11.0-1.mga3
asterisk-plugins-sqlite-11.11.0-1.mga3
asterisk-plugins-tds-11.11.0-1.mga3
asterisk-plugins-osp-11.11.0-1.mga3
asterisk-plugins-unistim-11.11.0-1.mga3
asterisk-plugins-voicemail-11.11.0-1.mga3
asterisk-plugins-voicemail-imap-11.11.0-1.mga3
asterisk-plugins-voicemail-plain-11.11.0-1.mga3
asterisk-gui-11.11.0-1.mga3
asterisk-11.11.0-1.mga4
libasteriskssl1-11.11.0-1.mga4
asterisk-addons-11.11.0-1.mga4
asterisk-firmware-11.11.0-1.mga4
asterisk-devel-11.11.0-1.mga4
asterisk-plugins-corosync-11.11.0-1.mga4
asterisk-plugins-alsa-11.11.0-1.mga4
asterisk-plugins-calendar-11.11.0-1.mga4
asterisk-plugins-cel-11.11.0-1.mga4
asterisk-plugins-curl-11.11.0-1.mga4
asterisk-plugins-dahdi-11.11.0-1.mga4
asterisk-plugins-fax-11.11.0-1.mga4
asterisk-plugins-festival-11.11.0-1.mga4
asterisk-plugins-ices-11.11.0-1.mga4
asterisk-plugins-jabber-11.11.0-1.mga4
asterisk-plugins-jack-11.11.0-1.mga4
asterisk-plugins-lua-11.11.0-1.mga4
asterisk-plugins-ldap-11.11.0-1.mga4
asterisk-plugins-minivm-11.11.0-1.mga4
asterisk-plugins-mobile-11.11.0-1.mga4
asterisk-plugins-mp3-11.11.0-1.mga4
asterisk-plugins-mysql-11.11.0-1.mga4
asterisk-plugins-ooh323-11.11.0-1.mga4
asterisk-plugins-oss-11.11.0-1.mga4
asterisk-plugins-pktccops-11.11.0-1.mga4
asterisk-plugins-portaudio-11.11.0-1.mga4
asterisk-plugins-pgsql-11.11.0-1.mga4
asterisk-plugins-radius-11.11.0-1.mga4
asterisk-plugins-saycountpl-11.11.0-1.mga4
asterisk-plugins-skinny-11.11.0-1.mga4
asterisk-plugins-snmp-11.11.0-1.mga4
asterisk-plugins-speex-11.11.0-1.mga4
asterisk-plugins-sqlite-11.11.0-1.mga4
asterisk-plugins-tds-11.11.0-1.mga4
asterisk-plugins-osp-11.11.0-1.mga4
asterisk-plugins-unistim-11.11.0-1.mga4
asterisk-plugins-voicemail-11.11.0-1.mga4
asterisk-plugins-voicemail-imap-11.11.0-1.mga4
asterisk-plugins-voicemail-plain-11.11.0-1.mga4
asterisk-gui-11.11.0-1.mga4

from SRPMS:
asterisk-11.11.0-1.mga3.src.rpm
asterisk-11.11.0-1.mga4.src.rpm

Version: Cauldron => 4
Assignee: oe => qa-bugs
Whiteboard: MGA4TOO, MGA3TOO => MGA3TOO

Comment 3 claire robinson 2014-07-14 18:58:23 CEST 
Procedure: https://bugs.mageia.org/show_bug.cgi?id=11094#c5

Whiteboard: MGA3TOO => MGA3TOO has_procedure

Comment 4 David Remy 2014-07-14 21:39:17 CEST 
Tested on mga4-64 and ran 'core show help' with no errors.

CC: (none) => dpremy
Whiteboard: MGA3TOO has_procedure => MGA3TOO has_procedure mga4-64-ok

Comment 5 claire robinson 2014-07-18 16:09:31 CEST 
Testing complete mga4 32.

Tested with the procedure in comment 3

Whiteboard: MGA3TOO has_procedure mga4-64-ok => MGA3TOO has_procedure mga4-32-ok mga4-64-ok

Comment 6 claire robinson 2014-07-18 17:22:26 CEST 
Testing complete mga3 64

Whiteboard: MGA3TOO has_procedure mga4-32-ok mga4-64-ok => MGA3TOO has_procedure mga3-64-ok mga4-32-ok mga4-64-ok

Comment 7 claire robinson 2014-07-18 17:42:11 CEST 
Testing complete mga3 32

Validating. Advisory uploaded.

Could sysadmin please push to 3 & 4 updates

Thanks

Keywords: (none) => validated_update
Whiteboard: MGA3TOO has_procedure mga3-64-ok mga4-32-ok mga4-64-ok => MGA3TOO has_procedure advisory mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok
CC: (none) => sysadmin-bugs

Comment 8 Colin Guthrie 2014-07-26 14:52:49 CEST 
Update pushed.

http://advisories.mageia.org/MGASA-2014-0300.html

Status: NEW => RESOLVED
CC: (none) => mageia
Resolution: (none) => FIXED