| Summary: | asterisk new security issue CVE-2014-9374 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | herman.viaene, oe, sysadmin-bugs, wilcal.int |
| Version: | 4 | Keywords: | validated_update |
| Target Milestone: | --- | ||
| Hardware: | i586 | ||
| OS: | Linux | ||
| URL: | http://lwn.net/Vulnerabilities/628109/ | ||
| Whiteboard: | has_procedure advisory MGA4-64-OK MGA4-32-OK | ||
| Source RPM: | asterisk-11.14.1-1.mga4.src.rpm | CVE: | |
| Status comment: | |||
|
Description

David Walser 2014-12-30 17:22:39 CET

David Walser 2014-12-30 17:23:03 CET
Blocks: (none) => 14674

11.14.2 has been submitted to mga4. Someone needs to submit 11.14.2 for cauldron.

Thanks Oden! Freeze push request sent for Cauldron.

Testing procedure: https://bugs.mageia.org/show_bug.cgi?id=11094#c5

Advisory:
========================

Updated asterisk packages fix security vulnerability:

Double free vulnerability in the WebSocket Server (res_http_websocket module) in Asterisk Open Source 11.x before 11.14.2 allows remote attackers to cause a denial of service (crash) by sending a zero length frame after a non-zero length frame (CVE-2014-9374).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9374
http://downloads.asterisk.org/pub/security/AST-2014-019.html
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-11.14.2
http://downloads.asterisk.org/pub/telephony/asterisk/asterisk-11.14.2-summary.html
http://www.gentoo.org/security/en/glsa/glsa-201412-51.xml
========================

Updated packages in core/updates_testing:
========================
asterisk-11.14.2-1.mga4
libasteriskssl1-11.14.2-1.mga4
asterisk-addons-11.14.2-1.mga4
asterisk-firmware-11.14.2-1.mga4
asterisk-devel-11.14.2-1.mga4
asterisk-plugins-corosync-11.14.2-1.mga4
asterisk-plugins-alsa-11.14.2-1.mga4
asterisk-plugins-calendar-11.14.2-1.mga4
asterisk-plugins-cel-11.14.2-1.mga4
asterisk-plugins-curl-11.14.2-1.mga4
asterisk-plugins-dahdi-11.14.2-1.mga4
asterisk-plugins-fax-11.14.2-1.mga4
asterisk-plugins-festival-11.14.2-1.mga4
asterisk-plugins-ices-11.14.2-1.mga4
asterisk-plugins-jabber-11.14.2-1.mga4
asterisk-plugins-jack-11.14.2-1.mga4
asterisk-plugins-lua-11.14.2-1.mga4
asterisk-plugins-ldap-11.14.2-1.mga4
asterisk-plugins-minivm-11.14.2-1.mga4
asterisk-plugins-mobile-11.14.2-1.mga4
asterisk-plugins-mp3-11.14.2-1.mga4
asterisk-plugins-mysql-11.14.2-1.mga4
asterisk-plugins-ooh323-11.14.2-1.mga4
asterisk-plugins-oss-11.14.2-1.mga4
asterisk-plugins-pktccops-11.14.2-1.mga4
asterisk-plugins-portaudio-11.14.2-1.mga4
asterisk-plugins-pgsql-11.14.2-1.mga4
asterisk-plugins-radius-11.14.2-1.mga4
asterisk-plugins-saycountpl-11.14.2-1.mga4
asterisk-plugins-skinny-11.14.2-1.mga4
asterisk-plugins-snmp-11.14.2-1.mga4
asterisk-plugins-speex-11.14.2-1.mga4
asterisk-plugins-sqlite-11.14.2-1.mga4
asterisk-plugins-tds-11.14.2-1.mga4
asterisk-plugins-osp-11.14.2-1.mga4
asterisk-plugins-unistim-11.14.2-1.mga4
asterisk-plugins-voicemail-11.14.2-1.mga4
asterisk-plugins-voicemail-imap-11.14.2-1.mga4
asterisk-plugins-voicemail-plain-11.14.2-1.mga4
asterisk-gui-11.14.2-1.mga4

from asterisk-11.14.2-1.mga4.src.rpm
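The bug class in the advisory above, modelled as an added example in C (a constructed minimal frame reader, not Asterisk's res_http_websocket code and not part of this bug report): the unfixed path releases the buffered payload when a zero-length frame follows a non-zero-length one but leaves the pointer dangling, so connection teardown frees it a second time; the fixed path clears the pointer. A free() wrapper counts the second free instead of letting it reach the allocator.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed model of a WebSocket frame reader (not Asterisk's res_http_websocket
 * code): it reproduces only the bug class the advisory describes. */
struct ws_conn {
    char *payload;        /* buffered payload of the last non-empty frame */
    size_t payload_len;
};
/* free() wrapper: a second free of an already released address is counted
 * instead of reaching the allocator, so the demo cannot corrupt the heap. */
static void *freed[16];
static int nfreed, double_frees;

static void tracked_free(void *p) {
    if (!p) return;
    for (int i = 0; i < nfreed; i++)
        if (freed[i] == p) { double_frees++; return; }  /* real code: double free */
    if (nfreed < 16) freed[nfreed++] = p;
    free(p);
}

/* Handle one frame of len bytes. With fixed == 0 an empty frame releases the
 * buffer but leaves the pointer dangling; with fixed == 1 it also clears it. */
static void ws_read_frame(struct ws_conn *c, const char *data, size_t len, int fixed) {
    if (len == 0) {
        tracked_free(c->payload);
        if (fixed) { c->payload = NULL; c->payload_len = 0; }
        return;
    }
    tracked_free(c->payload);           /* replace any previous payload */
    c->payload = malloc(len);
    memcpy(c->payload, data, len);
    c->payload_len = len;
}

/* Connection teardown releases whatever is still buffered. */
static void ws_close(struct ws_conn *c) {
    tracked_free(c->payload);
    c->payload = NULL;
}

/* Replay "non-empty frame, zero-length frame, close" and return how many
 * double frees the tracker observed: 1 on the buggy path, 0 when fixed. */
int simulate(int fixed) {
    struct ws_conn c = { NULL, 0 };
    nfreed = 0; double_frees = 0;
    ws_read_frame(&c, "hello", 5, fixed);
    ws_read_frame(&c, "", 0, fixed);
    ws_close(&c);
    return double_frees;
}
```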
CC: (none) => oe

MGA4-64 on HP Probook 6555b KDE
Followed PoC as in Comment 2, Commands seem to run OK.

CC: (none) => herman.viaene

MGA-32 on AcerD620 Xfce
Followed PoC as in Comment 2, Commands seem to run OK.

Whiteboard: has_procedure MGA4-64-OK => has_procedure MGA4-64-OK MGA-32-OK

This package requires intimate knowledge of its operation plus supporting hardware. It can only be ensured that it initially installs, then updates, cleanly.

CC: (none) => wilcal.int

In VirtualBox, M4, KDE, 32-bit

Package(s) under test: asterisk asterisk-firmware asterisk-plugins-pktccops libasteriskssl1

default install of asterisk-firmware asterisk-plugins-pktccops and libasteriskssl1

[root@localhost wilcal]# urpmi asterisk
Package asterisk-11.14.1-1.mga4.i586 is already installed
[root@localhost wilcal]# urpmi asterisk-firmware
Package asterisk-firmware-11.14.1-1.mga4.i586 is already installed
[root@localhost wilcal]# urpmi asterisk-plugins-pktccops
Package asterisk-plugins-pktccops-11.14.1-1.mga4.i586 is already installed
[root@localhost wilcal]# urpmi libasteriskssl1
Package libasteriskssl1-11.14.1-1.mga4.i586 is already installed

install asterisk asterisk-firmware asterisk-plugins-pktccops and libasteriskssl1 from updates_testing

[root@localhost wilcal]# urpmi asterisk
Package asterisk-11.14.2-1.mga4.i586 is already installed
[root@localhost wilcal]# urpmi asterisk-firmware
Package asterisk-firmware-11.14.2-1.mga4.i586 is already installed
[root@localhost wilcal]# urpmi asterisk-plugins-pktccops
Package asterisk-plugins-pktccops-11.14.2-1.mga4.i586 is already installed
[root@localhost wilcal]# urpmi libasteriskssl1
Package libasteriskssl1-11.14.2-1.mga4.i586 is already installed

Packages install without errors

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64

We usually ensure it works interactively Bill.

Procedure: https://bugs.mageia.org/show_bug.cgi?id=11094#c5

In VirtualBox, M4, KDE, 64-bit

Package(s) under test: asterisk asterisk-firmware asterisk-plugins-pktccops lib64asteriskssl1

default install of asterisk-firmware asterisk-plugins-pktccops and lib64asteriskssl1

[root@localhost wilcal]# urpmi asterisk
Package asterisk-11.14.1-1.mga4.x86_64 is already installed
[root@localhost wilcal]# urpmi asterisk-firmware
Package asterisk-firmware-11.14.1-1.mga4.x86_64 is already installed
[root@localhost wilcal]# urpmi asterisk-plugins-pktccops
Package asterisk-plugins-pktccops-11.14.1-1.mga4.x86_64 is already installed
[root@localhost wilcal]# urpmi lib64asteriskssl1
Package lib64asteriskssl1-11.14.1-1.mga4.x86_64 is already installed
[root@localhost wilcal]# asterisk -r
Asterisk 11.14.1, Copyright (C) 1999 - 2013 Digium, Inc. and others.
Created by Mark Spencer <markster@digium.com>
Asterisk comes with ABSOLUTELY NO WARRANTY; type 'core show warranty' for details....
localhost*CLI> core show warranty
NO WARRANTY
BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES.....

install asterisk asterisk-firmware asterisk-plugins-pktccops and lib64asteriskssl1 from updates_testing

[root@localhost wilcal]# urpmi asterisk
Package asterisk-11.14.2-1.mga4.x86_64 is already installed
[root@localhost wilcal]# urpmi asterisk-firmware
Package asterisk-firmware-11.14.2-1.mga4.x86_64 is already installed
[root@localhost wilcal]# urpmi asterisk-plugins-pktccops
Package asterisk-plugins-pktccops-11.14.2-1.mga4.x86_64 is already installed
[root@localhost wilcal]# urpmi lib64asteriskssl1
Package lib64asteriskssl1-11.14.2-1.mga4.x86_64 is already installed

Packages install without errors

[root@localhost wilcal]# asterisk -r
Asterisk 11.14.2, Copyright (C) 1999 - 2013 Digium, Inc. and others.
Created by Mark Spencer <markster@digium.com>
Asterisk comes with ABSOLUTELY NO WARRANTY; type 'core show warranty' for details....
localhost*CLI> core show warranty
NO WARRANTY
BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES.....

In VirtualBox, M4, KDE, 32-bit

[root@localhost wilcal]# urpmi asterisk
Package asterisk-11.14.2-1.mga4.x86_64 is already installed
[root@localhost wilcal]# asterisk -r
Asterisk 11.14.2, Copyright (C) 1999 - 2013 Digium, Inc. and others.
Created by Mark Spencer <markster@digium.com>
Asterisk comes with ABSOLUTELY NO WARRANTY; type 'core show warranty' for details....
localhost*CLI> core show warranty
NO WARRANTY
BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES.....

This update works fine.

Testing complete for mga4 32-bit & 64-bit

Validating the update. Could someone from the sysadmin team push this to updates. Thanks

Keywords: (none) => validated_update

William Kenney 2015-01-04 18:20:53 CET
Whiteboard: has_procedure MGA4-64-OK MGA-32-OK => has_procedure MGA4-64-OK MGA4-32-OK

Advisory uploaded.

Whiteboard: has_procedure MGA4-64-OK MGA4-32-OK => has_procedure advisory MGA4-64-OK MGA4-32-OK

An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0010.html

Status: NEW => RESOLVED