Fedora has issued an advisory on March 12:
https://lists.fedoraproject.org/pipermail/package-announce/2014-March/130426.html

Mageia 3 is affected by the last two 2013 advisories linked there:
http://downloads.asterisk.org/pub/security/AST-2013-006.html
http://downloads.asterisk.org/pub/security/AST-2013-007.html

Mageia 3, Mageia 4, and Cauldron are affected by the first two 2014 advisories:
http://downloads.asterisk.org/pub/security/AST-2014-001.html
http://downloads.asterisk.org/pub/security/AST-2014-002.html

The issues are fixed in 11.8.1. We are not affected by AST-2014-003 or AST-2014-004 as they only affect 12.x.

Reproducible:

Steps to Reproduce:
Whiteboard: (none) => MGA4TOO, MGA3TOO
Updated packages uploaded by Oden for Mageia 3, Mageia 4, and Cauldron.

Advisory (Mageia 3):
========================

Updated asterisk packages fix security vulnerabilities:

In Asterisk before 11.6.1, a 16 bit SMS message that contains an odd message length value will cause the message decoding loop to run forever. The message buffer is not on the stack but will be overflowed resulting in corrupted memory and an immediate crash (CVE-2013-7100).

In Asterisk before 11.6.1, external control protocols, such as the Asterisk Manager Interface, often have the ability to get and set channel variables; this allows the execution of dialplan functions. Reading the SHELL() function can execute arbitrary commands on the system Asterisk is running on. Writing to the FILE() function can change any file that Asterisk has write access to. When these functions are executed from an external protocol, that execution could result in a privilege escalation (AST-2013-007).

In Asterisk before 11.8.1, sending an HTTP request that is handled by Asterisk with a large number of Cookie headers could overflow the stack. You could even exhaust memory if you sent an unlimited number of headers in the request (CVE-2014-2286).

In Asterisk before 11.8.1, an attacker can use all available file descriptors using SIP INVITE requests. Each INVITE meeting certain conditions will leak a channel and several file descriptors. The file descriptors cannot be released without restarting Asterisk, which may allow intrusion detection systems to be bypassed by sending the requests slowly (CVE-2014-2287).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7100
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2286
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2287
http://downloads.asterisk.org/pub/security/AST-2013-006.html
http://downloads.asterisk.org/pub/security/AST-2013-007.html
http://downloads.asterisk.org/pub/security/AST-2014-001.html
http://downloads.asterisk.org/pub/security/AST-2014-002.html
========================

Updated packages in core/updates_testing:
========================
asterisk-11.8.1-1.mga3
libasteriskssl1-11.8.1-1.mga3
asterisk-addons-11.8.1-1.mga3
asterisk-firmware-11.8.1-1.mga3
asterisk-devel-11.8.1-1.mga3
asterisk-plugins-corosync-11.8.1-1.mga3
asterisk-plugins-alsa-11.8.1-1.mga3
asterisk-plugins-calendar-11.8.1-1.mga3
asterisk-plugins-cel-11.8.1-1.mga3
asterisk-plugins-curl-11.8.1-1.mga3
asterisk-plugins-dahdi-11.8.1-1.mga3
asterisk-plugins-fax-11.8.1-1.mga3
asterisk-plugins-festival-11.8.1-1.mga3
asterisk-plugins-ices-11.8.1-1.mga3
asterisk-plugins-jabber-11.8.1-1.mga3
asterisk-plugins-jack-11.8.1-1.mga3
asterisk-plugins-lua-11.8.1-1.mga3
asterisk-plugins-ldap-11.8.1-1.mga3
asterisk-plugins-minivm-11.8.1-1.mga3
asterisk-plugins-mobile-11.8.1-1.mga3
asterisk-plugins-mp3-11.8.1-1.mga3
asterisk-plugins-mysql-11.8.1-1.mga3
asterisk-plugins-ooh323-11.8.1-1.mga3
asterisk-plugins-oss-11.8.1-1.mga3
asterisk-plugins-pktccops-11.8.1-1.mga3
asterisk-plugins-portaudio-11.8.1-1.mga3
asterisk-plugins-pgsql-11.8.1-1.mga3
asterisk-plugins-radius-11.8.1-1.mga3
asterisk-plugins-saycountpl-11.8.1-1.mga3
asterisk-plugins-skinny-11.8.1-1.mga3
asterisk-plugins-snmp-11.8.1-1.mga3
asterisk-plugins-speex-11.8.1-1.mga3
asterisk-plugins-sqlite-11.8.1-1.mga3
asterisk-plugins-tds-11.8.1-1.mga3
asterisk-plugins-osp-11.8.1-1.mga3
asterisk-plugins-unistim-11.8.1-1.mga3
asterisk-plugins-voicemail-11.8.1-1.mga3
asterisk-plugins-voicemail-imap-11.8.1-1.mga3
asterisk-plugins-voicemail-plain-11.8.1-1.mga3
asterisk-gui-11.8.1-1.mga3

from asterisk-11.8.1-1.mga3.src.rpm

Advisory (Mageia 4):
========================

Updated asterisk packages fix security vulnerabilities:

In Asterisk before 11.8.1, sending an HTTP request that is handled by Asterisk with a large number of Cookie headers could overflow the stack. You could even exhaust memory if you sent an unlimited number of headers in the request (CVE-2014-2286).

In Asterisk before 11.8.1, an attacker can use all available file descriptors using SIP INVITE requests. Each INVITE meeting certain conditions will leak a channel and several file descriptors. The file descriptors cannot be released without restarting Asterisk, which may allow intrusion detection systems to be bypassed by sending the requests slowly (CVE-2014-2287).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2286
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2287
http://downloads.asterisk.org/pub/security/AST-2014-001.html
http://downloads.asterisk.org/pub/security/AST-2014-002.html
========================

Updated packages in core/updates_testing:
========================
asterisk-11.8.1-1.mga4
libasteriskssl1-11.8.1-1.mga4
asterisk-addons-11.8.1-1.mga4
asterisk-firmware-11.8.1-1.mga4
asterisk-devel-11.8.1-1.mga4
asterisk-plugins-corosync-11.8.1-1.mga4
asterisk-plugins-alsa-11.8.1-1.mga4
asterisk-plugins-calendar-11.8.1-1.mga4
asterisk-plugins-cel-11.8.1-1.mga4
asterisk-plugins-curl-11.8.1-1.mga4
asterisk-plugins-dahdi-11.8.1-1.mga4
asterisk-plugins-fax-11.8.1-1.mga4
asterisk-plugins-festival-11.8.1-1.mga4
asterisk-plugins-ices-11.8.1-1.mga4
asterisk-plugins-jabber-11.8.1-1.mga4
asterisk-plugins-jack-11.8.1-1.mga4
asterisk-plugins-lua-11.8.1-1.mga4
asterisk-plugins-ldap-11.8.1-1.mga4
asterisk-plugins-minivm-11.8.1-1.mga4
asterisk-plugins-mobile-11.8.1-1.mga4
asterisk-plugins-mp3-11.8.1-1.mga4
asterisk-plugins-mysql-11.8.1-1.mga4
asterisk-plugins-ooh323-11.8.1-1.mga4
asterisk-plugins-oss-11.8.1-1.mga4
asterisk-plugins-pktccops-11.8.1-1.mga4
asterisk-plugins-portaudio-11.8.1-1.mga4
asterisk-plugins-pgsql-11.8.1-1.mga4
asterisk-plugins-radius-11.8.1-1.mga4
asterisk-plugins-saycountpl-11.8.1-1.mga4
asterisk-plugins-skinny-11.8.1-1.mga4
asterisk-plugins-snmp-11.8.1-1.mga4
asterisk-plugins-speex-11.8.1-1.mga4
asterisk-plugins-sqlite-11.8.1-1.mga4
asterisk-plugins-tds-11.8.1-1.mga4
asterisk-plugins-osp-11.8.1-1.mga4
asterisk-plugins-unistim-11.8.1-1.mga4
asterisk-plugins-voicemail-11.8.1-1.mga4
asterisk-plugins-voicemail-imap-11.8.1-1.mga4
asterisk-plugins-voicemail-plain-11.8.1-1.mga4
asterisk-gui-11.8.1-1.mga4

from asterisk-11.8.1-1.mga4.src.rpm
CC: (none) => oe
Version: Cauldron => 4
Assignee: oe => qa-bugs
Whiteboard: MGA4TOO, MGA3TOO => MGA3TOO
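The advisory above gives the fixed build (asterisk-11.8.1-1 for both Mageia 3 and Mageia 4) and the bug report states which upstream advisories apply to each release. A practical defender's check is to take the package strings that `rpm -q asterisk` or `urpmi` prints (the QA comments in this bug show lines such as "Package asterisk-11.7.0-1.mga3.i586 is already installed") and decide whether a host is still exposed. The following is an added example written for this page, not code from Mageia or from the bug; the NEVRA parsing, the simplified rpm-style version comparison (`rpmvercmp` here is a hypothetical reimplementation, not the real librpm function), and the sample package strings are assumptions constructed from the values quoted in this thread.

```python
import re

# Fixed builds as stated in the advisory text in this bug (version, release).
FIXED_BUILDS = {
    "mga3": ("11.8.1", "1"),
    "mga4": ("11.8.1", "1"),
}

# Upstream advisories that apply to each release, as stated in the bug report.
ADVISORIES = {
    "mga3": ["AST-2013-006", "AST-2013-007", "AST-2014-001", "AST-2014-002"],
    "mga4": ["AST-2014-001", "AST-2014-002"],
}

# name-version-release.mgaN.arch ; the name itself may contain hyphens
# (asterisk-plugins-alsa), so version and release are the last two
# hyphen-separated fields before the distribution tag.
_NEVRA = re.compile(
    r"^(?P<name>.+)-(?P<version>[^-]+)-(?P<release>[^-]+)"
    r"\.(?P<dist>mga\d+)\.(?P<arch>[^.]+)$"
)


def parse_nevra(pkg: str) -> dict:
    """Split 'asterisk-11.8.1-1.mga3.x86_64' into name/version/release/dist/arch."""
    m = _NEVRA.match(pkg)
    if not m:
        raise ValueError(f"not a Mageia package string: {pkg!r}")
    return m.groupdict()


def _segments(s: str) -> list:
    # rpm compares alternating runs of digits and letters; digit runs numerically.
    return re.findall(r"\d+|[A-Za-z]+", s)


def rpmvercmp(a: str, b: str) -> int:
    """Simplified rpm-style comparison (hypothetical; ignores '~' and epochs).

    Returns -1, 0 or 1 like strcmp. Sufficient for the plain x.y.z-N tags here.
    """
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return 1 if int(x) > int(y) else -1
        elif x.isdigit() != y.isdigit():
            # rpm treats a numeric segment as newer than an alphabetic one.
            return 1 if x.isdigit() else -1
        elif x != y:
            return 1 if x > y else -1
    # All shared segments equal: the string with more segments is newer.
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def is_fixed(pkg: str) -> bool:
    """True when the installed asterisk build is at or past the advisory's fix."""
    f = parse_nevra(pkg)
    if f["name"] != "asterisk":
        raise ValueError(f"expected the asterisk package, got {f['name']!r}")
    fixed = FIXED_BUILDS.get(f["dist"])
    if fixed is None:
        raise ValueError(f"no fixed build known for {f['dist']}")
    c = rpmvercmp(f["version"], fixed[0])
    if c == 0:
        c = rpmvercmp(f["release"], fixed[1])
    return c >= 0


def outstanding_advisories(pkg: str) -> list:
    """Upstream advisories still unpatched on a host running this build."""
    f = parse_nevra(pkg)
    return [] if is_fixed(pkg) else list(ADVISORIES[f["dist"]])


if __name__ == "__main__":
    # Constructed sample: the "already installed" lines quoted in the QA comments.
    samples = [
        "asterisk-11.7.0-1.mga3.i586",
        "asterisk-11.8.1-1.mga3.x86_64",
        "asterisk-11.7.0-2.mga4.i586",
        "asterisk-11.8.1-1.mga4.x86_64",
    ]
    for s in samples:
        status = "fixed" if is_fixed(s) else "VULNERABLE"
        print(f"{s:32} {status:10} {' '.join(outstanding_advisories(s))}")
```

Feeding the four package strings from the QA comments reports the two 11.7.0 builds as still exposed (with the per-release advisory list) and the two 11.8.1-1 builds as fixed; a newer release number such as 11.8.1-2 also counts as fixed because the release field is compared only when the versions tie.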
In VirtualBox, M3, KDE, 32-bit

Package(s) under test: asterisk

default install of asterisk

[root@localhost wilcal]# urpmi asterisk
Package asterisk-11.7.0-1.mga3.i586 is already installed

Per: https://bugs.mageia.org/show_bug.cgi?id=11094#c5
asterisk installs cleanly. As root ran "asterisk -vvvc", then at the *CLI> prompt, ran the command "core show help", then using ctrl+c exited. Process executed as expected.

install asterisk from updates_testing

[root@localhost wilcal]# urpmi asterisk
Package asterisk-11.8.1-1.mga3.i586 is already installed

Per: https://bugs.mageia.org/show_bug.cgi?id=11094#c5
asterisk installs cleanly. As root ran "asterisk -vvvc", then at the *CLI> prompt, ran the command "core show help", then using ctrl+c exited. Process executed as expected.

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
VirtualBox 4.3.6-1.mga4.x86_64.rpm
CC: (none) => wilcal.int
Whiteboard: MGA3TOO => MGA3TOO MGA3-32-OK
In VirtualBox, M3, KDE, 64-bit

Package(s) under test: asterisk

default install of asterisk

[root@localhost wilcal]# urpmi asterisk
Package asterisk-11.7.0-1.mga3.x86_64 is already installed

Per: https://bugs.mageia.org/show_bug.cgi?id=11094#c5
asterisk installs cleanly. As root ran "asterisk -vvvc", then at the *CLI> prompt, ran the command "core show help", then using ctrl+c exited. Process executed as expected.

install asterisk from updates_testing

[root@localhost wilcal]# urpmi asterisk
Package asterisk-11.8.1-1.mga3.x86_64 is already installed

Per: https://bugs.mageia.org/show_bug.cgi?id=11094#c5
asterisk installs cleanly. As root ran "asterisk -vvvc", then at the *CLI> prompt, ran the command "core show help", then using ctrl+c exited. Process executed as expected.

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
VirtualBox 4.3.6-1.mga4.x86_64.rpm
Whiteboard: MGA3TOO MGA3-32-OK => MGA3TOO MGA3-32-OK MGA3-64-OK
In VirtualBox, M4, KDE, 32-bit

Package(s) under test: asterisk

default install of asterisk

[root@localhost wilcal]# urpmi asterisk
Package asterisk-11.7.0-2.mga4.i586 is already installed

Per: https://bugs.mageia.org/show_bug.cgi?id=11094#c5
asterisk installs cleanly. As root ran "asterisk -vvvc", then at the *CLI> prompt, ran the command "core show help", then using ctrl+c exited. Process executed as expected.

install asterisk from updates_testing

[root@localhost wilcal]# urpmi asterisk
Package asterisk-11.8.1-1.mga4.i586 is already installed

Per: https://bugs.mageia.org/show_bug.cgi?id=11094#c5
asterisk installs cleanly. As root ran "asterisk -vvvc", then at the *CLI> prompt, ran the command "core show help", then using ctrl+c exited. Process executed as expected.

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
VirtualBox 4.3.6-1.mga4.x86_64.rpm
Whiteboard: MGA3TOO MGA3-32-OK MGA3-64-OK => MGA3TOO MGA3-32-OK MGA3-64-OK MGA4-32-OK
In VirtualBox, M4, KDE, 64-bit

Package(s) under test: asterisk

default install of asterisk

[root@localhost wilcal]# urpmi asterisk
Package asterisk-11.7.0-2.mga4.x86_64 is already installed

Per: https://bugs.mageia.org/show_bug.cgi?id=11094#c5
asterisk installs cleanly. As root ran "asterisk -vvvc", then at the *CLI> prompt, ran the command "core show help", then using ctrl+c exited. Process executed as expected.

install asterisk from updates_testing

[root@localhost wilcal]# urpmi asterisk
Package asterisk-11.8.1-1.mga4.x86_64 is already installed

Per: https://bugs.mageia.org/show_bug.cgi?id=11094#c5
asterisk installs cleanly. As root ran "asterisk -vvvc", then at the *CLI> prompt, ran the command "core show help", then using ctrl+c exited. Process executed as expected.

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
VirtualBox 4.3.6-1.mga4.x86_64.rpm
Whiteboard: MGA3TOO MGA3-32-OK MGA3-64-OK MGA4-32-OK => MGA3TOO MGA3-32-OK MGA3-64-OK MGA4-32-OK MGA4-64-OK
For me this update works fine.

Testing complete for mga3 32-bit & 64-bit
Testing complete for mga4 32-bit & 64-bit

Validating the update. Could someone from the sysadmin team push this to updates? Thanks
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Separate advisories uploaded for mga3 & 4 (13061.mga3.adv & 13061.mga4.adv)
Whiteboard: MGA3TOO MGA3-32-OK MGA3-64-OK MGA4-32-OK MGA4-64-OK => MGA3TOO has_procedure advisory MGA3-32-OK MGA3-64-OK MGA4-32-OK MGA4-64-OK
http://advisories.mageia.org/MGASA-2014-0171.html
http://advisories.mageia.org/MGASA-2014-0172.html
Status: NEW => RESOLVED
CC: (none) => mageia
Resolution: (none) => FIXED