Upstream has issued advisories on September 18 and October 20:
http://downloads.asterisk.org/pub/security/AST-2014-010.html
http://downloads.asterisk.org/pub/security/AST-2014-011.html

The issues are fixed in version 11.13.1. CVE-2014-3566 is POODLE, so is technically just mitigated.

Mageia 3 and Mageia 4 are also affected.

Reproducible:

Steps to Reproduce:
Whiteboard: (none) => MGA4TOO, MGA3TOO
11.14.0 has landed and needs to be submitted in cauldron.
Thanks Oden! Freeze push request sent for Cauldron.

Testing procedure: https://bugs.mageia.org/show_bug.cgi?id=11094#c5

Advisory:
========================

Updated asterisk packages fix security vulnerabilities:

In Asterisk Open Source 11.x before 11.12.1, when an out of call message, delivered by either the SIP or PJSIP channel driver or the XMPP stack, is handled in Asterisk, a crash can occur if the channel servicing the message is sent into the ReceiveFax dialplan application while using the res_fax_spandsp module (CVE-2014-6610).

In Asterisk Open Source 11.x before 11.13.1, the res_jabber and res_xmpp module both use SSLv3 exclusively, and are hence susceptible to CVE-2014-3566, a.k.a. POODLE. Also, the core TLS handling, used by the chan_sip channel driver, Asterisk Manager Interface (AMI), and the Asterisk HTTP server, defaults to allowing SSLv3/SSLv2 fallback. This allows a MITM to potentially force a connection to fallback to SSLv3, exposing it to the POODLE vulnerability.

Asterisk has been updated to version 11.14.0, which fixes the CVE-2014-6610 issue, and in which it no longer uses SSLv3 for the res_jabber/res_xmpp modules. Additionally, when the encryption method is not specified, the default handling in the TLS core no longer allows for a fallback to SSLv3 or SSLv2. These changes mitigate the POODLE vulnerability.
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6610
http://downloads.asterisk.org/pub/security/AST-2014-010.html
http://downloads.asterisk.org/pub/security/AST-2014-011.html
http://downloads.asterisk.org/pub/telephony/asterisk/asterisk-11.14.0-summary.html
========================

Updated packages in core/updates_testing:
========================
asterisk-11.14.0-1.mga3
libasteriskssl1-11.14.0-1.mga3
asterisk-addons-11.14.0-1.mga3
asterisk-firmware-11.14.0-1.mga3
asterisk-devel-11.14.0-1.mga3
asterisk-plugins-corosync-11.14.0-1.mga3
asterisk-plugins-alsa-11.14.0-1.mga3
asterisk-plugins-calendar-11.14.0-1.mga3
asterisk-plugins-cel-11.14.0-1.mga3
asterisk-plugins-curl-11.14.0-1.mga3
asterisk-plugins-dahdi-11.14.0-1.mga3
asterisk-plugins-fax-11.14.0-1.mga3
asterisk-plugins-festival-11.14.0-1.mga3
asterisk-plugins-ices-11.14.0-1.mga3
asterisk-plugins-jabber-11.14.0-1.mga3
asterisk-plugins-jack-11.14.0-1.mga3
asterisk-plugins-lua-11.14.0-1.mga3
asterisk-plugins-ldap-11.14.0-1.mga3
asterisk-plugins-minivm-11.14.0-1.mga3
asterisk-plugins-mobile-11.14.0-1.mga3
asterisk-plugins-mp3-11.14.0-1.mga3
asterisk-plugins-mysql-11.14.0-1.mga3
asterisk-plugins-ooh323-11.14.0-1.mga3
asterisk-plugins-oss-11.14.0-1.mga3
asterisk-plugins-pktccops-11.14.0-1.mga3
asterisk-plugins-portaudio-11.14.0-1.mga3
asterisk-plugins-pgsql-11.14.0-1.mga3
asterisk-plugins-radius-11.14.0-1.mga3
asterisk-plugins-saycountpl-11.14.0-1.mga3
asterisk-plugins-skinny-11.14.0-1.mga3
asterisk-plugins-snmp-11.14.0-1.mga3
asterisk-plugins-speex-11.14.0-1.mga3
asterisk-plugins-sqlite-11.14.0-1.mga3
asterisk-plugins-tds-11.14.0-1.mga3
asterisk-plugins-osp-11.14.0-1.mga3
asterisk-plugins-unistim-11.14.0-1.mga3
asterisk-plugins-voicemail-11.14.0-1.mga3
asterisk-plugins-voicemail-imap-11.14.0-1.mga3
asterisk-plugins-voicemail-plain-11.14.0-1.mga3
asterisk-gui-11.14.0-1.mga3

asterisk-11.14.0-1.mga4
libasteriskssl1-11.14.0-1.mga4
asterisk-addons-11.14.0-1.mga4
asterisk-firmware-11.14.0-1.mga4
asterisk-devel-11.14.0-1.mga4
asterisk-plugins-corosync-11.14.0-1.mga4
asterisk-plugins-alsa-11.14.0-1.mga4
asterisk-plugins-calendar-11.14.0-1.mga4
asterisk-plugins-cel-11.14.0-1.mga4
asterisk-plugins-curl-11.14.0-1.mga4
asterisk-plugins-dahdi-11.14.0-1.mga4
asterisk-plugins-fax-11.14.0-1.mga4
asterisk-plugins-festival-11.14.0-1.mga4
asterisk-plugins-ices-11.14.0-1.mga4
asterisk-plugins-jabber-11.14.0-1.mga4
asterisk-plugins-jack-11.14.0-1.mga4
asterisk-plugins-lua-11.14.0-1.mga4
asterisk-plugins-ldap-11.14.0-1.mga4
asterisk-plugins-minivm-11.14.0-1.mga4
asterisk-plugins-mobile-11.14.0-1.mga4
asterisk-plugins-mp3-11.14.0-1.mga4
asterisk-plugins-mysql-11.14.0-1.mga4
asterisk-plugins-ooh323-11.14.0-1.mga4
asterisk-plugins-oss-11.14.0-1.mga4
asterisk-plugins-pktccops-11.14.0-1.mga4
asterisk-plugins-portaudio-11.14.0-1.mga4
asterisk-plugins-pgsql-11.14.0-1.mga4
asterisk-plugins-radius-11.14.0-1.mga4
asterisk-plugins-saycountpl-11.14.0-1.mga4
asterisk-plugins-skinny-11.14.0-1.mga4
asterisk-plugins-snmp-11.14.0-1.mga4
asterisk-plugins-speex-11.14.0-1.mga4
asterisk-plugins-sqlite-11.14.0-1.mga4
asterisk-plugins-tds-11.14.0-1.mga4
asterisk-plugins-osp-11.14.0-1.mga4
asterisk-plugins-unistim-11.14.0-1.mga4
asterisk-plugins-voicemail-11.14.0-1.mga4
asterisk-plugins-voicemail-imap-11.14.0-1.mga4
asterisk-plugins-voicemail-plain-11.14.0-1.mga4
asterisk-gui-11.14.0-1.mga4

from SRPMS:
asterisk-11.14.0-1.mga3.src.rpm
asterisk-11.14.0-1.mga4.src.rpm
CC: (none) => oe
Version: Cauldron => 4
Assignee: oe => qa-bugs
Whiteboard: MGA4TOO, MGA3TOO => MGA3TOO has_procedure
On Mageia3-64, real hw

Tested following procedure mentioned in Comment 2

Current packages :
----------------
- asterisk-11.11.0-1.mga3.x86_64
- asterisk-addons-11.11.0-1.mga3.x86_64
- asterisk-core-sounds-fr-1.4.22-2.mga3.noarch
- asterisk-firmware-11.11.0-1.mga3.x86_64
- asterisk-gui-11.11.0-1.mga3.x86_64
- asterisk-moh-opsound-20091226-2.mga3.noarch
- asterisk-plugins-alsa-11.11.0-1.mga3.x86_64
- asterisk-plugins-calendar-11.11.0-1.mga3.x86_64
- asterisk-plugins-cel-11.11.0-1.mga3.x86_64
- asterisk-plugins-corosync-11.11.0-1.mga3.x86_64
- asterisk-plugins-curl-11.11.0-1.mga3.x86_64
- asterisk-plugins-dahdi-11.11.0-1.mga3.x86_64
- asterisk-plugins-fax-11.11.0-1.mga3.x86_64
- asterisk-plugins-festival-11.11.0-1.mga3.x86_64
- asterisk-plugins-ices-11.11.0-1.mga3.x86_64
- asterisk-plugins-jabber-11.11.0-1.mga3.x86_64
- asterisk-plugins-jack-11.11.0-1.mga3.x86_64
- asterisk-plugins-ldap-11.11.0-1.mga3.x86_64
- asterisk-plugins-lua-11.11.0-1.mga3.x86_64
- asterisk-plugins-minivm-11.11.0-1.mga3.x86_64
- asterisk-plugins-mobile-11.11.0-1.mga3.x86_64
- asterisk-plugins-mp3-11.11.0-1.mga3.x86_64
- asterisk-plugins-mysql-11.11.0-1.mga3.x86_64
- asterisk-plugins-ooh323-11.11.0-1.mga3.x86_64
- asterisk-plugins-osp-11.11.0-1.mga3.x86_64
- asterisk-plugins-oss-11.11.0-1.mga3.x86_64
- asterisk-plugins-pgsql-11.11.0-1.mga3.x86_64
- asterisk-plugins-pktccops-11.11.0-1.mga3.x86_64
- asterisk-plugins-portaudio-11.11.0-1.mga3.x86_64
- asterisk-plugins-radius-11.11.0-1.mga3.x86_64
- asterisk-plugins-saycountpl-11.11.0-1.mga3.x86_64
- asterisk-plugins-skinny-11.11.0-1.mga3.x86_64
- asterisk-plugins-snmp-11.11.0-1.mga3.x86_64
- asterisk-plugins-speex-11.11.0-1.mga3.x86_64
- asterisk-plugins-sqlite-11.11.0-1.mga3.x86_64
- asterisk-plugins-tds-11.11.0-1.mga3.x86_64
- asterisk-plugins-unistim-11.11.0-1.mga3.x86_64
- asterisk-plugins-voicemail-11.11.0-1.mga3.x86_64
- asterisk-plugins-voicemail-imap-11.11.0-1.mga3.x86_64
- asterisk-plugins-voicemail-plain-11.11.0-1.mga3.x86_64
- lib64asteriskssl1-11.11.0-1.mga3.x86_64

Followed testing procedure which gave expected result.

Updated to testing packages :
---------------------------
- asterisk-11.14.0-1.mga3.x86_64
- asterisk-addons-11.14.0-1.mga3.x86_64
- asterisk-devel-11.14.0-1.mga3.x86_64
- asterisk-firmware-11.14.0-1.mga3.x86_64
- asterisk-gui-11.14.0-1.mga3.x86_64
- asterisk-plugins-alsa-11.14.0-1.mga3.x86_64
- asterisk-plugins-calendar-11.14.0-1.mga3.x86_64
- asterisk-plugins-cel-11.14.0-1.mga3.x86_64
- asterisk-plugins-corosync-11.14.0-1.mga3.x86_64
- asterisk-plugins-curl-11.14.0-1.mga3.x86_64
- asterisk-plugins-dahdi-11.14.0-1.mga3.x86_64
- asterisk-plugins-fax-11.14.0-1.mga3.x86_64
- asterisk-plugins-festival-11.14.0-1.mga3.x86_64
- asterisk-plugins-ices-11.14.0-1.mga3.x86_64
- asterisk-plugins-jabber-11.14.0-1.mga3.x86_64
- asterisk-plugins-jack-11.14.0-1.mga3.x86_64
- asterisk-plugins-ldap-11.14.0-1.mga3.x86_64
- asterisk-plugins-lua-11.14.0-1.mga3.x86_64
- asterisk-plugins-minivm-11.14.0-1.mga3.x86_64
- asterisk-plugins-mobile-11.14.0-1.mga3.x86_64
- asterisk-plugins-mp3-11.14.0-1.mga3.x86_64
- asterisk-plugins-mysql-11.14.0-1.mga3.x86_64
- asterisk-plugins-ooh323-11.14.0-1.mga3.x86_64
- asterisk-plugins-osp-11.14.0-1.mga3.x86_64
- asterisk-plugins-oss-11.14.0-1.mga3.x86_64
- asterisk-plugins-pgsql-11.14.0-1.mga3.x86_64
- asterisk-plugins-pktccops-11.14.0-1.mga3.x86_64
- asterisk-plugins-portaudio-11.14.0-1.mga3.x86_64
- asterisk-plugins-radius-11.14.0-1.mga3.x86_64
- asterisk-plugins-saycountpl-11.14.0-1.mga3.x86_64
- asterisk-plugins-skinny-11.14.0-1.mga3.x86_64
- asterisk-plugins-snmp-11.14.0-1.mga3.x86_64
- asterisk-plugins-speex-11.14.0-1.mga3.x86_64
- asterisk-plugins-sqlite-11.14.0-1.mga3.x86_64
- asterisk-plugins-tds-11.14.0-1.mga3.x86_64
- asterisk-plugins-unistim-11.14.0-1.mga3.x86_64
- asterisk-plugins-voicemail-11.14.0-1.mga3.x86_64
- asterisk-plugins-voicemail-imap-11.14.0-1.mga3.x86_64
- asterisk-plugins-voicemail-plain-11.14.0-1.mga3.x86_64
- lib64asteriskssl1-11.14.0-1.mga3.x86_64

Followed testing procedure which gave expected result.
CC: (none) => olchal
Whiteboard: MGA3TOO has_procedure => MGA3TOO has_procedure MGA3-64-OK
Advisory uploaded.
Whiteboard: MGA3TOO has_procedure MGA3-64-OK => MGA3TOO has_procedure advisory MGA3-64-OK
Testing on mga4 x86_64 real hardware:

asterisk-11.14.0-1
asterisk-plugins-pktccops-11.14.0-1
asterisk-firmware-11.14.0-1
asterisk-addons-11.14.0-1
asterisk-plugins-mp3-11.14.0-1
asterisk-plugins-mysql-11.14.0-1
asterisk-plugins-ooh323-11.14.0-1
asterisk-plugins-saycountpl-11.14.0-1
asterisk-devel-11.14.0-1
asterisk-gui-11.14.0-1
(medium "Core Updates") lib64openssl-devel-1.0.1e-8.8

As root ran:
$ asterisk -vvvc
*CLI> core show help
*CLI> ulimit
*CLI> timing test
*CLI> core stop gracefully
Disconnected from Asterisk server
Asterisk cleanly ending (0).
Executing last minute cleanups

Could not find any information about asterisk-gui but everything looks good for a novice.
CC: (none) => tarazed25
Whiteboard: MGA3TOO has_procedure advisory MGA3-64-OK => MGA3TOO has_procedure advisory MGA3-64-OK MGA4-64-OK
Whoops. Additional fixes in 11.14.1
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-11.14.1
http://downloads.asterisk.org/pub/security/AST-2014-012.html
http://downloads.asterisk.org/pub/security/AST-2014-014.html
http://downloads.asterisk.org/pub/security/AST-2014-017.html

11.14.1 has landed and needs to be submitted in cauldron.
Also:
http://downloads.asterisk.org/pub/security/AST-2014-018.html

As you already noticed 2014-013, 2014-015, and 2014-016 don't affect 11.x.

Freeze push requested.

Oden, all of these new AST's say CVE pending. I haven't seen any requests on oss-security for CVEs. Do you have any insight on this?
Whiteboard: MGA3TOO has_procedure advisory MGA3-64-OK MGA4-64-OK => MGA3TOO has_procedure
(In reply to David Walser from comment #7)
> Also:
> http://downloads.asterisk.org/pub/security/AST-2014-018.html
>
> As you already noticed 2014-013, 2014-015, and 2014-016 don't affect 11.x.
>
> Freeze push requested.
>
> Oden, all of these new AST's say CVE pending. I haven't seen any requests
> on oss-security for CVEs. Do you have any insight on this?

No, sorry.
Advisory:
========================

Updated asterisk packages fix security vulnerabilities:

In Asterisk Open Source 11.x before 11.12.1, when an out of call message, delivered by either the SIP or PJSIP channel driver or the XMPP stack, is handled in Asterisk, a crash can occur if the channel servicing the message is sent into the ReceiveFax dialplan application while using the res_fax_spandsp module (CVE-2014-6610).

In Asterisk Open Source 11.x before 11.13.1, the res_jabber and res_xmpp module both use SSLv3 exclusively, and are hence susceptible to CVE-2014-3566, a.k.a. POODLE. Also, the core TLS handling, used by the chan_sip channel driver, Asterisk Manager Interface (AMI), and the Asterisk HTTP server, defaults to allowing SSLv3/SSLv2 fallback. This allows a MITM to potentially force a connection to fallback to SSLv3, exposing it to the POODLE vulnerability.

Asterisk has been updated to version 11.14.1, which fixes the CVE-2014-6610 issue, and in which it no longer uses SSLv3 for the res_jabber/res_xmpp modules. Additionally, when the encryption method is not specified, the default handling in the TLS core no longer allows for a fallback to SSLv3 or SSLv2. These changes mitigate the POODLE vulnerability.

Other security issues fixed in 11.14.1 include:

Mixed IP address families in access control lists may permit unwanted traffic (AST-2014-012).

High call load may result in hung channels in ConfBridge (AST-2014-014).

Permission escalation through ConfBridge actions/dialplan functions (AST-2014-017).

The DB dialplan function when executed from an external protocol (for instance AMI), could result in a privilege escalation (AST-2014-018).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6610
http://downloads.asterisk.org/pub/security/AST-2014-010.html
http://downloads.asterisk.org/pub/security/AST-2014-011.html
http://downloads.asterisk.org/pub/security/AST-2014-012.html
http://downloads.asterisk.org/pub/security/AST-2014-014.html
http://downloads.asterisk.org/pub/security/AST-2014-017.html
http://downloads.asterisk.org/pub/security/AST-2014-018.html
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-11.14.1
http://downloads.asterisk.org/pub/telephony/asterisk/asterisk-11.14.1-summary.html
http://www.mandriva.com/en/support/security/advisories/mbs1/MDVSA-2014%3A218/
LWN reference for the issues missing CVEs:
http://lwn.net/Vulnerabilities/622620/
URL: (none) => http://lwn.net/Vulnerabilities/622619/
On Mageia3-64 real HW :

Testing updated testing package round 2, using Len's instructions in comment 5.

# rpm -q asterisk
asterisk-11.14.1-1.mga3

All OK
Whiteboard: MGA3TOO has_procedure => MGA3TOO has_procedure MGA3-64-OK
CC: (none) => herman.viaene
Whiteboard: MGA3TOO has_procedure MGA3-64-OK => MGA3TOO has_procedure MGA3-64-OK MGA-64-OK
Whiteboard: MGA3TOO has_procedure MGA3-64-OK MGA-64-OK => MGA3TOO has_procedure MGA3-64-OK MGA4-64-OK
Mageia4-64 on laptop HP6555b

Repeated test as described in Comment 5

All seems well, I noted however that the graceful end floods Konsole with loads of warnings like "Unregistered application xxxxxxx".
Advisory updated with

3:
core:
- asterisk-11.14.1-1.mga3

4:
core:
- asterisk-11.14.1-1.mga4

and comment 9 text and refs.

Validating for inclusion in mga3. Please push to updates.
Keywords: (none) => validated_update
Whiteboard: MGA3TOO has_procedure MGA3-64-OK MGA4-64-OK => MGA3TOO has_procedure advisory MGA3-64-OK MGA4-64-OK
CC: (none) => sysadmin-bugs
Comment on comment 12. Did not see that in a Mate terminal.
An update for this issue has been pushed to Mageia Updates repository.
http://advisories.mageia.org/MGASA-2014-0490.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
The issues fixed in 11.14.1 have received CVEs.

LWN reference for the new CVEs:
http://lwn.net/Vulnerabilities/628109/

Updated advisory below.

Advisory:
========================

Updated asterisk packages fix security vulnerabilities:

In Asterisk Open Source 11.x before 11.12.1, when an out of call message, delivered by either the SIP or PJSIP channel driver or the XMPP stack, is handled in Asterisk, a crash can occur if the channel servicing the message is sent into the ReceiveFax dialplan application while using the res_fax_spandsp module (CVE-2014-6610).

In Asterisk Open Source 11.x before 11.13.1, the res_jabber and res_xmpp module both use SSLv3 exclusively, and are hence susceptible to CVE-2014-3566, a.k.a. POODLE. Also, the core TLS handling, used by the chan_sip channel driver, Asterisk Manager Interface (AMI), and the Asterisk HTTP server, defaults to allowing SSLv3/SSLv2 fallback. This allows a MITM to potentially force a connection to fallback to SSLv3, exposing it to the POODLE vulnerability.

Asterisk has been updated to version 11.14.1, which fixes the CVE-2014-6610 issue, and in which it no longer uses SSLv3 for the res_jabber/res_xmpp modules. Additionally, when the encryption method is not specified, the default handling in the TLS core no longer allows for a fallback to SSLv3 or SSLv2. These changes mitigate the POODLE vulnerability.

Other security issues fixed in 11.14.1 include:

The VoIP channel drivers, DUNDi, and Asterisk Manager Interface (AMI) in Asterisk Open Source 11.x before 11.14.1 allows remote attackers to bypass the ACL restrictions via a packet with a source IP that does not share the address family as the first ACL entry (CVE-2014-8412).

ConfBridge in Asterisk 11.x before 11.14.1 does not properly handle state changes, which allows remote attackers to cause a denial of service (channel hang and memory consumption) by causing transitions to be delayed, which triggers a state change from hung up to waiting for media (CVE-2014-8414).

ConfBridge in Asterisk 11.x before 11.14.1 allows remote authenticated users to gain privileges via vectors related to an external protocol to the CONFBRIDGE dialplan function or execute arbitrary system commands via a crafted ConfbridgeStartRecord AMI action (CVE-2014-8417).

The DB dialplan function in Asterisk Open Source 11.x before 11.1.4.1 allows remote authenticated users to gain privileges via a call from an external protocol, as demonstrated by the AMI protocol (CVE-2014-8418).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6610
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8412
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8414
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8417
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8418
http://downloads.asterisk.org/pub/security/AST-2014-010.html
http://downloads.asterisk.org/pub/security/AST-2014-011.html
http://downloads.asterisk.org/pub/security/AST-2014-012.html
http://downloads.asterisk.org/pub/security/AST-2014-014.html
http://downloads.asterisk.org/pub/security/AST-2014-017.html
http://downloads.asterisk.org/pub/security/AST-2014-018.html
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-11.14.1
http://downloads.asterisk.org/pub/telephony/asterisk/asterisk-11.14.1-summary.html
http://www.mandriva.com/en/support/security/advisories/mbs1/MDVSA-2014%3A218/
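The QA procedure on this bug only checks that the updated asterisk starts and stops cleanly; it does not confirm the SSLv3 fallback change the advisory (comments 2, 9 and above) describes. The following is an added example, not code from this bug report or from the Asterisk project: it sends a hand-built SSLv3 ClientHello to a TLS listener and reports whether the server answers with an SSLv3 ServerHello (fallback still allowed) or refuses it. Host and port are the tester's choice; the default port numbers in the probe docstring are Asterisk's usual SIP-TLS, AMI-TLS and HTTPS listeners, and the packets are constructed here.

```python
import socket
import struct

# Constructed probe: an SSLv3 (record version 3.0) ClientHello. A listener with
# SSLv3 disabled should answer with a fatal alert (handshake_failure or
# protocol_version), or just drop the connection, rather than with a ServerHello
# that itself carries version 3.0.
SSL3_VERSION = b"\x03\x00"
CONTENT_ALERT, CONTENT_HANDSHAKE = 0x15, 0x16
ALERT_NAMES = {40: "handshake_failure", 70: "protocol_version", 80: "internal_error"}


def build_sslv3_client_hello() -> bytes:
    """ClientHello: version 3.0, 32 zero 'random' bytes, empty session id,
    two cipher suites (AES128-SHA, DES-CBC3-SHA), null compression."""
    cipher_suites = b"\x00\x2f\x00\x0a"
    body = (SSL3_VERSION + b"\x00" * 32 + b"\x00"
            + struct.pack(">H", len(cipher_suites)) + cipher_suites + b"\x01\x00")
    handshake = b"\x01" + struct.pack(">I", len(body))[1:] + body  # type 1, 3-byte length
    return bytes([CONTENT_HANDSHAKE]) + SSL3_VERSION + struct.pack(">H", len(handshake)) + handshake


def classify_response(data: bytes) -> str:
    """Interpret the first record the server sends back to the SSLv3 ClientHello."""
    if len(data) < 5:
        return "no-response"  # nothing or a truncated header: the server hung up
    content_type, rec_len = data[0], struct.unpack(">H", data[3:5])[0]
    payload = data[5:5 + rec_len]
    if content_type == CONTENT_ALERT and len(payload) >= 2:
        return "sslv3-rejected:" + ALERT_NAMES.get(payload[1], str(payload[1]))
    if content_type == CONTENT_HANDSHAKE and len(payload) >= 6 and payload[0] == 0x02:
        version = payload[4:6]  # ServerHello: type(1) length(3) server_version(2)
        return "sslv3-accepted" if version == SSL3_VERSION else "negotiated-" + version.hex()
    return "unknown"


def probe(host: str, port: int, timeout: float = 5.0) -> str:
    """Send the probe to an Asterisk TLS listener (SIP-TLS 5061, AMI-TLS 5039, HTTPS 8089
    by default) and report whether SSLv3 was accepted."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_sslv3_client_hello())
        try:
            data = sock.recv(4096)
        except (socket.timeout, ConnectionResetError):
            data = b""  # a silent drop also means SSLv3 is not being served
    return classify_response(data)


if __name__ == "__main__":
    import sys
    host, port = sys.argv[1], int(sys.argv[2])  # e.g. 127.0.0.1 5061
    print(f"{host}:{port} -> {probe(host, port)}")
```

Run it before and after installing the 11.14.x packages against the same listener: the pre-update result should be "sslv3-accepted" only when the listener's encryption method was left unset, and any result other than that after the update confirms the fallback is gone.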