Gentoo has issued an advisory on December 28: http://www.gentoo.org/security/en/glsa/glsa-201412-51.xml

The CVE-2014-841* CVEs were addressed in Bug 14466. CVE-2014-9374 was fixed upstream in 11.14.2. The corresponding upstream advisory is here: http://downloads.asterisk.org/pub/security/AST-2014-019.html

Mageia 4 is also affected.
Blocks: (none) => 14674
Whiteboard: (none) => MGA4TOO
11.14.2 has been submitted to mga4. Someone needs to submit 11.14.2 for cauldron.
Thanks Oden! Freeze push request sent for Cauldron.

Testing procedure: https://bugs.mageia.org/show_bug.cgi?id=11094#c5

Advisory:
========================

Updated asterisk packages fix security vulnerability:

Double free vulnerability in the WebSocket Server (res_http_websocket module) in Asterisk Open Source 11.x before 11.14.2 allows remote attackers to cause a denial of service (crash) by sending a zero length frame after a non-zero length frame (CVE-2014-9374).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9374
http://downloads.asterisk.org/pub/security/AST-2014-019.html
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-11.14.2
http://downloads.asterisk.org/pub/telephony/asterisk/asterisk-11.14.2-summary.html
http://www.gentoo.org/security/en/glsa/glsa-201412-51.xml
========================

Updated packages in core/updates_testing:
========================
asterisk-11.14.2-1.mga4
libasteriskssl1-11.14.2-1.mga4
asterisk-addons-11.14.2-1.mga4
asterisk-firmware-11.14.2-1.mga4
asterisk-devel-11.14.2-1.mga4
asterisk-plugins-corosync-11.14.2-1.mga4
asterisk-plugins-alsa-11.14.2-1.mga4
asterisk-plugins-calendar-11.14.2-1.mga4
asterisk-plugins-cel-11.14.2-1.mga4
asterisk-plugins-curl-11.14.2-1.mga4
asterisk-plugins-dahdi-11.14.2-1.mga4
asterisk-plugins-fax-11.14.2-1.mga4
asterisk-plugins-festival-11.14.2-1.mga4
asterisk-plugins-ices-11.14.2-1.mga4
asterisk-plugins-jabber-11.14.2-1.mga4
asterisk-plugins-jack-11.14.2-1.mga4
asterisk-plugins-lua-11.14.2-1.mga4
asterisk-plugins-ldap-11.14.2-1.mga4
asterisk-plugins-minivm-11.14.2-1.mga4
asterisk-plugins-mobile-11.14.2-1.mga4
asterisk-plugins-mp3-11.14.2-1.mga4
asterisk-plugins-mysql-11.14.2-1.mga4
asterisk-plugins-ooh323-11.14.2-1.mga4
asterisk-plugins-oss-11.14.2-1.mga4
asterisk-plugins-pktccops-11.14.2-1.mga4
asterisk-plugins-portaudio-11.14.2-1.mga4
asterisk-plugins-pgsql-11.14.2-1.mga4
asterisk-plugins-radius-11.14.2-1.mga4
asterisk-plugins-saycountpl-11.14.2-1.mga4
asterisk-plugins-skinny-11.14.2-1.mga4
asterisk-plugins-snmp-11.14.2-1.mga4
asterisk-plugins-speex-11.14.2-1.mga4
asterisk-plugins-sqlite-11.14.2-1.mga4
asterisk-plugins-tds-11.14.2-1.mga4
asterisk-plugins-osp-11.14.2-1.mga4
asterisk-plugins-unistim-11.14.2-1.mga4
asterisk-plugins-voicemail-11.14.2-1.mga4
asterisk-plugins-voicemail-imap-11.14.2-1.mga4
asterisk-plugins-voicemail-plain-11.14.2-1.mga4
asterisk-gui-11.14.2-1.mga4

from asterisk-11.14.2-1.mga4.src.rpm
CC: (none) => oe
Version: Cauldron => 4
Blocks: 14674 => (none)
Assignee: oe => qa-bugs
Whiteboard: MGA4TOO => has_procedure
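The advisory above describes a double free triggered by a zero-length WebSocket frame arriving after a non-zero-length one. As an added illustration that is not Asterisk's code (the ws_session struct and function names are hypothetical), the following C shows one common way a reusable per-connection payload buffer produces exactly that bug class, through realloc(ptr, 0), and the hardened form that keeps ownership unambiguous:

```c
#include <stdlib.h>
#include <string.h>
#include <stddef.h>

/* Hypothetical per-connection receive state: one reusable payload buffer. */
struct ws_session {
    unsigned char *payload;   /* reusable payload buffer, NULL when empty */
    size_t payload_len;
};

/* Vulnerable pattern (shown only as a comment, never executed here):
 *     p = realloc(s->payload, len);
 *     if (!p) { free(s->payload); return -1; }
 * With len == 0, glibc's realloc frees s->payload and returns NULL, the
 * caller treats NULL as "allocation failed" and frees the same pointer
 * again: a double free on a zero-length frame after a non-zero-length one.
 *
 * Hardened form: a zero-length frame releases the buffer explicitly and
 * never reaches realloc(ptr, 0). Returns 0 on success, -1 on allocation
 * failure, in which case the old buffer is still owned by the session. */
int ws_store_frame(struct ws_session *s, const unsigned char *data, size_t len)
{
    if (len == 0) {
        free(s->payload);
        s->payload = NULL;
        s->payload_len = 0;
        return 0;
    }
    unsigned char *p = realloc(s->payload, len);
    if (!p) {
        return -1;            /* s->payload untouched: no second free later */
    }
    memcpy(p, data, len);
    s->payload = p;
    s->payload_len = len;
    return 0;
}

/* Release the session buffer; safe to call whether or not it is NULL. */
void ws_session_close(struct ws_session *s)
{
    free(s->payload);         /* free(NULL) is a no-op, so no double free */
    s->payload = NULL;
    s->payload_len = 0;
}

/* Drives the sequence from the advisory on constructed sample data:
 * non-zero frame, zero-length frame, close. Returns 1 if state stays sane. */
int ws_demo_sequence(void)
{
    struct ws_session s = { NULL, 0 };
    const unsigned char hello[] = "hello";      /* constructed payload */
    if (ws_store_frame(&s, hello, 5) != 0 || s.payload_len != 5) return 0;
    if (ws_store_frame(&s, NULL, 0) != 0) return 0;
    int ok = (s.payload == NULL && s.payload_len == 0);
    ws_session_close(&s);
    return ok;
}
```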
MGA4-64 on HP Probook 6555b KDE

Followed PoC as in Comment 2. Commands seem to run OK.

CC: (none) => herman.viaene
Whiteboard: has_procedure => has_procedure MGA4-64-OK
MGA-32 on AcerD620 Xfce

Followed PoC as in Comment 2. Commands seem to run OK.

Whiteboard: has_procedure MGA4-64-OK => has_procedure MGA4-64-OK MGA-32-OK
This package requires intimate knowledge of its operation plus supporting hardware. It can only be ensured that it initially installs, then updates, cleanly.
CC: (none) => wilcal.int
In VirtualBox, M4, KDE, 32-bit

Package(s) under test: asterisk asterisk-firmware asterisk-plugins-pktccops libasteriskssl1

default install of asterisk-firmware asterisk-plugins-pktccops and libasteriskssl1

[root@localhost wilcal]# urpmi asterisk
Package asterisk-11.14.1-1.mga4.i586 is already installed
[root@localhost wilcal]# urpmi asterisk-firmware
Package asterisk-firmware-11.14.1-1.mga4.i586 is already installed
[root@localhost wilcal]# urpmi asterisk-plugins-pktccops
Package asterisk-plugins-pktccops-11.14.1-1.mga4.i586 is already installed
[root@localhost wilcal]# urpmi libasteriskssl1
Package libasteriskssl1-11.14.1-1.mga4.i586 is already installed

install asterisk asterisk-firmware asterisk-plugins-pktccops and libasteriskssl1 from updates_testing

[root@localhost wilcal]# urpmi asterisk
Package asterisk-11.14.2-1.mga4.i586 is already installed
[root@localhost wilcal]# urpmi asterisk-firmware
Package asterisk-firmware-11.14.2-1.mga4.i586 is already installed
[root@localhost wilcal]# urpmi asterisk-plugins-pktccops
Package asterisk-plugins-pktccops-11.14.2-1.mga4.i586 is already installed
[root@localhost wilcal]# urpmi libasteriskssl1
Package libasteriskssl1-11.14.2-1.mga4.i586 is already installed

Packages install without errors

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64
We usually ensure it works interactively, Bill. Procedure: https://bugs.mageia.org/show_bug.cgi?id=11094#c5
In VirtualBox, M4, KDE, 64-bit

Package(s) under test: asterisk asterisk-firmware asterisk-plugins-pktccops lib64asteriskssl1

default install of asterisk-firmware asterisk-plugins-pktccops and lib64asteriskssl1

[root@localhost wilcal]# urpmi asterisk
Package asterisk-11.14.1-1.mga4.x86_64 is already installed
[root@localhost wilcal]# urpmi asterisk-firmware
Package asterisk-firmware-11.14.1-1.mga4.x86_64 is already installed
[root@localhost wilcal]# urpmi asterisk-plugins-pktccops
Package asterisk-plugins-pktccops-11.14.1-1.mga4.x86_64 is already installed
[root@localhost wilcal]# urpmi lib64asteriskssl1
Package lib64asteriskssl1-11.14.1-1.mga4.x86_64 is already installed
[root@localhost wilcal]# asterisk -r
Asterisk 11.14.1, Copyright (C) 1999 - 2013 Digium, Inc. and others.
Created by Mark Spencer <markster@digium.com>
Asterisk comes with ABSOLUTELY NO WARRANTY; type 'core show warranty' for details.
...
localhost*CLI> core show warranty
NO WARRANTY
BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES.....

install asterisk asterisk-firmware asterisk-plugins-pktccops and lib64asteriskssl1 from updates_testing

[root@localhost wilcal]# urpmi asterisk
Package asterisk-11.14.2-1.mga4.x86_64 is already installed
[root@localhost wilcal]# urpmi asterisk-firmware
Package asterisk-firmware-11.14.2-1.mga4.x86_64 is already installed
[root@localhost wilcal]# urpmi asterisk-plugins-pktccops
Package asterisk-plugins-pktccops-11.14.2-1.mga4.x86_64 is already installed
[root@localhost wilcal]# urpmi lib64asteriskssl1
Package lib64asteriskssl1-11.14.2-1.mga4.x86_64 is already installed

Packages install without errors

[root@localhost wilcal]# asterisk -r
Asterisk 11.14.2, Copyright (C) 1999 - 2013 Digium, Inc. and others.
Created by Mark Spencer <markster@digium.com>
Asterisk comes with ABSOLUTELY NO WARRANTY; type 'core show warranty' for details.
...
localhost*CLI> core show warranty
NO WARRANTY
BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES.....

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64
In VirtualBox, M4, KDE, 32-bit

[root@localhost wilcal]# urpmi asterisk
Package asterisk-11.14.2-1.mga4.x86_64 is already installed
[root@localhost wilcal]# asterisk -r
Asterisk 11.14.2, Copyright (C) 1999 - 2013 Digium, Inc. and others.
Created by Mark Spencer <markster@digium.com>
Asterisk comes with ABSOLUTELY NO WARRANTY; type 'core show warranty' for details.
...
localhost*CLI> core show warranty
NO WARRANTY
BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES.....

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64
This update works fine. Testing complete for mga4 32-bit & 64-bit.

Validating the update. Could someone from the sysadmin team push this to updates? Thanks.

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Whiteboard: has_procedure MGA4-64-OK MGA-32-OK => has_procedure MGA4-64-OK MGA4-32-OK
Advisory uploaded.
Whiteboard: has_procedure MGA4-64-OK MGA4-32-OK => has_procedure advisory MGA4-64-OK MGA4-32-OK
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2015-0010.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED