Upstream has issued an advisory on March 4:
http://downloads.asterisk.org/pub/security/AST-2015-003.html

The issue is fixed in 11.17.1.

This update will also address this upstream advisory:
http://downloads.asterisk.org/pub/security/AST-2015-002.html
However, that is not a vulnerability for us as we have fixed curl already.

Oden has committed the update in Mageia 4 and Cauldron SVN. Freeze push pending.
======================================================
Name: CVE-2015-3008
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3008
Final-Decision:
Interim-Decision:
Modified:
Proposed:
Assigned: 20150408
Category:
Reference: BUGTRAQ:20150408 AST-2015-003: TLS Certificate Common name NULL byte exploit
Reference: URL:http://www.securityfocus.com/archive/1/archive/1/535222/100/0/threaded
Reference: FULLDISC:20150408 AST-2015-003: TLS Certificate Common name NULL byte exploit
Reference: URL:http://seclists.org/fulldisclosure/2015/Apr/22
Reference: MISC:http://packetstormsecurity.com/files/131364/Asterisk-Project-Security-Advisory-AST-2015-003.html
Reference: CONFIRM:http://downloads.asterisk.org/pub/security/AST-2015-003.html
Reference: SECTRACK:1032052
Reference: URL:http://www.securitytracker.com/id/1032052

Asterisk Open Source 1.8 before 1.8.32.3, 11.x before 11.17.1, 12.x before 12.8.2, and 13.x before 13.3.2 and Certified Asterisk 1.8.28 before 1.8.28-cert5, 11.6 before 11.6-cert11, and 13.1 before 13.1-cert2, when registering a SIP TLS device, does not properly handle a null byte in a domain name in the subject's Common Name (CN) field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority.
CC: (none) => oe
Information for this update once it's pushed in Cauldron.

Testing procedure:
https://bugs.mageia.org/show_bug.cgi?id=11094#c5

Advisory:
========================

Updated asterisk packages fix security vulnerability:

When Asterisk registers to a SIP TLS device and verifies the server, Asterisk will accept signed certificates that match a common name other than the one Asterisk is expecting if the signed certificate has a common name containing a null byte after the portion of the common name that Asterisk expected (CVE-2015-3008).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3008
http://downloads.asterisk.org/pub/security/AST-2015-003.html
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-11.17.1
http://downloads.asterisk.org/pub/telephony/asterisk/asterisk-11.17.1-summary.html
========================

Updated packages in core/updates_testing:
========================
asterisk-11.17.1-1.mga4
libasteriskssl1-11.17.1-1.mga4
asterisk-addons-11.17.1-1.mga4
asterisk-firmware-11.17.1-1.mga4
asterisk-devel-11.17.1-1.mga4
asterisk-plugins-corosync-11.17.1-1.mga4
asterisk-plugins-alsa-11.17.1-1.mga4
asterisk-plugins-calendar-11.17.1-1.mga4
asterisk-plugins-cel-11.17.1-1.mga4
asterisk-plugins-curl-11.17.1-1.mga4
asterisk-plugins-dahdi-11.17.1-1.mga4
asterisk-plugins-fax-11.17.1-1.mga4
asterisk-plugins-festival-11.17.1-1.mga4
asterisk-plugins-ices-11.17.1-1.mga4
asterisk-plugins-jabber-11.17.1-1.mga4
asterisk-plugins-jack-11.17.1-1.mga4
asterisk-plugins-lua-11.17.1-1.mga4
asterisk-plugins-ldap-11.17.1-1.mga4
asterisk-plugins-minivm-11.17.1-1.mga4
asterisk-plugins-mobile-11.17.1-1.mga4
asterisk-plugins-mp3-11.17.1-1.mga4
asterisk-plugins-mysql-11.17.1-1.mga4
asterisk-plugins-ooh323-11.17.1-1.mga4
asterisk-plugins-oss-11.17.1-1.mga4
asterisk-plugins-pktccops-11.17.1-1.mga4
asterisk-plugins-portaudio-11.17.1-1.mga4
asterisk-plugins-pgsql-11.17.1-1.mga4
asterisk-plugins-radius-11.17.1-1.mga4
asterisk-plugins-saycountpl-11.17.1-1.mga4
asterisk-plugins-skinny-11.17.1-1.mga4
asterisk-plugins-snmp-11.17.1-1.mga4
asterisk-plugins-speex-11.17.1-1.mga4
asterisk-plugins-sqlite-11.17.1-1.mga4
asterisk-plugins-tds-11.17.1-1.mga4
asterisk-plugins-osp-11.17.1-1.mga4
asterisk-plugins-unistim-11.17.1-1.mga4
asterisk-plugins-voicemail-11.17.1-1.mga4
asterisk-plugins-voicemail-imap-11.17.1-1.mga4
asterisk-plugins-voicemail-plain-11.17.1-1.mga4
asterisk-gui-11.17.1-1.mga4

from asterisk-11.17.1-1.mga4.src.rpm
Whiteboard: (none) => MGA5TOO, MGA4TOO
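The null-byte defect the advisory above describes, shown as an added illustration that is not Asterisk's or Mageia's own code: a certificate CN is an ASN.1 string with an explicit length and may legitimately contain an embedded NUL, but a check that hands the CN bytes to a C string function compares only up to that NUL. An attacker who controls `attacker.test` (a constructed name) can obtain a CA-issued certificate whose CN is `sip.example.com\0.attacker.test`; the vulnerable comparison accepts it for `sip.example.com`. The `cn_string` struct is a stand-in for OpenSSL's `ASN1_STRING`, and the hardened check follows the standard remedy of requiring the decoded length to equal `strlen()` before comparing; it is not a quotation of the upstream patch.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

/* A subject CN as it comes out of the ASN.1 decoder: a byte buffer plus an
 * explicit length. Constructed stand-in for OpenSSL's ASN1_STRING. */
struct cn_string {
    const unsigned char *data;
    size_t len;
};

/* Vulnerable comparison: treats the CN as a NUL-terminated C string.
 * strcmp() stops at the embedded NUL, so "sip.example.com\0.attacker.test"
 * compares equal to "sip.example.com". */
bool cn_matches_vulnerable(const struct cn_string *cn, const char *expected)
{
    return strcmp((const char *)cn->data, expected) == 0;
}

/* Hardened comparison: the ASN.1 length must equal the C-string length of
 * the same bytes (rejecting any embedded NUL), and the expected name must
 * have the same length, before the full buffer is compared byte for byte. */
bool cn_matches_fixed(const struct cn_string *cn, const char *expected)
{
    if (cn->len != strlen((const char *)cn->data)) {
        return false; /* embedded NUL: the CN is not what it looks like */
    }
    if (cn->len != strlen(expected)) {
        return false;
    }
    return memcmp(cn->data, expected, cn->len) == 0;
}

/* Constructed CN fields for two certificates. sizeof(...) - 1 drops only
 * the literal's terminating NUL, so the embedded one stays in the length. */
static const unsigned char HONEST_CN[] = "sip.example.com";
static const unsigned char FORGED_CN[] = "sip.example.com\0.attacker.test";

static const struct cn_string honest = { HONEST_CN, sizeof(HONEST_CN) - 1 };
static const struct cn_string forged = { FORGED_CN, sizeof(FORGED_CN) - 1 };

int main(void)
{
    const char *expected = "sip.example.com";

    printf("vulnerable: honest=%d forged=%d\n",
           cn_matches_vulnerable(&honest, expected),
           cn_matches_vulnerable(&forged, expected));
    printf("fixed:      honest=%d forged=%d\n",
           cn_matches_fixed(&honest, expected),
           cn_matches_fixed(&forged, expected));
    return 0;
}
```

The forged CN has an ASN.1 length of 30 but a `strlen()` of 15, which is exactly the mismatch the hardened check refuses; a CA that validated only `attacker.test` would still have issued such a certificate, which is why the CVE text speaks of a certificate from a legitimate Certification Authority.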
Finally pushed in Cauldron. Assigning to QA. See Comment 2 for all of the details.
Version: Cauldron => 4
Assignee: bugsquad => qa-bugs
Whiteboard: MGA5TOO, MGA4TOO => has_procedure
Testing complete. mga4 64 tested as per https://bugs.mageia.org/show_bug.cgi?id=11094#c5
Whiteboard: has_procedure => has_procedure mga4-64-ok
Validating. Advisory uploaded. Please push to 4 updates. Thanks.
Keywords: (none) => validated_update
Whiteboard: has_procedure mga4-64-ok => has_procedure advisory mga4-64-ok
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2015-0153.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
URL: (none) => http://lwn.net/Vulnerabilities/640414/