Upstream has issued advisories on February 3:
http://downloads.asterisk.org/pub/security/AST-2016-001.html
http://downloads.asterisk.org/pub/security/AST-2016-002.html

Mageia 5 is also affected. The issues are fixed in versions 11.21.1 and 13.7.1.
Whiteboard: (none) => MGA5TOO
URL: (none) => http://lwn.net/Vulnerabilities/676089/
Packages has been submitted.
Looks like it was only submitted in mga5 and the build failed.
Fixed now
Information for this update once it's pushed in Cauldron.

Testing procedure: https://bugs.mageia.org/show_bug.cgi?id=11094#c5

Advisory:
========================

Updated asterisk packages fix security vulnerability:

chan_sip in Asterisk Open Source 11.x before 11.21.1, when the timert1 sip.conf configuration is set to a value greater than 1245, allows remote attackers to cause a denial of service (file descriptor consumption) via vectors related to large retransmit timeout values (CVE-2016-2316).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2316
http://downloads.asterisk.org/pub/security/AST-2016-002.html
========================

Updated packages in core/updates_testing:
========================
asterisk-11.21.2-1.mga5
libasteriskssl1-11.21.2-1.mga5
asterisk-addons-11.21.2-1.mga5
asterisk-firmware-11.21.2-1.mga5
asterisk-devel-11.21.2-1.mga5
asterisk-plugins-corosync-11.21.2-1.mga5
asterisk-plugins-alsa-11.21.2-1.mga5
asterisk-plugins-calendar-11.21.2-1.mga5
asterisk-plugins-cel-11.21.2-1.mga5
asterisk-plugins-curl-11.21.2-1.mga5
asterisk-plugins-dahdi-11.21.2-1.mga5
asterisk-plugins-fax-11.21.2-1.mga5
asterisk-plugins-festival-11.21.2-1.mga5
asterisk-plugins-ices-11.21.2-1.mga5
asterisk-plugins-jabber-11.21.2-1.mga5
asterisk-plugins-jack-11.21.2-1.mga5
asterisk-plugins-lua-11.21.2-1.mga5
asterisk-plugins-ldap-11.21.2-1.mga5
asterisk-plugins-minivm-11.21.2-1.mga5
asterisk-plugins-mobile-11.21.2-1.mga5
asterisk-plugins-mp3-11.21.2-1.mga5
asterisk-plugins-mysql-11.21.2-1.mga5
asterisk-plugins-ooh323-11.21.2-1.mga5
asterisk-plugins-oss-11.21.2-1.mga5
asterisk-plugins-pktccops-11.21.2-1.mga5
asterisk-plugins-portaudio-11.21.2-1.mga5
asterisk-plugins-pgsql-11.21.2-1.mga5
asterisk-plugins-radius-11.21.2-1.mga5
asterisk-plugins-saycountpl-11.21.2-1.mga5
asterisk-plugins-skinny-11.21.2-1.mga5
asterisk-plugins-snmp-11.21.2-1.mga5
asterisk-plugins-speex-11.21.2-1.mga5
asterisk-plugins-sqlite-11.21.2-1.mga5
asterisk-plugins-tds-11.21.2-1.mga5
asterisk-plugins-osp-11.21.2-1.mga5
asterisk-plugins-unistim-11.21.2-1.mga5
asterisk-plugins-voicemail-11.21.2-1.mga5
asterisk-plugins-voicemail-imap-11.21.2-1.mga5
asterisk-plugins-voicemail-plain-11.21.2-1.mga5
asterisk-gui-11.21.2-1.mga5

from asterisk-11.21.2-1.mga5.src.rpm
Whiteboard: MGA5TOO => has_procedure
Severity: normal => major
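The advisory above states the exposure conditions precisely: an unfixed release (11.x before 11.21.1, or 13.x before 13.7.1 per the report) combined with a sip.conf timert1 greater than 1245. The following script is an added example, not Mageia's or Asterisk's own code; it parses an Asterisk-style sip.conf, reads timert1 from [general], and reports whether a given installed version still falls inside those conditions so an administrator can decide between patching and lowering the timer. The sample configuration is constructed, the 500 ms fallback for an unset timert1 is Asterisk's shipped default and is assumed here, and the parser deliberately ignores #include and template inheritance.

```python
# Added example (not Mageia's or Asterisk's own code): decide whether an
# Asterisk host matches the exposure conditions for CVE-2016-2316 as stated
# in AST-2016-002: chan_sip in an unfixed release (11.x before 11.21.1,
# 13.x before 13.7.1) with sip.conf timert1 set above 1245.
import re
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]

# Fixed releases taken from the advisory text; other branches are reported as unknown.
FIXED_IN: Dict[int, Version] = {11: (11, 21, 1), 13: (13, 7, 1)}
TIMERT1_LIMIT = 1245      # values above this are the condition named in the advisory
TIMERT1_DEFAULT = 500     # Asterisk's shipped sip.conf default in ms (assumed here)


def parse_version(text: str) -> Version:
    """Extract x.y.z from strings such as '11.21.2' or 'Asterisk 11.17.1'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if m is None:
        raise ValueError(f"no x.y.z version in {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)))


def parse_asterisk_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal parser for Asterisk's config dialect: [section] headers,
    'key=value' or 'key => value' lines and ';' comments.  Template markers
    such as [name](!) are stripped to the bare name; #include/#exec lines
    are skipped rather than followed."""
    sections: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()      # drop trailing comments
        if not line or line.startswith("#"):
            continue
        m = re.match(r"\[([^\]]+)\]", line)
        if m:
            current = m.group(1)
            sections.setdefault(current, {})
            continue
        if current is None:
            continue                              # key outside any section
        key, sep, value = line.partition("=")
        if not sep:
            continue
        # 'key => value' leaves a leading '>' on the value side; remove it
        sections[current][key.strip().lower()] = value.lstrip(">").strip()
    return sections


def timert1_setting(sections: Dict[str, Dict[str, str]]) -> int:
    """timert1 is read from [general]; fall back to the shipped default."""
    raw = sections.get("general", {}).get("timert1")
    return TIMERT1_DEFAULT if raw is None else int(raw)


def is_fixed(version: Version) -> Optional[bool]:
    """True/False for the branches named in the advisory, None if unknown."""
    fixed_at = FIXED_IN.get(version[0])
    return None if fixed_at is None else version >= fixed_at


def assess(version_text: str, sip_conf_text: str) -> dict:
    """Combine version and configuration into a single exposure verdict."""
    version = parse_version(version_text)
    t1 = timert1_setting(parse_asterisk_conf(sip_conf_text))
    fixed = is_fixed(version)
    exposed = fixed is False and t1 > TIMERT1_LIMIT
    return {"version": version, "fixed": fixed, "timert1": t1, "exposed": exposed}


# Constructed sample: the pre-update Mageia 5 build (11.17.1, as in the test
# log of this bug) with a large T1 timer in [general].
SAMPLE_SIP_CONF = """\
[general]
context=default          ; constructed sample, not a real deployment
timert1 => 2000          ; above the 1245 ms limit named in the advisory
[1001](!)
type=friend
"""

if __name__ == "__main__":
    for ver in ("Asterisk 11.17.1", "Asterisk 11.21.2", "13.7.1"):
        print(ver, assess(ver, SAMPLE_SIP_CONF))
```

Feed it the output of `asterisk -V` (or the version string printed by `asterisk -r`) and the contents of /etc/asterisk/sip.conf; a verdict of `exposed: True` means either the package update from this bug or a timert1 of 1245 or lower is needed, and `fixed: None` means the release branch is outside what the advisory text on this page covers.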
Fixed in Cauldron now by Oden. Thanks! Assigning to QA. Advisory, packages, and procedure in Comment 4.
CC: (none) => oe
Version: Cauldron => 5
Assignee: oe => qa-bugs
Testing this on x86_64.
CC: (none) => tarazed25
mga5 x86_64 Mate

Installed asterisk. Pulled in:
asterisk-core-sounds-en 1.4.22 5.mga5 noarch
asterisk-firmware 11.17.1 1.mga5 x86_64
asterisk-moh-opsound 20091226 5.mga5 noarch
asterisk-plugins-pktccops 11.17.1 1.mga5 x86_64
lib64asteriskssl1 11.17.1 1.mga5 x86_64
lib64iksemel3 1.4 7.mga5 x86_64
lib64ilbc0 1.1.1 5.mga5 x86_64
lib64nbs1 1.0 0.20040615.5> x86_64

asterisk-addons:
asterisk-plugins-mp3 11.17.1 1.mga5 x86_64
asterisk-plugins-mysql 11.17.1 1.mga5 x86_64
asterisk-plugins-ooh323 11.17.1 1.mga5 x86_64
asterisk-plugins-saycountpl 11.17.1 1.mga5 x86_64

Installed the rest of the packages singly. Ran the test recommended in comment #4.

After updating: All the packages installed cleanly.

I forgot to stop the previous instance of asterisk started before the updates.

[root@vega asterisk]# asterisk -vvvc
Privilege escalation protection disabled!
See https://wiki.asterisk.org/wiki/x/1gKfAQ for more details.
Asterisk already running on /run/asterisk/asterisk.ctl. Use 'asterisk -r' to connect.
[1]+ Done emacs -background white -foreground black -u lcl "$1"
[root@vega asterisk]# systemctl status asterisk.service
● asterisk.service - Asterisk PBX and telephony daemon.
   Loaded: loaded (/usr/lib/systemd/system/asterisk.service; enabled)
   Active: inactive (dead)
[root@vega asterisk]# systemctl disable asterisk.service
Removed symlink /etc/systemd/system/multi-user.target.wants/asterisk.service.
[root@vega asterisk]# systemctl stop asterisk.service

Neither of those commands helped so it was over to the kill command. Things worked fine after that.

At the CLI prompt tried 'timing test' because it looked safe. And it is true, there is no exit or quit command so use Ctrl C. This does actually kill asterisk.

If you run the procedure in a terminal with a white or pale background it is advisable to use the -B commandline option which temporarily switches to a dark background. This behaviour can be made permanent by editing /etc/asterisk/asterisk.conf.

I tried both approaches and they both worked.

Tested access from another terminal while the initial instance was running:

[root@vega lcl]# asterisk -r
< ------- snipped --------- >
Connected to Asterisk 11.21.2 currently running on vega (pid = 21444)
vega*CLI>
Whiteboard: has_procedure => has_procedure MGA5-64-OK
Not sure about the Ctrl C business now. Disconnected from the original instance with Ctrl C but found that the asterisk server was still running. It could still be accessed "remotely". And strangely enough the exit command worked in the other terminal:

vega*CLI> exit
Asterisk cleanly ending (0).
Executing last minute cleanups
[root@vega lcl]#

vega*CLI> core show help exit
No such command 'exit'.
vega*CLI> core show help kill
No such command 'kill'.
vega*CLI> core show help quit
No such command 'quit'.
vega*CLI> exit
Asterisk cleanly ending (0).
Executing last minute cleanups
[lcl@vega ~]$

Never mind.
mga5 i586 virtualbox Mate

Installed all the asterisk packages then updated them from updates/testing. All installed cleanly. Invoked asterisk under root and ran the simple tests. Checked that the -B option worked and accessed the asterisk server from another root terminal. After exiting the original session could get back to the server using 'asterisk -r'.

Validating this update. Could someone from sysadmin please push it to updates.
Keywords: (none) => validated_update
Whiteboard: has_procedure MGA5-64-OK => has_procedure MGA5-64-OK MGA5-32-OK
CC: (none) => sysadmin-bugs
Advisory uploaded.
Whiteboard: has_procedure MGA5-64-OK MGA5-32-OK => has_procedure advisory MGA5-64-OK MGA5-32-OK
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0086.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
We also fixed CVE-2016-2232 in this update:
http://downloads.asterisk.org/pub/security/AST-2016-003.html

LWN reference: http://lwn.net/Vulnerabilities/704697/