Upstream has issued an advisory on September 8: http://downloads.asterisk.org/pub/security/AST-2016-007.html The issue is fixed in versions 11.23.1 and 13.11.1.
Whiteboard: (none) => MGA5TOO
mga5 updated to 11.23.1
CC: (none) => mageia
Thanks Nicolas! Package dropped for now from Cauldron. Testing procedure: https://bugs.mageia.org/show_bug.cgi?id=11094#c5 Advisory: ======================== Updated asterisk packages fixes security vulnerability: The overlap dialing feature in chan_sip allows chan_sip to report to a device that the number that has been dialed is incomplete and more digits are required. If this functionality is used with a device that has performed username/password authentication RTP resources are leaked. This occurs because the code fails to release the old RTP resources before allocating new ones in this scenario. If all resources are used then RTP port exhaustion will occur and no RTP sessions are able to be set up (AST-2016-007). References: http://downloads.asterisk.org/pub/security/AST-2016-007.html ======================== Updated packages in core/updates_testing: ======================== asterisk-11.23.1-1.mga5 libasteriskssl1-11.23.1-1.mga5 asterisk-addons-11.23.1-1.mga5 asterisk-firmware-11.23.1-1.mga5 asterisk-devel-11.23.1-1.mga5 asterisk-plugins-corosync-11.23.1-1.mga5 asterisk-plugins-alsa-11.23.1-1.mga5 asterisk-plugins-calendar-11.23.1-1.mga5 asterisk-plugins-cel-11.23.1-1.mga5 asterisk-plugins-curl-11.23.1-1.mga5 asterisk-plugins-dahdi-11.23.1-1.mga5 asterisk-plugins-fax-11.23.1-1.mga5 asterisk-plugins-festival-11.23.1-1.mga5 asterisk-plugins-ices-11.23.1-1.mga5 asterisk-plugins-jabber-11.23.1-1.mga5 asterisk-plugins-jack-11.23.1-1.mga5 asterisk-plugins-lua-11.23.1-1.mga5 asterisk-plugins-ldap-11.23.1-1.mga5 asterisk-plugins-minivm-11.23.1-1.mga5 asterisk-plugins-mobile-11.23.1-1.mga5 asterisk-plugins-mp3-11.23.1-1.mga5 asterisk-plugins-mysql-11.23.1-1.mga5 asterisk-plugins-ooh323-11.23.1-1.mga5 asterisk-plugins-oss-11.23.1-1.mga5 asterisk-plugins-pktccops-11.23.1-1.mga5 asterisk-plugins-portaudio-11.23.1-1.mga5 asterisk-plugins-pgsql-11.23.1-1.mga5 asterisk-plugins-radius-11.23.1-1.mga5 asterisk-plugins-saycountpl-11.23.1-1.mga5 asterisk-plugins-skinny-11.23.1-1.mga5 asterisk-plugins-snmp-11.23.1-1.mga5 asterisk-plugins-speex-11.23.1-1.mga5 asterisk-plugins-sqlite-11.23.1-1.mga5 asterisk-plugins-tds-11.23.1-1.mga5 asterisk-plugins-osp-11.23.1-1.mga5 asterisk-plugins-unistim-11.23.1-1.mga5 asterisk-plugins-voicemail-11.23.1-1.mga5 asterisk-plugins-voicemail-imap-11.23.1-1.mga5 asterisk-plugins-voicemail-plain-11.23.1-1.mga5 asterisk-gui-11.23.1-1.mga5 from asterisk-11.23.1-1.mga5.src.rpm
Version: Cauldron => 5Assignee: oe => qa-bugsWhiteboard: MGA5TOO => (none)
Testing M5 x64 real hardware. BEFORE update: installed 'asterisk' which pulled in 10 packages, of which just 4 apply to this update: asterisk-11.21.2-1.mga5 asterisk-firmware-11.21.2-1.mga5 asterisk-plugins-pktccops-11.21.2-1.mga5 lib64asteriskssl1-11.21.2-1.mga5 There was a complaint about no user 'asterisk' nor group 'asterisk', so root would be necessary to run it. Suggesting that if these were pre-defined, they could be used instead. To fire up a controlling terminal, asterisk -cvvv produces a huge output; # asterisk -c[v] is sufficient. This terminates in a prompt: *CLI> Innocent asterisk commands to try are: help, core show help, timing test (or others from the list). From a *different* root terminal, to connect to the already running asterisk: # asterisk -r[v] The controlling terminal shows (with enough v's): -- Remote UNIX connection The connected terminal prompt is: <hostname>*CLI> All commands are available. Plus, for connected terminals, 'exit'. localhost*CLI> exit Asterisk cleanly ending (0). Executing last minute cleanups This shows on the controlling terminal (with enough v's): -- Remote UNIX connection disconnected # systemctl status asterisk â asterisk.service - Asterisk PBX and telephony daemon. Loaded: loaded (/usr/lib/systemd/system/asterisk.service; enabled) Active: inactive (dead) This output always seems to be the same, regardless. The controlling terminal has *no* exit or quit command, instead ^C: *CLI> Asterisk cleanly ending (0). Executing last minute cleanups A shutdown command available from both controlling & connected terminals: core stop gracefully # systemctl stop asterisk.service [in case, to apply the update] AFTER update, which was without incident: asterisk-11.23.1-1.mga5 asterisk-firmware-11.23.1-1.mga5 asterisk-plugins-pktccops-11.23.1-1.mga5 lib64asteriskssl1-11.23.1-1.mga5 All behaviour the same as before the update, EXCEPT that I noticed: core stop gracefully [whether from controlling or connected terminal] produced at the *controlling* terminal only: Segmentation fault I cannot find my equivalent test before the update; only the command from a connected terminal (-r) to asterisk already started: # asterisk Privilege escalation protection disabled! i.e. without a controlling terminal. I will re-try the original version for this tomorrow, to see whether it was always thus (= update OK) or is a reversion.
CC: (none) => lewyssmith
Continued from previous comment... I took out (updated) asterisk and its lib64, and re-installed them pre-update: asterisk-11.21.2-1.mga5 asterisk-firmware-11.21.2-1.mga5 asterisk-plugins-pktccops-11.21.2-1.mga5 lib64asteriskssl1-11.21.2-1.mga5 Fired up a controlling terminal: # asterisk -c ... *CLI> and a connected terminal: # asterisk -r ... localhost*CLI> I did this twice, first with 'core stop gracefully' from the connected terminal; second issued from the controlling terminal. Neither produced 'segmentation fault' on the controlling terminal as per post-upate. So this aspect of the update looks like a REVERSION, which may be unimportant.
Postscript on PRE-update asterisk. I found an obscure fault: if you fire up just a controlling terminal: # asterisk -c and end it with either ^C or 'core stop gracefully', its shell command prompt continues to function normally. If you then add a connected termial: # asterisk -r and terminate that with 'exit', still normal behaviour of the controlling terminal shell prompt (when you eventually get back to it). IF, however, you use 'core stop gracefully' from the connected terminal, that messes up the controlling terminal shell prompt: - Each one (<Enter>) follows on on the same line; - there is no command echoing - type blindly. However, output from the command appears. This happens ad infinitum despite re-starting asterisk -c. Only logging out/in restores normality. This at least seems to have been fixed by the update!
Whiteboard: (none) => feedback
Just tried asterisk 11.21.2-1 on a 64bit vbox and cannot reproduce this fault. It rings some distant bells but I cannot remember what were the circumstances. Anyway, currently, the fault is not there. Checked the command line on both terminals while they were both active, controlling terminal at shell prompt, then other terminal at shell prompt, then other terminal back to user, then other terminal closed. In all four cases the command line functioned normally. @lewis: Seems like your experience must have involved a special set of contingent circumstances. Most annoying when that happens.
CC: (none) => tarazed25
(In reply to Len Lawrence from comment #6) > Just tried asterisk 11.21.2-1 on a 64bit vbox and cannot reproduce this > fault > @lewis: Seems like your experience must have involved a special set of > contingent circumstances. Most annoying when that happens. Thanks Len for this follow-up. Accept both that it is a 'me special', and scarcely important anyway if it was solid. Hence am validating this update at last; advisory to follow.
Keywords: (none) => validated_updateWhiteboard: feedback => MGA5-64-OKCC: (none) => sysadmin-bugs
Whiteboard: MGA5-64-OK => MGA5-64-OK advisory
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2016-0344.html
Status: NEW => RESOLVEDResolution: (none) => FIXED
URL: (none) => http://lwn.net/Vulnerabilities/703987/
This is CVE-2016-7551: http://lwn.net/Vulnerabilities/704697/ According to: https://bugzilla.redhat.com/show_bug.cgi?id=1374733
Summary: asterisk new security issue AST-2016-007 => asterisk new security issue AST-2016-007 (CVE-2016-7551)