Mandriva Linux Security Advisory 2014-138 - Asterisk Open Source 11.x before 11.10.1 and 12.x before 12.3.1 and Certified Asterisk 11.6 before 11.6-cert3 allow remote authenticated Manager users to execute arbitrary shell commands via a MixMonitor action. Asterisk Open Source 1.8.x before 1.8.28.1, 11.x before 11.10.1, and 12.x before 12.3.1 and Certified Asterisk 1.8.15 before 1.8.15-cert6 and 11.6 before 11.6-cert3 allow remote attackers to cause a denial of service (connection consumption) via a large number of inactive or incomplete HTTP connections. The updated packages have been upgraded to the 11.11.0 version, which is not vulnerable to these issues.
d0b6e36b5ffeb369a37f9f40b9aca3279792173c43c84fd7774bdaa4ea81c34b
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
_______________________________________________________________________
Mandriva Linux Security Advisory MDVSA-2014:138
http://www.mandriva.com/en/support/security/
_______________________________________________________________________
Package : asterisk
Date : July 11, 2014
Affected: Business Server 1.0
_______________________________________________________________________
Problem Description:
Multiple vulnerabilities have been discovered and corrected in asterisk:
Asterisk Open Source 11.x before 11.10.1 and 12.x before 12.3.1 and
Certified Asterisk 11.6 before 11.6-cert3 allow remote authenticated
Manager users to execute arbitrary shell commands via a MixMonitor
action (CVE-2014-4046).
Asterisk Open Source 1.8.x before 1.8.28.1, 11.x before 11.10.1, and
12.x before 12.3.1 and Certified Asterisk 1.8.15 before 1.8.15-cert6
and 11.6 before 11.6-cert3 allow remote attackers to cause a denial of
service (connection consumption) via a large number of (1) inactive or
(2) incomplete HTTP connections (CVE-2014-4047).
The updated packages have been upgraded to the 11.11.0 version, which
is not vulnerable to these issues.
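The affected ranges above differ per CVE (1.8.x is listed only for CVE-2014-4047) and mix Open Source releases with Certified Asterisk -certN builds, so checking a host by eye is error-prone. The following checker is an added example, not part of the Mandriva advisory or of the Asterisk project: it parses a version out of a bare version string, the first line of `asterisk -rx 'core show version'`, or an RPM name like those listed below, and reports which of the two CVEs that version falls under. The `certified/<base>-certN` form assumed for Certified Asterisk output is an assumption, and the sample strings in the demo are constructed.

```python
"""Classify an Asterisk version against the ranges MDVSA-2014:138 lists as
affected by CVE-2014-4046 (AST-2014-006) and CVE-2014-4047 (AST-2014-007).
Added example; not the advisory's or Asterisk's own code."""
import re

# First fixed release on each branch, exactly as the problem description gives
# them. Open Source branches map to a version tuple; Certified Asterisk
# branches map to the first fixed -certN number for that base version.
FIXED = {
    "CVE-2014-4046": {
        "open": {(11,): (11, 10, 1), (12,): (12, 3, 1)},
        "cert": {"11.6": 3},
    },
    "CVE-2014-4047": {
        "open": {(1, 8): (1, 8, 28, 1), (11,): (11, 10, 1), (12,): (12, 3, 1)},
        "cert": {"1.8.15": 6, "11.6": 3},
    },
}

# Assumed format of Certified Asterisk version output, e.g. "certified/11.6-cert2".
_CERT_RE = re.compile(r"(?:certified/)?(\d+\.\d+(?:\.\d+)?)-cert(\d+)")
# Open Source release: three or four dotted numbers not embedded in a longer number.
_OPEN_RE = re.compile(r"(?<![\d.])(\d+\.\d+\.\d+(?:\.\d+)?)(?![\d.])")


def parse_version(text):
    """Return ("cert", base, n) for Certified Asterisk, ("open", tuple) for an
    Open Source release, or None if no version is recognisable in `text`."""
    m = _CERT_RE.search(text)
    if m:
        return ("cert", m.group(1), int(m.group(2)))
    m = _OPEN_RE.search(text)
    if m:
        return ("open", tuple(int(p) for p in m.group(1).split(".")))
    return None


def _branch(parts):
    # 1.8.x is identified by its first two components, 11.x and 12.x by the first.
    return parts[:2] if parts[0] == 1 else parts[:1]


def vulnerable_cves(text):
    """Return the sorted list of CVE IDs from this advisory that the version in
    `text` is affected by. Raises ValueError when no version can be parsed or
    when the branch is one the advisory does not cover: an uncovered branch is
    unknown, not safe, so it must not silently come back as an empty list."""
    parsed = parse_version(text)
    if parsed is None:
        raise ValueError("no Asterisk version found in %r" % text)
    hits = []
    covered = False
    for cve, ranges in FIXED.items():
        if parsed[0] == "cert":
            _, base, n = parsed
            if base in ranges["cert"]:
                covered = True
                if n < ranges["cert"][base]:
                    hits.append(cve)
        else:
            parts = parsed[1]
            fixed = ranges["open"].get(_branch(parts))
            if fixed is not None:
                covered = True
                if parts < fixed:  # tuple comparison: (11, 10, 0) < (11, 10, 1)
                    hits.append(cve)
    if not covered:
        raise ValueError("branch of %r is not covered by MDVSA-2014:138" % text)
    return sorted(hits)


if __name__ == "__main__":
    # Constructed samples: one 'core show version' line, one Certified build,
    # and two RPM names in the format used in this advisory's package list.
    samples = [
        "Asterisk 11.10.0 built by root @ build on a x86_64 running Linux",
        "Asterisk certified/11.6-cert2 built by root @ build",
        "asterisk-1.8.28.0-1.mbs1.x86_64",
        "asterisk-11.11.0-1.mbs1.x86_64",
    ]
    for s in samples:
        print("%-70s %s" % (s, vulnerable_cves(s) or "not affected"))
```

On a Mandriva host the two realistic inputs are `rpm -q asterisk` (the RPM name form) and `asterisk -rx 'core show version'`; feed either line to `vulnerable_cves()`. A result of `[]` means the version is at or past the fixed release on a branch this advisory covers; a `ValueError` for the branch means the advisory says nothing about it and a different source must be consulted.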
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4046
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4047
http://downloads.asterisk.org/pub/security/AST-2014-006.html
http://downloads.asterisk.org/pub/security/AST-2014-007.html
http://downloads.asterisk.org/pub/telephony/asterisk/asterisk-11.11.0-summary.html
_______________________________________________________________________
Updated Packages:
Mandriva Business Server 1/X86_64:
e937dd2a5d9f6a67df27e4dd6454398f mbs1/x86_64/asterisk-11.11.0-1.mbs1.x86_64.rpm
a85725b66368b25457533a4c3e877055 mbs1/x86_64/asterisk-addons-11.11.0-1.mbs1.x86_64.rpm
ffdc1c8d1f292326e777200506b29f94 mbs1/x86_64/asterisk-devel-11.11.0-1.mbs1.x86_64.rpm
1b4fe1e6f4cfc0405cd9f43bc942ed91 mbs1/x86_64/asterisk-firmware-11.11.0-1.mbs1.x86_64.rpm
f594da1396d28e51c6d784fb468f618a mbs1/x86_64/asterisk-gui-11.11.0-1.mbs1.x86_64.rpm
171e3ff869f721589b7a48b0081c6afc mbs1/x86_64/asterisk-plugins-alsa-11.11.0-1.mbs1.x86_64.rpm
1f48820459d336ae4dd483c2a6576227 mbs1/x86_64/asterisk-plugins-calendar-11.11.0-1.mbs1.x86_64.rpm
7b882ebbbc3417bf322b9234c623f781 mbs1/x86_64/asterisk-plugins-cel-11.11.0-1.mbs1.x86_64.rpm
d7ce1a6e8eba5895fb08803c372eb285 mbs1/x86_64/asterisk-plugins-corosync-11.11.0-1.mbs1.x86_64.rpm
c12c986e12a9ae1acefd1353f1c1c2da mbs1/x86_64/asterisk-plugins-curl-11.11.0-1.mbs1.x86_64.rpm
9afd8b3c8eb7f5f8a0575b49e25cf6b8 mbs1/x86_64/asterisk-plugins-dahdi-11.11.0-1.mbs1.x86_64.rpm
945fbfc96c1c86eea0f6748e23793bdf mbs1/x86_64/asterisk-plugins-fax-11.11.0-1.mbs1.x86_64.rpm
65be6c1cda3dcf1c5a6b2522a88ce61e mbs1/x86_64/asterisk-plugins-festival-11.11.0-1.mbs1.x86_64.rpm
ca4d24b7d09bb0dd8f09fbd57c4e2e49 mbs1/x86_64/asterisk-plugins-ices-11.11.0-1.mbs1.x86_64.rpm
871cbd9c538462b999ea0ab4e706ecda mbs1/x86_64/asterisk-plugins-jabber-11.11.0-1.mbs1.x86_64.rpm
1c267d79e68ec6e6a446088dc213721b mbs1/x86_64/asterisk-plugins-jack-11.11.0-1.mbs1.x86_64.rpm
3a67da30600e5d3990b78160e067160f mbs1/x86_64/asterisk-plugins-ldap-11.11.0-1.mbs1.x86_64.rpm
12cd5d29582b4b876136a1cfa61002c6 mbs1/x86_64/asterisk-plugins-lua-11.11.0-1.mbs1.x86_64.rpm
15c973274e70c0fe71e56d92b43f8f71 mbs1/x86_64/asterisk-plugins-minivm-11.11.0-1.mbs1.x86_64.rpm
a83fcc142030a10ff5c4bb88cb105214 mbs1/x86_64/asterisk-plugins-mobile-11.11.0-1.mbs1.x86_64.rpm
a72a75d828dbfca4eeedb7435bdc63e6 mbs1/x86_64/asterisk-plugins-mp3-11.11.0-1.mbs1.x86_64.rpm
d96a752e43350807ac4ff68b7466502c mbs1/x86_64/asterisk-plugins-mysql-11.11.0-1.mbs1.x86_64.rpm
4879f8e873b4ac4e422edc659cabadd3 mbs1/x86_64/asterisk-plugins-ooh323-11.11.0-1.mbs1.x86_64.rpm
2a92bc419c61f00040c318d237145cf1 mbs1/x86_64/asterisk-plugins-osp-11.11.0-1.mbs1.x86_64.rpm
856119d1c534646d70bada4e47a3bbdb mbs1/x86_64/asterisk-plugins-oss-11.11.0-1.mbs1.x86_64.rpm
e30513f32093f40e53cc4cddc4b5d3ad mbs1/x86_64/asterisk-plugins-pgsql-11.11.0-1.mbs1.x86_64.rpm
8474c401e4a99e2ec78fed586ea29df7 mbs1/x86_64/asterisk-plugins-pktccops-11.11.0-1.mbs1.x86_64.rpm
e81f8d782fc2b8b5cc46af2f74fc0f22 mbs1/x86_64/asterisk-plugins-portaudio-11.11.0-1.mbs1.x86_64.rpm
e0b4ec334a8d767854491a3c60b45f6f mbs1/x86_64/asterisk-plugins-radius-11.11.0-1.mbs1.x86_64.rpm
617c199316459e7cbda7967f08216672 mbs1/x86_64/asterisk-plugins-saycountpl-11.11.0-1.mbs1.x86_64.rpm
dde610fd41678c059933ccb323a250cd mbs1/x86_64/asterisk-plugins-skinny-11.11.0-1.mbs1.x86_64.rpm
d4f765ec860ebdf55dbb518efd2b845c mbs1/x86_64/asterisk-plugins-snmp-11.11.0-1.mbs1.x86_64.rpm
e31ed77900b96e46f9c2a42f0513187b mbs1/x86_64/asterisk-plugins-speex-11.11.0-1.mbs1.x86_64.rpm
3fdbeb88ba4e98996da0c9d81ebea36b mbs1/x86_64/asterisk-plugins-sqlite-11.11.0-1.mbs1.x86_64.rpm
350710fb047822f4c324b5ea59e8d739 mbs1/x86_64/asterisk-plugins-tds-11.11.0-1.mbs1.x86_64.rpm
81dcd84e21f072233117a229ea3bc562 mbs1/x86_64/asterisk-plugins-unistim-11.11.0-1.mbs1.x86_64.rpm
2b101c552b57f690a446df8113390704 mbs1/x86_64/asterisk-plugins-voicemail-11.11.0-1.mbs1.x86_64.rpm
dd8c065364100baf3b96e934e20bfefc mbs1/x86_64/asterisk-plugins-voicemail-imap-11.11.0-1.mbs1.x86_64.rpm
85f0f40e43c629c88a29ccdd20c71b38 mbs1/x86_64/asterisk-plugins-voicemail-plain-11.11.0-1.mbs1.x86_64.rpm
e9ae8fa821f0eeacf8eb22e2930a2ac3 mbs1/x86_64/lib64asteriskssl1-11.11.0-1.mbs1.x86_64.rpm
9a59a28dedab183fc986073f01f1349f mbs1/SRPMS/asterisk-11.11.0-1.mbs1.src.rpm
_______________________________________________________________________
To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.
All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:
gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
You can view other update advisories for Mandriva Linux at:
http://www.mandriva.com/en/support/security/advisories/
If you want to report vulnerabilities, please contact
security_(at)_mandriva.com
_______________________________________________________________________
Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
iD8DBQFTwADlmqjQ0CJFipgRAua2AKDf0+x4jdGeFbFSm4nbib2x47rXNQCgt4fX
I2hW2Up5RkUxYP2NaWrHvXc=
=oJ2k
-----END PGP SIGNATURE-----