-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2014:138
 http://www.mandriva.com/en/support/security/
 _______________________________________________________________________

 Package : asterisk
 Date    : July 11, 2014
 Affected: Business Server 1.0
 _______________________________________________________________________

 Problem Description:

 Multiple vulnerabilities have been discovered and corrected in asterisk:

 Asterisk Open Source 11.x before 11.10.1 and 12.x before 12.3.1 and
 Certified Asterisk 11.6 before 11.6-cert3 allow remote authenticated
 Manager users to execute arbitrary shell commands via a MixMonitor
 action (CVE-2014-4046).

 Asterisk Open Source 1.8.x before 1.8.28.1, 11.x before 11.10.1, and
 12.x before 12.3.1 and Certified Asterisk 1.8.15 before 1.8.15-cert6
 and 11.6 before 11.6-cert3 allow remote attackers to cause a denial
 of service (connection consumption) via a large number of (1) inactive
 or (2) incomplete HTTP connections (CVE-2014-4047).

 The updated packages have been upgraded to the 11.11.0 version, which
 is not vulnerable to these issues.
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4046
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4047
 http://downloads.asterisk.org/pub/security/AST-2014-006.html
 http://downloads.asterisk.org/pub/security/AST-2014-007.html
 http://downloads.asterisk.org/pub/telephony/asterisk/asterisk-11.11.0-summary.html
 _______________________________________________________________________

 Updated Packages:

 Mandriva Business Server 1/X86_64:
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi. The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security. You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/en/support/security/advisories/

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iD8DBQFTwADlmqjQ0CJFipgRAua2AKDf0+x4jdGeFbFSm4nbib2x47rXNQCgt4fX
I2hW2Up5RkUxYP2NaWrHvXc=
=oJ2k
-----END PGP SIGNATURE-----
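
An added example, not part of the Mandriva advisory or of Asterisk itself: a triage helper that maps an upstream Asterisk version string to the CVEs named in the Problem Description, using only the version boundaries stated there. The function names are this example's own, and it assumes versions arrive in upstream form (`11.10.0`, `11.6-cert2`) without a distribution release suffix.

```python
import re

# First fixed release per branch, copied from the advisory's Problem Description.
# "open" branches map to a fixed version tuple, "cert" branches to a fixed cert number.
FIXES = {
    "CVE-2014-4046": {
        ("open", (11,)): (11, 10, 1),
        ("open", (12,)): (12, 3, 1),
        ("cert", (11, 6)): 3,
    },
    "CVE-2014-4047": {
        ("open", (1, 8)): (1, 8, 28, 1),
        ("open", (11,)): (11, 10, 1),
        ("open", (12,)): (12, 3, 1),
        ("cert", (1, 8, 15)): 6,
        ("cert", (11, 6)): 3,
    },
}

def parse_version(version):
    """Return (kind, numeric tuple, cert number or None) for an upstream version."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:-cert(\d+))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised Asterisk version: {version!r}")
    nums = tuple(int(p) for p in m.group(1).split("."))
    if m.group(2) is not None:
        return "cert", nums, int(m.group(2))
    return "open", nums, None

def affected_cves(version):
    """List the advisory's CVEs that apply to this version (empty list if none)."""
    kind, nums, cert = parse_version(version)
    hits = []
    for cve, branches in FIXES.items():
        for (branch_kind, prefix), fixed in branches.items():
            if branch_kind != kind:
                continue
            if kind == "cert":
                # Certified releases are compared by cert number within one base.
                if nums == prefix and cert < fixed:
                    hits.append(cve)
            elif nums[:len(prefix)] == prefix and nums < fixed:
                # Tuple comparison treats 11.10 as older than 11.10.1.
                hits.append(cve)
    return sorted(hits)

if __name__ == "__main__":
    for v in ("11.10.0", "1.8.28.0", "11.6-cert2", "1.8.15-cert5", "11.11.0"):
        print(v, affected_cves(v) or "not affected by MDVSA-2014:138")
```

Branches the advisory does not mention (for example 10.x) return an empty list, which means "not covered by this advisory", not "known safe".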