Asterisk: Multiple vulnerabilities
1.
Gentoo Linux Security Advisory
Version Information
| Advisory Reference |
GLSA 201203-21 / Asterisk |
| Release Date |
March 28, 2012 |
| Latest Revision |
March 28, 2012: 1 |
| Impact |
high |
| Exploitable |
remote |
| Package |
Vulnerable versions |
Unaffected versions |
Architecture(s) |
| net-misc/asterisk |
<
1.8.10.1 |
>=
1.8.10.1 |
All supported architectures
|
Related bugreports:
#408431
Synopsis
Multiple vulnerabilities have been found in Asterisk, the worst of
which may allow execution of arbitrary code.
2.
Impact Information
Background
Asterisk is an open source telephony engine and toolkit.
Description
Two vulnerabilities have been found in Asterisk:
- The "milliwatt_generate()" function in app_milliwatt.c is vulnerable
to a stack overrun (AST-2012-002).
- The "ast_parse_digest()" function in utils.c is vulnerable to a
stack-based buffer overflow (AST-2012-003).
Impact
A remote unauthenticated attacker could execute arbitrary code or cause
a Denial of Service condition.
3.
Resolution Information
Workaround
There is no known workaround at this time.
Resolution
All Asterisk users should upgrade to the latest version:
Code Listing 3.1: Resolution |
# emerge --sync
# emerge --ask --oneshot --verbose ">=net-misc/asterisk-1.8.10.1"
|
4.
References
|
