Asterisk: Multiple vulnerabilities
1.
Gentoo Linux Security Advisory
Version Information
| Advisory Reference |
GLSA 201209-15 / asterisk |
| Release Date |
September 26, 2012 |
| Latest Revision |
September 26, 2012: 1 |
| Impact |
normal |
| Exploitable |
remote |
| Package |
Vulnerable versions |
Unaffected versions |
Architecture(s) |
| net-misc/asterisk |
<
1.8.15.1 |
>=
1.8.15.1 |
All supported architectures
|
Related bugreports:
#425050, #433750
Synopsis
Multiple vulnerabilities have been found in Asterisk, the worst of
which may allow execution of arbitrary code.
2.
Impact Information
Background
Asterisk is an open source telephony engine and toolkit.
Description
Multiple vulnerabilities have been found in Asterisk:
- An error in manager.c allows shell access (CVE-2012-2186).
- An error in Asterisk could cause all RTP ports to be exhausted
(CVE-2012-3812).
- A double-free error could occur when two parties attempt to
manipulate the same voicemail account simultaneously (CVE-2012-3863).
- Asterisk does not properly implement certain ACL rules
(CVE-2012-4737).
Impact
A remote, authenticated attacker could execute arbitrary code with the
privileges of the process, cause a Denial of Service condition, or bypass
outbound call restrictions.
3.
Resolution Information
Workaround
There is no known workaround at this time.
Resolution
All Asterisk users should upgrade to the latest version:
Code Listing 3.1: Resolution |
# emerge --sync
# emerge --ask --oneshot --verbose ">=net-misc/asterisk-1.8.15.1"
|
4.
References
|
