Debian Bug report logs - #732355
asterisk: Two Asterisk security issues


Package: asterisk; Maintainer for asterisk is Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>; Source for asterisk is src:asterisk.

Reported by: Moritz Muehlenhoff <jmm@inutil.org>

Date: Tue, 17 Dec 2013 06:45:01 UTC

Severity: grave

Tags: security

Fixed in versions asterisk/1:11.7.0~dfsg-1, asterisk/1:1.6.2.9-2+squeeze12

Done: Tzafrir Cohen <tzafrir@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>:
Bug#732355; Package asterisk. (Tue, 17 Dec 2013 06:45:06 GMT) Full text and rfc822 format available.

Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>. (Tue, 17 Dec 2013 06:45:06 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: asterisk: Two Asterisk security issues
Date: Tue, 17 Dec 2013 07:33:53 +0100
Package: asterisk
Severity: grave
Tags: security

Hi,
please see
http://downloads.asterisk.org/pub/security/AST-2013-006.html and
http://downloads.asterisk.org/pub/security/AST-2013-007.html

Cheers,
        Moritz



Information forwarded to debian-bugs-dist@lists.debian.org, Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>:
Bug#732355; Package asterisk. (Tue, 17 Dec 2013 16:09:12 GMT) Full text and rfc822 format available.

Acknowledgement sent to Tzafrir Cohen <tzafrir.cohen@xorcom.com>:
Extra info received and forwarded to list. Copy sent to Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>. (Tue, 17 Dec 2013 16:09:12 GMT) Full text and rfc822 format available.

Message #10 received at 732355@bugs.debian.org (full text, mbox):

From: Tzafrir Cohen <tzafrir.cohen@xorcom.com>
To: Moritz Muehlenhoff <jmm@inutil.org>, 732355@bugs.debian.org
Subject: Re: Bug#732355: asterisk: Two Asterisk security issues
Date: Tue, 17 Dec 2013 17:55:14 +0200
On Tue, Dec 17, 2013 at 07:33:53AM +0100, Moritz Muehlenhoff wrote:
> Package: asterisk
> Severity: grave
> Tags: security
> 
> Hi,
> please see
> http://downloads.asterisk.org/pub/security/AST-2013-006.html and
> http://downloads.asterisk.org/pub/security/AST-2013-007.html

Looking at them. At first glance: both of them also affect 1.6.2 from
old-stable. AST-2013-007 introduces a new configuration item and we have
to see what the sane default for it should be.

-- 
               Tzafrir Cohen
icq#16849755              jabber:tzafrir.cohen@xorcom.com
+972-50-7952406           mailto:tzafrir.cohen@xorcom.com
http://www.xorcom.com



Information forwarded to debian-bugs-dist@lists.debian.org, Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>:
Bug#732355; Package asterisk. (Tue, 17 Dec 2013 17:27:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>. (Tue, 17 Dec 2013 17:27:04 GMT) Full text and rfc822 format available.

Message #15 received at 732355@bugs.debian.org (full text, mbox):

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Tzafrir Cohen <tzafrir.cohen@xorcom.com>
Cc: 732355@bugs.debian.org
Subject: Re: Bug#732355: asterisk: Two Asterisk security issues
Date: Tue, 17 Dec 2013 18:17:09 +0100
On Tue, Dec 17, 2013 at 05:55:14PM +0200, Tzafrir Cohen wrote:
> On Tue, Dec 17, 2013 at 07:33:53AM +0100, Moritz Muehlenhoff wrote:
> > Package: asterisk
> > Severity: grave
> > Tags: security
> > 
> > Hi,
> > please see
> > http://downloads.asterisk.org/pub/security/AST-2013-006.html and
> > http://downloads.asterisk.org/pub/security/AST-2013-007.html
> 
> Looking at them. At first glance: both of them also affect 1.6.2 from
> old-stable. AST-2013-007 introduces a new configuration item and we have
> to see what the sane default for it should be.

I think we should follow upstream and keep live_dangerously activated.
We can add a note to the advisory about what setting must be tweaked.

Cheers,
        Moritz



Reply sent to Jeremy Lainé <jeremy.laine@m4x.org>:
You have taken responsibility. (Wed, 18 Dec 2013 09:21:10 GMT) Full text and rfc822 format available.

Notification sent to Moritz Muehlenhoff <jmm@inutil.org>:
Bug acknowledged by developer. (Wed, 18 Dec 2013 09:21:10 GMT) Full text and rfc822 format available.

Message #20 received at 732355-close@bugs.debian.org (full text, mbox):

From: Jeremy Lainé <jeremy.laine@m4x.org>
To: 732355-close@bugs.debian.org
Subject: Bug#732355: fixed in asterisk 1:11.7.0~dfsg-1
Date: Wed, 18 Dec 2013 09:19:36 +0000
Source: asterisk
Source-Version: 1:11.7.0~dfsg-1

We believe that the bug you reported is fixed in the latest version of
asterisk, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 732355@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jeremy Lainé <jeremy.laine@m4x.org> (supplier of updated asterisk package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Wed, 18 Dec 2013 09:47:58 +0100
Source: asterisk
Binary: asterisk asterisk-modules asterisk-dahdi asterisk-vpb asterisk-voicemail asterisk-voicemail-imapstorage asterisk-voicemail-odbcstorage asterisk-ooh323 asterisk-mp3 asterisk-mysql asterisk-mobile asterisk-doc asterisk-dev asterisk-dbg asterisk-config
Architecture: source amd64 all
Version: 1:11.7.0~dfsg-1
Distribution: unstable
Urgency: high
Maintainer: Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>
Changed-By: Jeremy Lainé <jeremy.laine@m4x.org>
Description: 
 asterisk   - Open Source Private Branch Exchange (PBX)
 asterisk-config - Configuration files for Asterisk
 asterisk-dahdi - DAHDI devices support for the Asterisk PBX
 asterisk-dbg - Debugging symbols for Asterisk
 asterisk-dev - Development files for Asterisk
 asterisk-doc - Source code documentation for Asterisk
 asterisk-mobile - Bluetooth phone support for the Asterisk PBX
 asterisk-modules - loadable modules for the Asterisk PBX
 asterisk-mp3 - MP3 playback support for the Asterisk PBX
 asterisk-mysql - MySQL database protocol support for the Asterisk PBX
 asterisk-ooh323 - H.323 protocol support for the Asterisk PBX - ooH323c
 asterisk-voicemail - simple voicemail support for the Asterisk PBX
 asterisk-voicemail-imapstorage - IMAP voicemail storage support for the Asterisk PBX
 asterisk-voicemail-odbcstorage - ODBC voicemail storage support for the Asterisk PBX
 asterisk-vpb - VoiceTronix devices support for the Asterisk PBX
Closes: 732355 732419
Changes: 
 asterisk (1:11.7.0~dfsg-1) unstable; urgency=high
 .
   * New upstream security release (Closes: #732355).
     - Drop astdb_mans patch, fixed upstream.
   * Fix versioned Breaks/Replaces for asterisk-dahdi (Closes: #732419).





Information forwarded to debian-bugs-dist@lists.debian.org, Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>:
Bug#732355; Package asterisk. (Fri, 20 Dec 2013 13:15:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Tzafrir Cohen <tzafrir.cohen@xorcom.com>:
Extra info received and forwarded to list. Copy sent to Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>. (Fri, 20 Dec 2013 13:15:04 GMT) Full text and rfc822 format available.

Message #25 received at 732355@bugs.debian.org (full text, mbox):

From: Tzafrir Cohen <tzafrir.cohen@xorcom.com>
To: Moritz Muehlenhoff <jmm@inutil.org>
Cc: 732355@bugs.debian.org
Subject: Re: Bug#732355: asterisk: Two Asterisk security issues
Date: Fri, 20 Dec 2013 15:12:05 +0200
On Tue, Dec 17, 2013 at 06:17:09PM +0100, Moritz Muehlenhoff wrote:
> On Tue, Dec 17, 2013 at 05:55:14PM +0200, Tzafrir Cohen wrote:
> > On Tue, Dec 17, 2013 at 07:33:53AM +0100, Moritz Muehlenhoff wrote:
> > > Package: asterisk
> > > Severity: grave
> > > Tags: security
> > > 
> > > Hi,
> > > please see
> > > http://downloads.asterisk.org/pub/security/AST-2013-006.html and
> > > http://downloads.asterisk.org/pub/security/AST-2013-007.html
> > 
> > Looking at them. At first glance: both of them also affect 1.6.2 from
> > old-stable. AST-2013-007 introduces a new configuration item and we have
> > to see what the sane default for it should be.
> 
> I think we should follow upstream and keep live_dangerously activated.
> We can add a note to the advisory about what setting must be tweaked.

Attached are debdiffs for oldstable and stable uploads. I couldn't find
CVE entries.

I added an extra bug fix to help me patch the issue, for a bug that is
marginally a remote crash bug:
https://issues.asterisk.org/jira/browse/ASTERISK-20658
(Asterisk Realtime means getting some of Asterisk's configuration from a
database)


More on AST-2013-007:

(maybe shorten it a bit?)

Asterisk employs in its dialplan and various other places a syntax for
variable expansion: ${VAR} expands the value of ${VAR}. Similarly there
are also some functions that use a similar syntax: ${RANDOM(5)} or
${CUT(20-30-40,-,2)}. Some are more potent, however, such as SHELL
(run a shell command and return the output).

The variables were primarily meant for the Asterisk dialplan, but may be
accessed through several other interfaces. For instance, the AMI
(Asterisk Manager Interface) provides a GetVar command. This will also
expand functions.

With the fix for AST-2013-007, a new knob was added in order to allow
the system administrator to disable expansion of "dangerous" functions
(such as SHELL()) from any interface which is not the dialplan. In
Stable and Oldstable this knob is disabled by default. To enable it add
the following line to the section '[options]' in
/etc/asterisk/asterisk.conf (and restart asterisk)

  live_dangerously = no

-- 
               Tzafrir Cohen
icq#16849755              jabber:tzafrir.cohen@xorcom.com
+972-50-7952406           mailto:tzafrir.cohen@xorcom.com
http://www.xorcom.com



Information forwarded to debian-bugs-dist@lists.debian.org, Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>:
Bug#732355; Package asterisk. (Fri, 20 Dec 2013 13:18:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Tzafrir Cohen <tzafrir.cohen@xorcom.com>:
Extra info received and forwarded to list. Copy sent to Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>. (Fri, 20 Dec 2013 13:18:04 GMT) Full text and rfc822 format available.

Message #30 received at 732355@bugs.debian.org (full text, mbox):

From: Tzafrir Cohen <tzafrir.cohen@xorcom.com>
To: Moritz Muehlenhoff <jmm@inutil.org>
Cc: 732355@bugs.debian.org
Subject: Re: Bug#732355: asterisk: Two Asterisk security issues
Date: Fri, 20 Dec 2013 15:14:00 +0200
[Message part 1 (text/plain, inline)]
On Tue, Dec 17, 2013 at 06:17:09PM +0100, Moritz Muehlenhoff wrote:
> On Tue, Dec 17, 2013 at 05:55:14PM +0200, Tzafrir Cohen wrote:
> > On Tue, Dec 17, 2013 at 07:33:53AM +0100, Moritz Muehlenhoff wrote:
> > > Package: asterisk
> > > Severity: grave
> > > Tags: security
> > > 
> > > Hi,
> > > please see
> > > http://downloads.asterisk.org/pub/security/AST-2013-006.html and
> > > http://downloads.asterisk.org/pub/security/AST-2013-007.html
> > 
> > Looking at them. At first glance: both of them also affect 1.6.2 from
> > old-stable. AST-2013-007 introduces a new configuration item and we have
> > to see what the sane default for it should be.
> 
> I think we should follow upstream and keep live_dangerously activated.
> We can add a note to the advisory about what setting must be tweaked.

Attached are debdiffs for oldstable and stable uploads. I couldn't find
CVE entries.

I added an extra bug fix to help me patch the issue, for a bug that is
marginally a remote crash bug:
https://issues.asterisk.org/jira/browse/ASTERISK-20658
(Asterisk Realtime means getting some of Asterisk's configuration from a
database)


More on AST-2013-007:

(maybe shorten it a bit?)

Asterisk employs in its dialplan and various other places a syntax for
variable expansion: ${VAR} expands the value of ${VAR}. Similarly there
are also some functions that use a similar syntax: ${RANDOM(5)} or
${CUT(20-30-40,-,2)}. Some are more potent, however, such as SHELL
(run a shell command and return the output).

The variables were primarily meant for the Asterisk dialplan, but may be
accessed through several other interfaces. For instance, the AMI
(Asterisk Manager Interface) provides a GetVar command. This will also
expand functions.

With the fix for AST-2013-007, a new knob was added in order to allow
the system administrator to disable expansion of "dangerous" functions
(such as SHELL()) from any interface which is not the dialplan. In
Stable and Oldstable this knob is disabled by default. To enable it add
the following line to the section '[options]' in
/etc/asterisk/asterisk.conf (and restart asterisk)

  live_dangerously = no

-- 
               Tzafrir Cohen
icq#16849755              jabber:tzafrir.cohen@xorcom.com
+972-50-7952406           mailto:tzafrir.cohen@xorcom.com
http://www.xorcom.com
[asterisk_1.8.13.1~dfsg-3+deb7u2.debdiff (text/plain, attachment)]
[asterisk_1.6.2.9-2+squeeze12.debdiff (text/plain, attachment)]
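A small model of the knob described in the two messages above, as an added example that is not part of the bug report, of Asterisk itself, or of the Debian package: it scans a ${...} string for function calls, refuses the dangerous ones from any source that is not the dialplan unless live_dangerously is on, and audits the [options] section of an asterisk.conf for the setting. Assumptions: SHELL is the only dangerous function (the page names no other); the scanner is a simplification of Asterisk's real expansion parser; the accepted spellings of "no" follow Asterisk's usual yes/no handling.

```python
import re

# Constructed: the page names SHELL as the canonical dangerous function; a real
# deployment would carry the full list that Asterisk flags as dangerous.
DANGEROUS_FUNCTIONS = frozenset({"SHELL"})

# ${NAME} is a variable, ${NAME(args)} a function call.
NAME_RE = re.compile(r"\s*([A-Za-z_][A-Za-z0-9_]*)\s*(\()?")


def find_expansions(text):
    """Return (NAME, is_function) for every ${...} in text, including ones
    nested inside function arguments such as ${CUT(${X},-,2)}."""
    found = []
    i = 0
    while True:
        start = text.find("${", i)
        if start < 0:
            return found
        depth, j = 0, start
        while j < len(text):          # find the matching closing brace
            if text.startswith("${", j):
                depth += 1
                j += 2
                continue
            if text[j] == "}":
                depth -= 1
                if depth == 0:
                    break
            j += 1
        else:
            return found              # unterminated ${ ... : stop scanning
        body = text[start + 2:j]
        m = NAME_RE.match(body)
        if m:
            is_function = m.group(2) is not None
            found.append((m.group(1).upper(), is_function))
            if is_function:           # arguments may contain further expansions
                found.extend(find_expansions(body[m.end():]))
        i = j + 1


def expand_allowed(text, source, live_dangerously):
    """Apply the knob: with live_dangerously off, dangerous functions are
    refused from any interface that is not the dialplan (e.g. AMI GetVar).
    Returns (allowed, dangerous_functions_seen)."""
    dangerous = sorted({name for name, is_fn in find_expansions(text)
                        if is_fn and name in DANGEROUS_FUNCTIONS})
    if source == "dialplan" or live_dangerously:
        return True, dangerous        # dialplan is never guarded; knob on = old behaviour
    return not dangerous, dangerous


def live_dangerously_setting(conf_text):
    """Return the live_dangerously value from [options] in asterisk.conf, or
    None when it is unset (the Stable/Oldstable default the page describes)."""
    section, value = None, None
    for raw in conf_text.splitlines():
        line = raw.split(";", 1)[0].strip()   # ';' starts a comment
        if not line:
            continue
        if line.startswith("["):
            section = line[1:].split("]", 1)[0].strip().lower()
            continue
        if section == "options" and "=" in line:
            key, _, val = line.partition("=")
            if key.strip().lower() == "live_dangerously":
                value = val.lstrip("> ").strip().lower()   # tolerate 'key => value'
    return value


def guard_enabled(conf_text):
    """True only when live_dangerously is explicitly set to a 'no' value
    (assumed spellings, following Asterisk's usual boolean parsing)."""
    return live_dangerously_setting(conf_text) in {"no", "false", "off", "0", "n", "f"}


# Constructed sample configurations: the shipped default and the hardened form.
SAMPLE_CONF_DEFAULT = """\
[options]
verbose = 3
; live_dangerously left unset, as shipped in Stable and Oldstable
"""
SAMPLE_CONF_HARDENED = SAMPLE_CONF_DEFAULT + "live_dangerously = no\n"
```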

Information forwarded to debian-bugs-dist@lists.debian.org, Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>:
Bug#732355; Package asterisk. (Fri, 20 Dec 2013 14:45:15 GMT) Full text and rfc822 format available.

Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>. (Fri, 20 Dec 2013 14:45:15 GMT) Full text and rfc822 format available.

Message #35 received at 732355@bugs.debian.org (full text, mbox):

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Tzafrir Cohen <tzafrir.cohen@xorcom.com>
Cc: 732355@bugs.debian.org
Subject: Re: Bug#732355: asterisk: Two Asterisk security issues
Date: Fri, 20 Dec 2013 15:34:45 +0100
On Fri, Dec 20, 2013 at 03:14:00PM +0200, Tzafrir Cohen wrote:
> On Tue, Dec 17, 2013 at 06:17:09PM +0100, Moritz Muehlenhoff wrote:
> > On Tue, Dec 17, 2013 at 05:55:14PM +0200, Tzafrir Cohen wrote:
> > > On Tue, Dec 17, 2013 at 07:33:53AM +0100, Moritz Muehlenhoff wrote:
> > > > Package: asterisk
> > > > Severity: grave
> > > > Tags: security
> > > > 
> > > > Hi,
> > > > please see
> > > > http://downloads.asterisk.org/pub/security/AST-2013-006.html and
> > > > http://downloads.asterisk.org/pub/security/AST-2013-007.html
> > > 
> > > Looking at them. At first glance: both of them also affect 1.6.2 from
> > > old-stable. AST-2013-007 introduces a new configuration item and we have
> > > to see what the sane default for it should be.
> > 
> > I think we should follow upstream and keep live_dangerously activated.
> > We can add a note to the advisory about what setting must be tweaked.
> 
> Attached are debdiffs for oldstable and stable uploads. I couldn't find
> CVE entries.

Please adjust the distribution lines to oldstable-security and stable-security
and upload to security-master.

Have you been able to test these on a live system? 

Cheers,
        Moritz



Reply sent to Tzafrir Cohen <tzafrir@debian.org>:
You have taken responsibility. (Mon, 06 Jan 2014 22:51:21 GMT) Full text and rfc822 format available.

Notification sent to Moritz Muehlenhoff <jmm@inutil.org>:
Bug acknowledged by developer. (Mon, 06 Jan 2014 22:51:21 GMT) Full text and rfc822 format available.

Message #40 received at 732355-close@bugs.debian.org (full text, mbox):

From: Tzafrir Cohen <tzafrir@debian.org>
To: 732355-close@bugs.debian.org
Subject: Bug#732355: fixed in asterisk 1:1.6.2.9-2+squeeze12
Date: Mon, 06 Jan 2014 22:48:19 +0000
Source: asterisk
Source-Version: 1:1.6.2.9-2+squeeze12

We believe that the bug you reported is fixed in the latest version of
asterisk, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 732355@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Tzafrir Cohen <tzafrir@debian.org> (supplier of updated asterisk package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Fri, 20 Dec 2013 21:00:49 +0200
Source: asterisk
Binary: asterisk asterisk-h323 asterisk-doc asterisk-dev asterisk-dbg asterisk-sounds-main asterisk-config
Architecture: source all amd64
Version: 1:1.6.2.9-2+squeeze12
Distribution: oldstable-security
Urgency: high
Maintainer: Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>
Changed-By: Tzafrir Cohen <tzafrir@debian.org>
Description: 
 asterisk   - Open Source Private Branch Exchange (PBX)
 asterisk-config - Configuration files for Asterisk
 asterisk-dbg - Debugging symbols for Asterisk
 asterisk-dev - Development files for Asterisk
 asterisk-doc - Source code documentation for Asterisk
 asterisk-h323 - H.323 protocol support for Asterisk
 asterisk-sounds-main - Core Sound files for Asterisk (English)
Closes: 732355
Changes: 
 asterisk (1:1.6.2.9-2+squeeze12) oldstable-security; urgency=high
 .
   * Backport of fixes in Asterisk 1.8.24.1 (Closes: #732355):
     - Patch AST-2013-006: fixes a buffer overflow in app_sms.
     - Patch AST-2013-007: guards access to code execution from remote interfaces
       - but patch out the change in asterisk.conf.
       - Patch ASTERISK-20658: fixes potential crash with asterisk-realtime





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 09 Mar 2014 07:31:26 GMT) Full text and rfc822 format available.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Apr 20 01:11:12 2014; Machine Name: beach.debian.org
