CVE-2016-9938

An issue was discovered in Asterisk Open Source 11.x before 11.25.1, 13.x before 13.13.1, and 14.x before 14.2.1 and Certified Asterisk 11.x before 11.6-cert16 and 13.x before 13.8-cert4. The chan_sip channel driver has a liberal definition of whitespace when stripping the content between a SIP header name and the colon. Rather than following RFC 3261 and stripping only spaces and horizontal tabs, Asterisk treats any non-printable ASCII character as whitespace. This means that a header such as Contact\x01: (a 0x01 byte between the name and the colon) is accepted as a valid Contact header. On its own this is mostly harmless; it becomes a problem when Asterisk sits behind an authenticating SIP proxy. In that deployment, a crafted combination of valid and invalid To headers can cause the proxy to pass an INVITE to Asterisk without authentication, because the proxy believes the request is in-dialog, while the same request, parsed with the liberal whitespace rule, looks like an out-of-dialog request to Asterisk. Asterisk then processes it as a new call. The result is that Asterisk can process calls from unvetted sources without any authentication.

If you do not use a proxy for authentication, this issue does not affect you. If your proxy is dialog-aware (it keeps track of which dialogs are currently valid), this issue does not affect you. If you use chan_pjsip instead of chan_sip, this issue does not affect you.
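The parsing disagreement behind this, as an added illustration written for this page rather than Asterisk's own chan_sip code: a minimal first-match SIP header lookup with the buggy whitespace rule (any byte below 33 skipped as if it were a blank) beside the RFC 3261 rule (only SP and HTAB before the colon), run over a constructed INVITE. The message, the ordering of its two To lines, and the use of a `;tag=` parameter on To as the in-dialog test are assumptions made for the illustration; the point they show is that a strict parser and the lenient one return different To headers for the same bytes, so one side sees an in-dialog request and the other a new call.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/*
 * Simplified model of a chan_sip-style header lookup (illustration code for
 * this page, not Asterisk source). Copies the value of the first header named
 * `name` into `out` and returns 1, or returns 0 if no such header is found.
 * `lenient` = 1 selects the buggy whitespace rule, 0 the RFC 3261 rule.
 */
static int find_header(const char *msg, const char *name, int lenient,
                       char *out, size_t outsz)
{
    size_t nlen = strlen(name);
    const char *line = msg;

    while (*line) {
        const char *eol = strstr(line, "\r\n");
        size_t llen = eol ? (size_t)(eol - line) : strlen(line);
        const char *end = line + llen;

        if (llen > nlen && strncasecmp(line, name, nlen) == 0) {
            const char *r = line + nlen;
            if (lenient) {
                /* Bug modeled: every byte below 33, i.e. any ASCII control
                 * character, is skipped between the name and the colon. */
                while (r < end && (unsigned char)*r < 33)
                    r++;
            } else {
                /* RFC 3261 HCOLON: only SP and HTAB may precede ':'. */
                while (r < end && (*r == ' ' || *r == '\t'))
                    r++;
            }
            if (r < end && *r == ':') {
                size_t vlen;
                r++;
                while (r < end && (*r == ' ' || *r == '\t'))
                    r++;
                vlen = (size_t)(end - r);
                if (vlen >= outsz)
                    vlen = outsz - 1;
                memcpy(out, r, vlen);
                out[vlen] = '\0';
                return 1;
            }
        }
        if (!eol)
            break;
        line = eol + 2;
    }
    return 0;
}

/* Constructed INVITE (not captured traffic). The first "To" line carries a
 * 0x01 byte before its colon and no tag; the second is a well-formed To
 * header with a tag. Which one a parser returns decides the dialog verdict. */
static const char *invite =
    "INVITE sip:bob@example.invalid SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.0.2.10;branch=z9hG4bK776asdhds\r\n"
    "From: <sip:attacker@192.0.2.10>;tag=1928301774\r\n"
    "To\x01: <sip:bob@example.invalid>\r\n"
    "To: <sip:bob@example.invalid>;tag=a6c85cf\r\n"
    "Call-ID: a84b4c76e66710\r\n"
    "CSeq: 314159 INVITE\r\n"
    "Contact: <sip:attacker@192.0.2.10>\r\n"
    "Content-Length: 0\r\n"
    "\r\n";

/* The usual in-dialog test: does the (first) To header carry a tag?
 * Returns 1 (tag present), 0 (no tag), or -1 (no To header found). */
static int to_has_tag(const char *msg, int lenient)
{
    char val[256];
    if (!find_header(msg, "To", lenient, val, sizeof val))
        return -1;
    return strstr(val, ";tag=") != NULL;
}

int main(void)
{
    printf("RFC 3261 view (proxy): To has tag = %d  (1: in-dialog, auth skipped)\n",
           to_has_tag(invite, 0));
    printf("lenient view (bug):    To has tag = %d  (0: out-of-dialog, new call)\n",
           to_has_tag(invite, 1));
    return 0;
}
```

Build with `cc sip_hcolon.c && ./a.out`. The fix is the one-line change in the skip loop: only SP and HTAB are blanks, so `To\x01:` stops matching and both parsers return the same To header. The same lookup, run on a single `Contact\x01:` line, finds the header only under the lenient rule.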

CVE-2013-3111: MSIE 9 IEFRAME CSelectionInteractButtonBehavior::_UpdateButtonLocation use-after-free

Posted by Berend-Jan Wever on Dec 12

Since November I have been releasing details on all vulnerabilities I
found that I have not released before. This is the thirtieth entry
in the series. This information is available in more detail on my blog
at http://blog.skylined.nl/20161212001.html. There you can find a repro
that triggered this issue in addition to the information below.

If you find these releases useful, and would like to help me make time
to continue releasing this kind of…

APPLE-SA-2016-12-12-1 iOS 10.2

Posted by Apple Product Security on Dec 12

APPLE-SA-2016-12-12-1 iOS 10.2

iOS 10.2 is now available and addresses the following:

Accessibility
Available for: iPhone 5 and later, iPad 4th generation and later,
iPod touch 6th generation and later
Impact: A nearby user may be able to overhear spoken passwords
Description: A disclosure issue existed in the handling of passwords.
This issue was addressed by disabling the speaking of passwords.
CVE-2016-7634: Davut Hari

Accessibility…

APPLE-SA-2016-12-12-2 watchOS 3.1.1

Posted by Apple Product Security on Dec 12

APPLE-SA-2016-12-12-2 watchOS 3.1.1

watchOS 3.1.1 is now available and addresses the following:

Accounts
Available for: All Apple Watch models
Impact: An issue existed which did not reset the authorization
settings on app uninstall
Description: This issue was addressed through improved sanitization.
CVE-2016-7651: Ju Zhu and Lilang Wu of Trend Micro

Profiles
Available for: All Apple Watch models
Impact: Opening a maliciously crafted…

APPLE-SA-2016-12-12-3 tvOS 10.1

Posted by Apple Product Security on Dec 12

APPLE-SA-2016-12-12-3 tvOS 10.1

tvOS 10.1 is now available and addresses the following:

Profiles
Available for: Apple TV (4th generation)
Impact: Opening a maliciously crafted certificate may lead to
arbitrary code execution
Description: A memory corruption issue existed in the handling of
certificate profiles. This issue was addressed through improved input
validation.
CVE-2016-7626: Maksymilian Arciemowicz (cxsecurity.com)

Installation…

botan-1.10.14-3.fc25

### Botan 1.10.14 ###
* NOTE WELL: Botan 1.10.x is supported for security patches only until 2017-12-31
* Fix integer overflow during BER decoding, found by Falko Strenzke. This bug is not thought to be directly exploitable but upgrading ASAP is advised. (CVE-2016-9132)
* Fix two cases where (in error situations) an exception would be thrown from a destructor, causing a call to std::terminate.
* When RC4 is disabled in the build, also prevent it from being included in the OpenSSL provider. (GH #638)

botan-1.10.14-3.fc23

### Botan 1.10.14 ###
* NOTE WELL: Botan 1.10.x is supported for security patches only until 2017-12-31
* Fix integer overflow during BER decoding, found by Falko Strenzke. This bug is not thought to be directly exploitable but upgrading ASAP is advised. (CVE-2016-9132)
* Fix two cases where (in error situations) an exception would be thrown from a destructor, causing a call to std::terminate.
* When RC4 is disabled in the build, also prevent it from being included in the OpenSSL provider. (GH #638)

botan-1.10.14-3.fc24

### Botan 1.10.14 ###
* NOTE WELL: Botan 1.10.x is supported for security patches only until 2017-12-31
* Fix integer overflow during BER decoding, found by Falko Strenzke. This bug is not thought to be directly exploitable but upgrading ASAP is advised. (CVE-2016-9132)
* Fix two cases where (in error situations) an exception would be thrown from a destructor, causing a call to std::terminate.
* When RC4 is disabled in the build, also prevent it from being included in the OpenSSL provider. (GH #638)

Apple iOS/tvOS/watchOS Remote memory corruption through certificate file

Posted by [CXSEC] on Dec 12

Apple iOS/tvOS/watchOS Remote memory corruption through certificate file
Source: https://cxsecurity.com/issue/WLB-2016110046

------------------------------------------------------------
0. Short description
Special crafted certificate file may lead to memory corruption of several
processes and the vector attack may be through Mobile Safari or Mail app.
Attacker may control the overflow through the certificate length in…