Category Archives: Fedora

Fedora – Security Updates

Fedora 19 Security Update: asterisk-11.14.1-1.fc19

Resolved Bugs
1166692 – asterisk: AMI permission escalation through DB dialplan function [AST-2014-018] [fedora-all]
1166690 – asterisk: Permission escalation through ConfBridge actions/dialplan functions [AST-2014-017] [fedora-all]
1166684 – asterisk: High call load may result in hung channels in ConfBridge [AST-2014-014] [fedora-all]
1166676 – asterisk: Mixed IP address families in access control lists may permit unwanted traffic [AST-2014-012] [fedora-all]
* Fri Nov 21 2014 Jeffrey C. Ollie – 11.14.1-1
– The Asterisk Development Team has announced security releases for Certified
– Asterisk 1.8.28 and 11.6 and Asterisk 1.8, 11, 12, and 13. The available
– security releases are released as versions 1.8.28-cert3, 11.6-cert8, 1.8.32.1,
– 11.14.1, 12.7.1, and 13.0.1.

– These releases are available for immediate download at
– http://downloads.asterisk.org/pub/telephony/asterisk/releases

– The release of these versions resolves the following security vulnerabilities:

– * AST-2014-012: Unauthorized access in the presence of ACLs with mixed IP
– address families

– Many modules in Asterisk that service incoming IP traffic have ACL options
– (“permit” and “deny”) that can be used to whitelist or blacklist address
– ranges. A bug has been discovered where the address family of incoming
– packets is only compared to the IP address family of the first entry in the
– list of access control rules. If the source IP address for an incoming
– packet is not of the same address family as the first ACL entry, that packet
– bypasses all ACL rules.
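As an added illustration (not Asterisk's own acl.c, which is in C), the following Python model reproduces the ACL evaluation described above, with the pre-fix family check placed beside the corrected per-rule check; the evaluation order (rules in sequence, last match wins, default allow), the rule syntax and the sample networks are assumptions of the model. The same advisory text recurs in the later Asterisk entries on this page, and this one block serves all of them.

```python
import ipaddress
from typing import List, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
Rule = Tuple[str, Network]  # ("permit" | "deny", network)


def parse_acl(lines: List[str]) -> List[Rule]:
    """Parse Asterisk-style 'permit=<net>' / 'deny=<net>' lines, in order."""
    rules: List[Rule] = []
    for line in lines:
        sense, sep, net = line.strip().partition("=")
        if sep != "=" or sense not in ("permit", "deny"):
            raise ValueError(f"bad ACL line: {line!r}")
        rules.append((sense, ipaddress.ip_network(net, strict=False)))
    return rules


def _evaluate(rules: List[Rule], addr) -> str:
    # Evaluation order assumed for this model: rules apply in sequence, the
    # last rule that matches decides, and an address no rule matches is allowed.
    # A rule of the other address family can never match and is skipped.
    verdict = "allow"
    for sense, net in rules:
        if net.version != addr.version:
            continue
        if addr in net:
            verdict = "allow" if sense == "permit" else "deny"
    return verdict


def apply_acl_vulnerable(rules: List[Rule], src: str) -> str:
    """Pre-fix behaviour as described in AST-2014-012: the packet's address
    family is compared with the FIRST rule only; on a mismatch the whole
    list is skipped and the packet falls through to the default (allow)."""
    addr = ipaddress.ip_address(src)
    if rules and addr.version != rules[0][1].version:
        return "allow"  # the bug: every rule, including any deny, is bypassed
    return _evaluate(rules, addr)


def apply_acl_fixed(rules: List[Rule], src: str) -> str:
    """Corrected behaviour: the family is checked per rule, so only rules of
    the other family are skipped, never the list as a whole."""
    return _evaluate(rules, ipaddress.ip_address(src))


# Constructed sample configs (RFC 5737 / RFC 3849 documentation ranges).
IPV4_ONLY_ACL = ["deny=0.0.0.0/0", "permit=192.0.2.0/24"]
DUAL_STACK_ACL = ["deny=0.0.0.0/0", "deny=::/0", "permit=192.0.2.0/24"]


def compare(acl_lines: List[str], sources: List[str]):
    """Return {source: (vulnerable_verdict, fixed_verdict)} for one config."""
    rules = parse_acl(acl_lines)
    return {s: (apply_acl_vulnerable(rules, s), apply_acl_fixed(rules, s))
            for s in sources}


if __name__ == "__main__":
    srcs = ["192.0.2.10", "198.51.100.7", "2001:db8::1"]
    for name, acl in (("ipv4-only", IPV4_ONLY_ACL), ("dual-stack", DUAL_STACK_ACL)):
        print(name)
        for src, (vuln, fixed) in compare(acl, srcs).items():
            print(f"  {src:<16} vulnerable={vuln:<5} fixed={fixed}")
```

Note that with the IPv4-only config the IPv6 source is allowed by both versions: the fix only makes the deny rules apply to their own family, so a dual-stack host still needs an explicit deny rule for each family it listens on.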

– * AST-2014-018: Permission Escalation through DB dialplan function

– The DB dialplan function when executed from an external protocol, such as AMI,
– could result in a privilege escalation. Users with a lower class authorization
– in AMI can access the internal Asterisk database without the required SYSTEM
– class authorization.

– In addition, the release of 11.6-cert8 and 11.14.1 resolves the following
– security vulnerability:

– * AST-2014-014: High call load with ConfBridge can result in resource exhaustion

– The ConfBridge application uses an internal bridging API to implement
– conference bridges. This internal API uses a state model for channels within
– the conference bridge and transitions between states as different things
– occur. Under load it is possible for some state transitions to be delayed
– causing the channel to transition from being hung up to waiting for media. As
– the channel has been hung up remotely no further media will arrive and the
– channel will stay within ConfBridge indefinitely.

– In addition, the release of 11.6-cert8, 11.14.1, 12.7.1, and 13.0.1 resolves
– the following security vulnerability:

– * AST-2014-017: Permission Escalation via ConfBridge dialplan function and
– AMI ConfbridgeStartRecord Action

– The CONFBRIDGE dialplan function when executed from an external protocol (such
– as AMI) can result in a privilege escalation as certain options within that
– function can affect the underlying system. Additionally, the AMI
– ConfbridgeStartRecord action has options that would allow modification of the
– underlying system, and does not require SYSTEM class authorization in AMI.

– Finally, the release of 12.7.1 and 13.0.1 resolves the following security
– vulnerabilities:

– * AST-2014-013: Unauthorized access in the presence of ACLs in the PJSIP stack

– The Asterisk module res_pjsip provides the ability to configure ACLs that may
– be used to reject SIP requests from various hosts. However, the module
– currently fails to create and apply the ACLs defined in its configuration
– file on initial module load.

– * AST-2014-015: Remote crash vulnerability in PJSIP channel driver

– The chan_pjsip channel driver uses a queue approach for relating to SIP
– sessions. There exists a race condition where actions may be queued to answer
– a session or send ringing after a SIP session has been terminated using a
– CANCEL request. The code will incorrectly assume that the SIP session is still
– active and attempt to send the SIP response. The PJSIP library does not
– expect the SIP session to be in the disconnected state when sending the
– response and asserts.

– * AST-2014-016: Remote crash vulnerability in PJSIP channel driver

– When handling an INVITE with Replaces message the res_pjsip_refer module
– incorrectly assumes that it will be operating on a channel that has just been
– created. If the INVITE with Replaces message is sent in-dialog after a session
– has been established this assumption will be incorrect. The res_pjsip_refer
– module will then hang up a channel that is actually owned by another thread.
– When this other thread attempts to use the just hung up channel it will end up
– using a freed channel which will likely result in a crash.

– For more information about the details of these vulnerabilities, please read
– security advisories AST-2014-012, AST-2014-013, AST-2014-014, AST-2014-015,
– AST-2014-016, AST-2014-017, and AST-2014-018, which were released at the same
– time as this announcement.

– For a full list of changes in the current releases, please see the ChangeLogs:

– http://downloads.asterisk.org/pub/telephony/certified-asterisk/releases/ChangeLog-1.8.28-cert3
– http://downloads.asterisk.org/pub/telephony/certified-asterisk/releases/ChangeLog-11.6-cert8
– http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-1.8.32.1
– http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-11.14.1
– http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-12.7.1
– http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-13.0.1

– The security advisories are available at:

– * http://downloads.asterisk.org/pub/security/AST-2014-012.pdf
– * http://downloads.asterisk.org/pub/security/AST-2014-013.pdf
– * http://downloads.asterisk.org/pub/security/AST-2014-014.pdf
– * http://downloads.asterisk.org/pub/security/AST-2014-015.pdf
– * http://downloads.asterisk.org/pub/security/AST-2014-016.pdf
– * http://downloads.asterisk.org/pub/security/AST-2014-017.pdf
– * http://downloads.asterisk.org/pub/security/AST-2014-018.pdf
* Fri Nov 21 2014 Jeffrey C. Ollie – 11.14.0-1
– The Asterisk Development Team has announced the release of Asterisk 11.14.0.
– This release is available for immediate download at
– http://downloads.asterisk.org/pub/telephony/asterisk

– The release of Asterisk 11.14.0 resolves several issues reported by the
– community and would have not been possible without your participation.
– Thank you!

– The following are the issues resolved in this release:

– Bugs fixed in this release:
– ———————————–
– * ASTERISK-24348 – Built-in editline tab complete segfault with
– MALLOC_DEBUG (Reported by Walter Doekes)
– * ASTERISK-24335 – [PATCH] Asterisk incorrectly responds 503 to
– INVITE retransmissions of rejected calls (Reported by Torrey
– Searle)
– * ASTERISK-23768 – [patch] Asterisk man page contains a (new)
– unquoted minus sign (Reported by Jeremy Lainé)
– * ASTERISK-24357 – [fax] Out of bounds error in update_modem_bits
– (Reported by Jeremy Lainé)
– * ASTERISK-20567 – bashism in autosupport (Reported by Tzafrir
– Cohen)
– * ASTERISK-22945 – [patch] Memory leaks in chan_sip.c with
– realtime peers (Reported by ibercom)
– * ASTERISK-24384 – chan_motif: format capabilities leak on module
– load error (Reported by Corey Farrell)
– * ASTERISK-24385 – chan_sip: process_sdp leaks on an error path
– (Reported by Corey Farrell)
– * ASTERISK-24378 – Release AMI connections on shutdown (Reported
– by Corey Farrell)
– * ASTERISK-24354 – AMI sendMessage closes AMI connection on error
– (Reported by Peter Katzmann)
– * ASTERISK-24390 – astobj2: REF_DEBUG reports false leaks with
– ao2_callback with OBJ_MULTIPLE (Reported by Corey Farrell)
– * ASTERISK-24326 – res_rtp_asterisk: ICE-TCP candidates are
– incorrectly attempted (Reported by Joshua Colp)
– * ASTERISK-24011 – [patch]safe_asterisk tries to set ulimit -n too
– high on linux systems with lots of RAM (Reported by Michael
– Myles)
– * ASTERISK-24383 – res_rtp_asterisk: Crash if no candidates
– received for component (Reported by Kevin Harwell)
– * ASTERISK-20784 – Failure to receive an ACK to a SIP Re-INVITE
– results in a SIP channel leak (Reported by NITESH BANSAL)
– * ASTERISK-15879 – [patch] Failure to receive an ACK to a SIP
– Re-INVITE results in a SIP channel leak (Reported by Torrey
– Searle)
– * ASTERISK-24406 – Some caller ID strings are parsed differently
– since 11.13.0 (Reported by Etienne Lessard)
– * ASTERISK-24325 – res_calendar_ews: cannot be used with neon 0.30
– (Reported by Tzafrir Cohen)
– * ASTERISK-13797 – [patch] relax badshell tilde test (Reported by
– Tzafrir Cohen)
– * ASTERISK-22791 – asterisk sends Re-INVITE after receiving a BYE
– (Reported by Paolo Compagnini)
– * ASTERISK-18923 – res_fax_spandsp usage counter is wrong
– (Reported by Grigoriy Puzankin)
– * ASTERISK-24392 – res_fax: fax gateway sessions leak (Reported by
– Corey Farrell)
– * ASTERISK-24393 – rtptimeout=0 doesn’t disable rtptimeout
– (Reported by Dmitry Melekhov)
– * ASTERISK-23846 – Unistim multilines. Loss of voice after second
– call drops (on a second line). (Reported by Rustam Khankishyiev)
– * ASTERISK-24063 – [patch]Asterisk does not respect outbound proxy
– when sending qualify requests (Reported by Damian Ivereigh)
– * ASTERISK-24425 – [patch] jabber/xmpp to use TLS instead of
– SSLv3, security fix POODLE (CVE-2014-3566) (Reported by
– abelbeck)
– * ASTERISK-24436 – Missing header in res/res_srtp.c when compiling
– against libsrtp-1.5.0 (Reported by Patrick Laimbock)
– * ASTERISK-24454 – app_queue: ao2_iterator not destroyed, causing
– leak (Reported by Corey Farrell)
– * ASTERISK-24430 – missing letter “p” in word response in
– OriginateResponse event documentation (Reported by Dafi Ni)
– * ASTERISK-24457 – res_fax: fax gateway frames leak (Reported by
– Corey Farrell)
– * ASTERISK-21721 – SIP Failed to parse multiple Supported: headers
– (Reported by Olle Johansson)
– * ASTERISK-24304 – asterisk crashing randomly because of unistim
– channel (Reported by dhanapathy sathya)
– * ASTERISK-24190 – IMAP voicemail causes segfault (Reported by
– Nick Adams)
– * ASTERISK-24466 – app_queue: fix a couple leaks to struct
– call_queue (Reported by Corey Farrell)
– * ASTERISK-24432 – Install refcounter.py when REF_DEBUG is enabled
– (Reported by Corey Farrell)
– * ASTERISK-24476 – main/app.c / app_voicemail: ast_writestream
– leaks (Reported by Corey Farrell)
– * ASTERISK-24307 – Unintentional memory retention in stringfields
– (Reported by Etienne Lessard)

– For a full list of changes in this release, please see the ChangeLog:

– http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-11.14.0

Fedora 19 Security Update: kernel-3.14.25-100.fc19

Resolved Bugs
1163762 – CVE-2014-7842 kernel: kvm: reporting emulation failures to userspace
1163767 – CVE-2014-7842 kernel: kvm: reporting emulation failures to userspace [fedora-all]
1163087 – CVE-2014-7841 kernel: net: sctp: NULL pointer dereference in af->from_addr_param on malformed packet
1163095 – CVE-2014-7841 kernel: net: sctp: NULL pointer dereference in af->from_addr_param on malformed packet [fedora-all]
1161565 – CVE-2014-7825 CVE-2014-7826 kernel: insufficient syscall number validation in perf and ftrace subsystems
1161572 – CVE-2014-7826 CVE-2014-7825 kernel: insufficient syscall number validation in perf and ftrace subsystems [fedora-all]
The 3.14.25 stable update contains a number of important fixes across the tree.
The 3.14.24 stable update contains a number of important fixes across the tree.

Fedora 20 Security Update: asterisk-11.14.1-1.fc20

Resolved Bugs
1166692 – asterisk: AMI permission escalation through DB dialplan function [AST-2014-018] [fedora-all]
1166690 – asterisk: Permission escalation through ConfBridge actions/dialplan functions [AST-2014-017] [fedora-all]
1166684 – asterisk: High call load may result in hung channels in ConfBridge [AST-2014-014] [fedora-all]
1166676 – asterisk: Mixed IP address families in access control lists may permit unwanted traffic [AST-2014-012] [fedora-all]

Fedora 20 Security Update: curl-7.32.0-16.fc20

Resolved Bugs
1153814 – yum cannot access repositories using TLS 1.2
1166567 – curl: Disable out-of-protocol fallback to SSL 3.0
1166239 – Please include “low-speed-limit: avoid timeout flood” patch into fedora curl package
1154941 – CVE-2014-3707 curl: incorrect handle duplication after COPYPOSTFIELDS
– allow to use TLS 1.1 and TLS 1.2 (#1153814)
– disable libcurl-level downgrade to SSLv3 (#1166567)
– low-speed-limit: avoid timeout flood (#1166239)
– fix handling of CURLOPT_COPYPOSTFIELDS in curl_easy_duphandle (CVE-2014-3707)

Fedora EPEL 7 Security Update: phpMyAdmin-4.2.12-1.el7

Resolved Bugs
1166397 – phpMyAdmin-4.2.12 is available
1166619 – CVE-2014-8958 phpMyAdmin: Multiple XSS vulnerabilities (PMASA-2014-13)
1166624 – CVE-2014-8958 phpMyAdmin: Multiple XSS vulnerabilities (PMASA-2014-13) [epel-7]
1166626 – CVE-2014-8959 phpMyAdmin: Local file inclusion vulnerability (PMASA-2014-14)
1166630 – CVE-2014-8959 phpMyAdmin: Local file inclusion vulnerability (PMASA-2014-14) [epel-7]
1166634 – CVE-2014-8960 phpMyAdmin: XSS vulnerability in error reporting functionality (PMASA-2014-15)
1166636 – CVE-2014-8960 phpMyAdmin: XSS vulnerability in error reporting functionality (PMASA-2014-15) [epel-7]
1166637 – CVE-2014-8961 phpMyAdmin: leakage of line count of an arbitrary file (PMASA-2014-16)
1166639 – CVE-2014-8961 phpMyAdmin: leakage of line count of an arbitrary file (PMASA-2014-16) [epel-7]
phpMyAdmin 4.2.12.0 (2014-11-20)
================================
– Blank/white page when JavaScript disabled
– Multi row actions cause full page reloads
– ReferenceError: targeurl is not defined
– Incorrect text/icon display in Tracking report
– Recordset return from procedure display nothing
– Edit dialog for routines is too long for smaller displays
– JavaScript error after moving a column
– Issue with long comments on table columns
– Input field unnecessarily selected on focus
– Exporting selected rows exports all rows of the query
– No insert statement produced in SQL export for queries with alias
– Field disabled when internal relations used
– [security] XSS through exception stack
– [security] Path traversal can lead to leakage of line count
– [security] XSS vulnerability in table print view
– [security] XSS vulnerability in zoom search page
– [security] Path traversal in file inclusion of GIS factory
– [security] XSS in multi submit
– [security] XSS through pma_fontsize cookie

Fedora EPEL 6 Security Update: asterisk-1.8.32.1-1.el6

Resolved Bugs
1044204 – Asterisk needs to be updated to pick up fixes to multiple security vulnerabilities
1166693 – asterisk: AMI permission escalation through DB dialplan function [AST-2014-018] [epel-6]
1154895 – asterisk vulnerable to CVE-2014-3566/POODLE (AST-2014-011)
1109286 – CVE-2014-4047 asterisk: DoS due to Exhaustion of Allowed Concurrent HTTP Connections (AST-2014-007) [epel-6]
* Fri Nov 21 2014 Jeffrey C. Ollie – 1.8.32.1-1:
– The Asterisk Development Team has announced security releases for Certified
– Asterisk 1.8.28 and 11.6 and Asterisk 1.8, 11, 12, and 13. The available
– security releases are released as versions 1.8.28-cert3, 11.6-cert8, 1.8.32.1,
– 11.14.1, 12.7.1, and 13.0.1.

– These releases are available for immediate download at
– http://downloads.asterisk.org/pub/telephony/asterisk/releases

– The release of these versions resolves the following security vulnerabilities:

– * AST-2014-012: Unauthorized access in the presence of ACLs with mixed IP
– address families

– Many modules in Asterisk that service incoming IP traffic have ACL options
– (“permit” and “deny”) that can be used to whitelist or blacklist address
– ranges. A bug has been discovered where the address family of incoming
– packets is only compared to the IP address family of the first entry in the
– list of access control rules. If the source IP address for an incoming
– packet is not of the same address family as the first ACL entry, that packet
– bypasses all ACL rules.

– * AST-2014-018: Permission Escalation through DB dialplan function

– The DB dialplan function when executed from an external protocol, such as AMI,
– could result in a privilege escalation. Users with a lower class authorization
– in AMI can access the internal Asterisk database without the required SYSTEM
– class authorization.

– In addition, the release of 11.6-cert8 and 11.14.1 resolves the following
– security vulnerability:

– * AST-2014-014: High call load with ConfBridge can result in resource exhaustion

– The ConfBridge application uses an internal bridging API to implement
– conference bridges. This internal API uses a state model for channels within
– the conference bridge and transitions between states as different things
– occur. Under load it is possible for some state transitions to be delayed
– causing the channel to transition from being hung up to waiting for media. As
– the channel has been hung up remotely no further media will arrive and the
– channel will stay within ConfBridge indefinitely.

– In addition, the release of 11.6-cert8, 11.14.1, 12.7.1, and 13.0.1 resolves
– the following security vulnerability:

– * AST-2014-017: Permission Escalation via ConfBridge dialplan function and
– AMI ConfbridgeStartRecord Action

– The CONFBRIDGE dialplan function when executed from an external protocol (such
– as AMI) can result in a privilege escalation as certain options within that
– function can affect the underlying system. Additionally, the AMI
– ConfbridgeStartRecord action has options that would allow modification of the
– underlying system, and does not require SYSTEM class authorization in AMI.

– Finally, the release of 12.7.1 and 13.0.1 resolves the following security
– vulnerabilities:

– * AST-2014-013: Unauthorized access in the presence of ACLs in the PJSIP stack

– The Asterisk module res_pjsip provides the ability to configure ACLs that may
– be used to reject SIP requests from various hosts. However, the module
– currently fails to create and apply the ACLs defined in its configuration
– file on initial module load.

– * AST-2014-015: Remote crash vulnerability in PJSIP channel driver

– The chan_pjsip channel driver uses a queue approach for relating to SIP
– sessions. There exists a race condition where actions may be queued to answer
– a session or send ringing after a SIP session has been terminated using a
– CANCEL request. The code will incorrectly assume that the SIP session is still
– active and attempt to send the SIP response. The PJSIP library does not
– expect the SIP session to be in the disconnected state when sending the
– response and asserts.

– * AST-2014-016: Remote crash vulnerability in PJSIP channel driver

– When handling an INVITE with Replaces message the res_pjsip_refer module
– incorrectly assumes that it will be operating on a channel that has just been
– created. If the INVITE with Replaces message is sent in-dialog after a session
– has been established this assumption will be incorrect. The res_pjsip_refer
– module will then hang up a channel that is actually owned by another thread.
– When this other thread attempts to use the just hung up channel it will end up
– using a freed channel which will likely result in a crash.

– For more information about the details of these vulnerabilities, please read
– security advisories AST-2014-012, AST-2014-013, AST-2014-014, AST-2014-015,
– AST-2014-016, AST-2014-017, and AST-2014-018, which were released at the same
– time as this announcement.

– For a full list of changes in the current releases, please see the ChangeLogs:

– http://downloads.asterisk.org/pub/telephony/certified-asterisk/releases/ChangeLog-1.8.28-cert3
– http://downloads.asterisk.org/pub/telephony/certified-asterisk/releases/ChangeLog-11.6-cert8
– http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-1.8.32.1
– http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-11.14.1
– http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-12.7.1
– http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-13.0.1

– The security advisories are available at:

– * http://downloads.asterisk.org/pub/security/AST-2014-012.pdf
– * http://downloads.asterisk.org/pub/security/AST-2014-013.pdf
– * http://downloads.asterisk.org/pub/security/AST-2014-014.pdf
– * http://downloads.asterisk.org/pub/security/AST-2014-015.pdf
– * http://downloads.asterisk.org/pub/security/AST-2014-016.pdf
– * http://downloads.asterisk.org/pub/security/AST-2014-017.pdf
– * http://downloads.asterisk.org/pub/security/AST-2014-018.pdf
* Fri Nov 21 2014 Jeffrey C. Ollie – 1.8.32.0-1:
– The Asterisk Development Team has announced the release of Asterisk 1.8.32.0.
– This release is available for immediate download at
– http://downloads.asterisk.org/pub/telephony/asterisk

– The release of Asterisk 1.8.32.0 resolves several issues reported by the
– community and would have not been possible without your participation.
– Thank you!

– The following are the issues resolved in this release:

– Bugs fixed in this release:
– ———————————–
– * ASTERISK-24348 – Built-in editline tab complete segfault with
– MALLOC_DEBUG (Reported by Walter Doekes)
– * ASTERISK-24335 – [PATCH] Asterisk incorrectly responds 503 to
– INVITE retransmissions of rejected calls (Reported by Torrey
– Searle)
– * ASTERISK-23768 – [patch] Asterisk man page contains a (new)
– unquoted minus sign (Reported by Jeremy Lainé)
– * ASTERISK-24357 – [fax] Out of bounds error in update_modem_bits
– (Reported by Jeremy Lainé)
– * ASTERISK-22945 – [patch] Memory leaks in chan_sip.c with
– realtime peers (Reported by ibercom)
– * ASTERISK-24390 – astobj2: REF_DEBUG reports false leaks with
– ao2_callback with OBJ_MULTIPLE (Reported by Corey Farrell)
– * ASTERISK-24011 – [patch]safe_asterisk tries to set ulimit -n too
– high on linux systems with lots of RAM (Reported by Michael
– Myles)
– * ASTERISK-20784 – Failure to receive an ACK to a SIP Re-INVITE
– results in a SIP channel leak (Reported by NITESH BANSAL)
– * ASTERISK-15879 – [patch] Failure to receive an ACK to a SIP
– Re-INVITE results in a SIP channel leak (Reported by Torrey
– Searle)
– * ASTERISK-24406 – Some caller ID strings are parsed differently
– since 11.13.0 (Reported by Etienne Lessard)
– * ASTERISK-24325 – res_calendar_ews: cannot be used with neon 0.30
– (Reported by Tzafrir Cohen)
– * ASTERISK-13797 – [patch] relax badshell tilde test (Reported by
– Tzafrir Cohen)
– * ASTERISK-22791 – asterisk sends Re-INVITE after receiving a BYE
– (Reported by Paolo Compagnini)
– * ASTERISK-18923 – res_fax_spandsp usage counter is wrong
– (Reported by Grigoriy Puzankin)
– * ASTERISK-24393 – rtptimeout=0 doesn’t disable rtptimeout
– (Reported by Dmitry Melekhov)
– * ASTERISK-24063 – [patch]Asterisk does not respect outbound proxy
– when sending qualify requests (Reported by Damian Ivereigh)
– * ASTERISK-24425 – [patch] jabber/xmpp to use TLS instead of
– SSLv3, security fix POODLE (CVE-2014-3566) (Reported by
– abelbeck)
– * ASTERISK-24436 – Missing header in res/res_srtp.c when compiling
– against libsrtp-1.5.0 (Reported by Patrick Laimbock)
– * ASTERISK-21721 – SIP Failed to parse multiple Supported: headers
– (Reported by Olle Johansson)
– * ASTERISK-24190 – IMAP voicemail causes segfault (Reported by
– Nick Adams)
– * ASTERISK-24432 – Install refcounter.py when REF_DEBUG is enabled
– (Reported by Corey Farrell)
– * ASTERISK-24476 – main/app.c / app_voicemail: ast_writestream
– leaks (Reported by Corey Farrell)
– * ASTERISK-24307 – Unintentional memory retention in stringfields
– (Reported by Etienne Lessard)

– For a full list of changes in this release, please see the ChangeLog:

– http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-1.8.32.0
* Tue Oct 21 2014 Jeffrey C. Ollie – 1.8.31.1-1:
– The Asterisk Development Team has announced security releases for Certified
– Asterisk 1.8.28 and 11.6 and Asterisk 1.8, 11, 12, and 13. The available
– security releases are released as versions 1.8.28-cert2, 11.6-cert7, 1.8.31.1,
– 11.13.1, 12.6.1, and 13.0.0-beta3.

– These releases are available for immediate download at
– http://downloads.asterisk.org/pub/telephony/asterisk/releases

– The release of these versions resolves the following security vulnerability:

– * AST-2014-011: Asterisk Susceptibility to POODLE Vulnerability

– Asterisk is susceptible to the POODLE vulnerability in two ways:
– 1) The res_jabber and res_xmpp modules both use SSLv3 exclusively for their
– encrypted connections.
– 2) The core TLS handling in Asterisk, which is used by the chan_sip channel
– driver, Asterisk Manager Interface (AMI), and Asterisk HTTP Server, by
– default allows a TLS connection to fall back to SSLv3. This allows a
– MITM to potentially force a connection to fall back to SSLv3, exposing it
– to the POODLE vulnerability.

– These issues have been resolved in the versions released in conjunction with
– this security advisory.
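The fallback described in point 2) is a policy on the TLS context, not a wire-level bug: if nothing in the context rules SSLv3 out, a downgrade attacker can steer the handshake there. The block below is an added example, not Asterisk code and not taken from the advisory; it uses Python's ssl module as a stand-in for the OpenSSL context calls the C code makes. It builds a context that still admits SSLv3 (the pre-fix state, reproduced deliberately by clearing the flag Python sets by default) next to one with an explicit floor, and a check that reports the lowest version each policy would accept. The function names and the choice of TLS 1.2 as the modern floor are mine; the 2014 fix only needed to take SSLv3 out of the negotiable set.

```python
import ssl

# Lowest protocol version first. Each entry pairs a version with the
# OP_NO_* flag that excludes it from negotiation. (Names below are this
# example's own, not anything from the Asterisk tree.)
_VERSION_GATES = (
    (ssl.TLSVersion.SSLv3, ssl.OP_NO_SSLv3),
    (ssl.TLSVersion.TLSv1, ssl.OP_NO_TLSv1),
    (ssl.TLSVersion.TLSv1_1, ssl.OP_NO_TLSv1_1),
    (ssl.TLSVersion.TLSv1_2, ssl.OP_NO_TLSv1_2),
    (ssl.TLSVersion.TLSv1_3, ssl.OP_NO_TLSv1_3),
)


def permissive_context() -> ssl.SSLContext:
    """Model the pre-fix policy: negotiate whatever both sides offer, with
    nothing ruling SSLv3 out.  Python sets OP_NO_SSLv3 on every new context,
    so the bit is cleared here on purpose to reproduce the weak state.
    Never do this in real code."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    # Plain ints avoid IntFlag inversion quirks across Python versions.
    ctx.options = int(ctx.options) & ~int(ssl.OP_NO_SSLv3)
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx


def hardened_context() -> ssl.SSLContext:
    """The corrected policy: an explicit floor below which the context will
    not negotiate.  TLS 1.2 is an assumption for today's deployments; the
    2014 fix only had to exclude SSLv3."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def lowest_version_permitted(ctx: ssl.SSLContext):
    """Lowest protocol version the context's *policy* accepts, honouring both
    mechanisms OpenSSL offers: the OP_NO_* exclusion flags and the
    minimum_version floor.  Returns None if every version is excluded.
    Whether the linked OpenSSL can still speak SSLv3 at all is a separate
    question (current builds drop it); an audit should look at the policy."""
    floor = ctx.minimum_version
    for version, exclude_flag in _VERSION_GATES:
        if ctx.options & exclude_flag:
            continue
        if floor != ssl.TLSVersion.MINIMUM_SUPPORTED and version < floor:
            continue
        return version
    return None


def allows_sslv3_fallback(ctx: ssl.SSLContext) -> bool:
    """The AST-2014-011 condition: a MITM can push this context down to SSLv3."""
    return lowest_version_permitted(ctx) == ssl.TLSVersion.SSLv3


if __name__ == "__main__":
    for label, ctx in (("pre-fix", permissive_context()),
                       ("fixed", hardened_context())):
        lowest = lowest_version_permitted(ctx)
        print(f"{label:8s} lowest={lowest.name if lowest else None:9s} "
              f"sslv3_fallback={allows_sslv3_fallback(ctx)}")
```

Running the block prints the pre-fix policy bottoming out at SSLv3 and the fixed one at TLS 1.2. Against a live Asterisk the equivalent check is a handshake attempt with `openssl s_client -ssl3 -connect host:port`, which needs an OpenSSL build that still includes SSLv3; on current builds the option is simply absent.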

– For more information about the details of this vulnerability, please read
– security advisory AST-2014-011, which was released at the same time as this
– announcement.

– For a full list of changes in the current releases, please see the ChangeLogs:

– http://downloads.asterisk.org/pub/telephony/certified-asterisk/releases/ChangeLog-1.8.28-cert2
– http://downloads.asterisk.org/pub/telephony/certified-asterisk/releases/ChangeLog-11.6-cert7
– http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-1.8.31.1
– http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-11.13.1
– http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-12.6.1
– http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-13.0.0-beta3

– The security advisory is available at:

– * http://downloads.asterisk.org/pub/security/AST-2014-011.pdf