Advisories » MGASA-2014-0172

Updated asterisk packages fix security vulnerabilities

Publication date: 15 Apr 2014
Type: security
Affected Mageia releases: 4
CVE: CVE-2014-2286, CVE-2014-2287


Updated asterisk packages fix security vulnerabilities:

In Asterisk before 11.8.1, sending an HTTP request that is handled by Asterisk
with a large number of Cookie headers could overflow the stack. You could
even exhaust memory if you sent an unlimited number of headers in the request.

In Asterisk before 11.8.1, an attacker can use up all available file descriptors
using SIP INVITE requests. Each INVITE meeting certain conditions will leak a
channel and several file descriptors. The file descriptors cannot be released
without restarting Asterisk, so the leak accumulates even when the requests are
sent slowly, which may allow intrusion detection systems to be bypassed
(CVE-2014-2287).
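
Because the descriptor leak works even when requests arrive slowly, a request-rate alarm can miss it, while the process's open descriptor count still shows it. The following Python code is an added example, not part of the advisory or of Asterisk: it flags a count that climbs without releasing and projects when the limit is reached. The function names, thresholds, the limit of 1024 and the sample values are assumptions made for illustration.

```python
import os
from typing import List, Optional, Tuple

Sample = Tuple[float, int]  # (unix time in seconds, open descriptor count)

def count_fds(pid: int) -> int:
    """Count a process's open descriptors on Linux (needs access to /proc/<pid>/fd)."""
    return len(os.listdir(f"/proc/{pid}/fd"))

def seconds_until_exhaustion(samples: List[Sample], fd_limit: int,
                             min_growth: int = 50,
                             max_release_ratio: float = 0.2) -> Optional[float]:
    """Return projected seconds until fd_limit if the samples look like a leak, else None.

    Normal call traffic opens and closes descriptors, so the count rises and falls.
    Leaked descriptors are never closed: the count climbs and almost nothing is released.
    """
    if len(samples) < 3:
        return None
    (t_first, c_first), (t_last, c_last) = samples[0], samples[-1]
    growth = c_last - c_first
    elapsed = t_last - t_first
    if growth < min_growth or elapsed <= 0:
        return None
    # Sum of every decrease between consecutive samples.
    released = sum(max(a[1] - b[1], 0) for a, b in zip(samples, samples[1:]))
    if released > max_release_ratio * growth:
        return None  # descriptors are being returned: load, not a leak
    remaining = max(fd_limit - c_last, 0)
    return remaining * elapsed / growth

# Constructed samples, one every 10 minutes. Not captured from a real system.
SLOW_LEAK = [(i * 600.0, 120 + 6 * i) for i in range(13)]   # +6 descriptors per interval
CALL_CHURN = [(0.0, 120), (600.0, 200), (1200.0, 150), (1800.0, 230),
              (2400.0, 170), (3000.0, 250), (3600.0, 180)]  # rises and falls with calls

if __name__ == "__main__":
    for name, data in (("slow leak", SLOW_LEAK), ("call churn", CALL_CHURN)):
        eta = seconds_until_exhaustion(data, fd_limit=1024)  # 1024 is an assumed limit
        print(name, "->", "no leak pattern" if eta is None
              else f"limit reached in ~{eta / 3600:.1f} h")
```

For live use, feed it periodic `count_fds(pid)` readings for the Asterisk process and the descriptor limit that process actually runs with.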