Updated asterisk packages fix CVE-2014-6610 and mitigate POODLE
Publication date: 26 Nov 2014
Modification date: 26 Nov 2014
Type: security
Affected Mageia releases: 3, 4
CVE: CVE-2014-6610
Description
Updated asterisk packages fix security vulnerabilities:
In Asterisk Open Source 11.x before 11.12.1, when an out of call message,
delivered by either the SIP or PJSIP channel driver or the XMPP stack, is
handled in Asterisk, a crash can occur if the channel servicing the message
is sent into the ReceiveFax dialplan application while using the
res_fax_spandsp module (CVE-2014-6610).
In Asterisk Open Source 11.x before 11.13.1, the res_jabber and res_xmpp
modules both use SSLv3 exclusively, and are hence susceptible to
CVE-2014-3566, a.k.a. POODLE. Also, the core TLS handling, used by the
chan_sip channel driver, Asterisk Manager Interface (AMI), and the Asterisk
HTTP server, defaults to allowing SSLv3/SSLv2 fallback. This allows a MITM
to potentially force a connection to fall back to SSLv3, exposing it to the
POODLE vulnerability.
Asterisk has been updated to version 11.14.1, which fixes the CVE-2014-6610
issue, and in which it no longer uses SSLv3 for the res_jabber/res_xmpp
modules. Additionally, when the encryption method is not specified, the
default handling in the TLS core no longer allows for a fallback to SSLv3
or SSLv2. These changes mitigate the POODLE vulnerability.
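As an added illustration that is not part of this advisory, the following audit script flags TLS-enabled sections of an Asterisk configuration that could still negotiate SSLv3/SSLv2: an explicit sslv2/sslv3 method is always reported, and an unset method is reported only for builds older than 11.14.1, where the default still permitted the fallback described above. It assumes the tlsenable and tlsclientmethod option names that the Asterisk TLS core reads from sip.conf, manager.conf and http.conf; the sample configuration is constructed.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in sip.conf/manager.conf style. The option names are the
# ones Asterisk's TLS core reads; the section names and paths are made up.
SAMPLE_CONF = """\
[general]
tlsenable=yes
tlscertfile=/etc/asterisk/keys/asterisk.pem
; tlsclientmethod left unset: pre-11.14.1 builds fall back to SSLv3/SSLv2
[manager-tls]
tlsenable=yes
tlsclientmethod=sslv3   ; explicitly pins a POODLE-affected protocol
[peer-ok]
tlsenable=yes
tlsclientmethod=tlsv1
"""

WEAK_METHODS = {"sslv2", "sslv3"}

def parse_asterisk_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal parser for Asterisk's [section] / key=value syntax (';' comments)."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        header = re.match(r"\[([^\]]+)\]", line)
        if header:
            current = header.group(1)
            sections[current] = {}
            continue
        key, _, value = line.partition("=")
        if current is not None and key.strip():
            sections[current][key.strip().lower()] = value.strip().lower()
    return sections

def audit_tls_sections(text: str, fixed_build: bool) -> List[Tuple[str, str]]:
    """Return (section, finding) pairs for TLS-enabled sections that may still
    negotiate SSLv3/SSLv2. fixed_build=True means Asterisk 11.14.1 or later,
    where an unset method no longer falls back to SSLv3/SSLv2."""
    findings: List[Tuple[str, str]] = []
    for name, opts in parse_asterisk_conf(text).items():
        if opts.get("tlsenable") != "yes":
            continue
        method = opts.get("tlsclientmethod")
        if method in WEAK_METHODS:
            findings.append((name, f"tlsclientmethod={method} pins a POODLE-affected protocol"))
        elif method is None and not fixed_build:
            findings.append((name, "tlsclientmethod unset; pre-11.14.1 default allows SSLv3/SSLv2 fallback"))
    return findings
```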
Other security issues fixed in 11.14.1 include:
- Mixed IP address families in access control lists may permit unwanted
  traffic (AST-2014-012).
- High call load may result in hung channels in ConfBridge (AST-2014-014).
- Permission escalation through ConfBridge actions/dialplan functions
  (AST-2014-017).
- The DB dialplan function, when executed from an external protocol (for
  instance AMI), could result in a privilege escalation (AST-2014-018).
References
- https://bugs.mageia.org/show_bug.cgi?id=14466
- http://downloads.asterisk.org/pub/security/AST-2014-010.html
- http://downloads.asterisk.org/pub/security/AST-2014-011.html
- http://downloads.asterisk.org/pub/security/AST-2014-012.html
- http://downloads.asterisk.org/pub/security/AST-2014-014.html
- http://downloads.asterisk.org/pub/security/AST-2014-017.html
- http://downloads.asterisk.org/pub/security/AST-2014-018.html
- http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-11.14.1
- http://downloads.asterisk.org/pub/telephony/asterisk/asterisk-11.14.1-summary.html
- http://www.mandriva.com/en/support/security/advisories/mbs1/MDVSA-2014%3A218/
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6610
SRPMS
3/core
- asterisk-11.14.1-1.mga3
4/core
- asterisk-11.14.1-1.mga4