Asterisk: Multiple vulnerabilities — GLSA 201209-15

Multiple vulnerabilities have been found in Asterisk, the worst of which may allow execution of arbitrary code.

Affected packages

net-misc/asterisk on all architectures
Affected versions < 1.8.15.1
Unaffected versions >= 1.8.15.1

Background

Asterisk is an open source telephony engine and toolkit.

Description

Multiple vulnerabilities have been found in Asterisk:

  • An error in manager.c allows shell access (CVE-2012-2186).
  • An error in Asterisk could cause all RTP ports to be exhausted (CVE-2012-3812).
  • A double-free error could occur when two parties attempt to manipulate the same voicemail account simultaneously (CVE-2012-3863).
  • Asterisk does not properly implement certain ACL rules (CVE-2012-4737).

Impact

A remote, authenticated attacker could execute arbitrary code with the privileges of the process, cause a Denial of Service condition, or bypass outbound call restrictions.

Workaround

There is no known workaround at this time.

Resolution

All Asterisk users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=net-misc/asterisk-1.8.15.1"
 

References

Release date
September 26, 2012

Latest revision
September 26, 2012: 1

Severity
normal

Exploitable
remote

Bugzilla entries