asterisk: CVE-2010-1224 incorrect parsing of ACL rules


Debian Bug report logs - #576560


Reported by: Nico Golde <nion@debian.org>

Date: Mon, 5 Apr 2010 16:33:01 UTC

Severity: important

Tags: patch, security

Found in version asterisk/1:1.6.1.0~dfsg~rc3-1

Fixed in version asterisk/1:1.6.2.6-1

Done: Tzafrir Cohen <tzafrir@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>: Bug#576560; Package asterisk. (Mon, 05 Apr 2010 16:33:04 GMT)


Acknowledgement sent to Nico Golde <nion@debian.org>: New Bug report received and forwarded. Copy sent to Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>. (Mon, 05 Apr 2010 16:33:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Nico Golde <nion@debian.org>
To: submit@bugs.debian.org
Subject: asterisk: CVE-2010-1224 incorrect parsing of ACL rules
Date: Mon, 5 Apr 2010 18:29:41 +0200
Package: asterisk
Version: 1:1.6.1.0~dfsg~rc3-1
Severity: important
Tags: security patch

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for asterisk.

CVE-2010-1224[0]:
| main/acl.c in Asterisk Open Source 1.6.0.x before 1.6.0.25, 1.6.1.x
| before 1.6.1.17, and 1.6.2.x before 1.6.2.5 does not properly enforce
| remote host access controls when CIDR notation "/0" is used in permit=
| and deny= configuration rules, which causes an improper arithmetic
| shift and might allow remote attackers to bypass ACL rules and access
| services from unauthorized hosts.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

Patch: http://downloads.asterisk.org/pub/security/AST-2010-003-1.6.2.diff

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1224
    http://security-tracker.debian.org/tracker/CVE-2010-1224

-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0xA0A0AAAA
For security reasons, all text in this mail is double-rot13 encrypted.
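The CVE text in the report above attributes the bypass to an improper arithmetic shift when a permit= or deny= rule uses the "/0" prefix. The C program below is an added, constructed illustration of that bug class; it is not code from Asterisk's main/acl.c or from the AST-2010-003 patch, and every name in it (prefix_to_mask_buggy, prefix_to_mask_fixed, parse_rule, acl_apply, check_policy) as well as the rule-evaluation semantics it assumes (rules checked in order, last matching rule wins, addresses matching no rule are allowed) are assumptions made for the example. It derives a netmask from a prefix length both the fragile way (0xFFFFFFFF << (32 - prefix), which shifts by 32 for "/0") and with the /0 edge case handled, then applies a "deny=0.0.0.0/0, permit=192.0.2.0/24" policy to two constructed client addresses.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical names; constructed example, not Asterisk's main/acl.c. */

enum sense { SENSE_DENY = 0, SENSE_ALLOW = 1 };

struct acl_rule {
    enum sense sense;   /* what a match means */
    uint32_t addr;      /* network address, host byte order */
    uint32_t mask;      /* netmask, host byte order */
};

/* Parse a dotted quad into a host-order uint32_t. Returns 0 on failure. */
static int parse_ipv4(const char *s, uint32_t *out)
{
    unsigned a, b, c, d;
    char tail;
    /* %c only matches if something follows the fourth octet: reject trailing junk */
    if (sscanf(s, "%u.%u.%u.%u%c", &a, &b, &c, &d, &tail) != 4) return 0;
    if (a > 255 || b > 255 || c > 255 || d > 255) return 0;
    *out = (a << 24) | (b << 16) | (c << 8) | d;
    return 1;
}

/* The bug class: building a netmask as 0xFFFFFFFF << (32 - prefix).
 * For prefix 0 the shift count is 32, which is undefined behaviour for a
 * 32-bit operand. On x86 the hardware masks the count to 0, so the result
 * is 0xFFFFFFFF: "/0" silently becomes "/32". The "& 31" below reproduces
 * that observed behaviour deterministically so this example does not itself
 * execute undefined code. */
static uint32_t prefix_to_mask_buggy(unsigned prefix)
{
    return 0xFFFFFFFFu << ((32 - prefix) & 31);
}

/* Corrected form: handle the /0 edge case before shifting. */
static uint32_t prefix_to_mask_fixed(unsigned prefix)
{
    if (prefix == 0) return 0;
    if (prefix > 32) prefix = 32;
    return 0xFFFFFFFFu << (32 - prefix);
}

/* Parse "a.b.c.d/n" into a rule, using either mask routine. Returns 0 on failure. */
static int parse_rule(const char *spec, enum sense sense, int use_fixed,
                      struct acl_rule *r)
{
    char addr[32];
    unsigned prefix;
    const char *slash = strchr(spec, '/');
    if (!slash || (size_t)(slash - spec) >= sizeof addr) return 0;
    memcpy(addr, spec, (size_t)(slash - spec));
    addr[slash - spec] = '\0';
    if (sscanf(slash + 1, "%u", &prefix) != 1 || prefix > 32) return 0;
    if (!parse_ipv4(addr, &r->addr)) return 0;
    r->mask = use_fixed ? prefix_to_mask_fixed(prefix) : prefix_to_mask_buggy(prefix);
    r->addr &= r->mask;   /* normalise to the network address */
    r->sense = sense;
    return 1;
}

/* Assumed semantics for this example: rules are checked in order, the last
 * matching rule decides, and an address matching no rule is allowed. */
static enum sense acl_apply(const struct acl_rule *rules, size_t n, uint32_t ip)
{
    enum sense result = SENSE_ALLOW;
    for (size_t i = 0; i < n; i++)
        if ((ip & rules[i].mask) == rules[i].addr)
            result = rules[i].sense;
    return result;
}

/* Evaluate the "deny everything, then permit one subnet" policy for one
 * client address. Returns SENSE_ALLOW or SENSE_DENY, or -1 on a parse error. */
static int check_policy(const char *client, int use_fixed)
{
    struct acl_rule rules[2];
    uint32_t ip;
    if (!parse_rule("0.0.0.0/0", SENSE_DENY, use_fixed, &rules[0])) return -1;
    if (!parse_rule("192.0.2.0/24", SENSE_ALLOW, use_fixed, &rules[1])) return -1;
    if (!parse_ipv4(client, &ip)) return -1;
    return acl_apply(rules, 2, ip);
}

int main(void)
{
    /* Constructed client addresses: one inside the permitted subnet, one outside. */
    const char *clients[] = { "192.0.2.10", "198.51.100.7" };
    for (size_t i = 0; i < 2; i++)
        printf("%-14s buggy=%s fixed=%s\n", clients[i],
               check_policy(clients[i], 0) == SENSE_ALLOW ? "allow" : "deny",
               check_policy(clients[i], 1) == SENSE_ALLOW ? "allow" : "deny");
    return 0;
}
```

With the fragile mask routine the deny=0.0.0.0/0 rule matches only the single address 0.0.0.0, so the out-of-range client 198.51.100.7 hits no rule and falls through to the default allow; with the /0 case handled it is denied as intended. The defender's check is the same as the program's: exercise the ACL with an address outside every permit rule and confirm it is refused. In review, a shift whose count can reach the operand width is exactly what compiler warnings and UBSan (-fsanitize=shift) flag.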

Added tag(s) pending. Request was from Tzafrir Cohen <tzafrir@debian.org> to control@bugs.debian.org. (Mon, 05 Apr 2010 17:51:04 GMT)


Reply sent to Tzafrir Cohen <tzafrir@debian.org>: You have taken responsibility. (Sun, 11 Apr 2010 03:51:03 GMT)


Notification sent to Nico Golde <nion@debian.org>: Bug acknowledged by developer. (Sun, 11 Apr 2010 03:51:03 GMT)


Message #12 received at 576560-close@bugs.debian.org:

From: Tzafrir Cohen <tzafrir@debian.org>
To: 576560-close@bugs.debian.org
Subject: Bug#576560: fixed in asterisk 1:1.6.2.6-1
Date: Sun, 11 Apr 2010 03:49:17 +0000
Source: asterisk
Source-Version: 1:1.6.2.6-1

We believe that the bug you reported is fixed in the latest version of
asterisk, which is due to be installed in the Debian FTP archive:

asterisk-config_1.6.2.6-1_all.deb
  to main/a/asterisk/asterisk-config_1.6.2.6-1_all.deb
asterisk-dbg_1.6.2.6-1_amd64.deb
  to main/a/asterisk/asterisk-dbg_1.6.2.6-1_amd64.deb
asterisk-dev_1.6.2.6-1_all.deb
  to main/a/asterisk/asterisk-dev_1.6.2.6-1_all.deb
asterisk-doc_1.6.2.6-1_all.deb
  to main/a/asterisk/asterisk-doc_1.6.2.6-1_all.deb
asterisk-h423_1.6.2.6-1_amd64.deb
  to main/a/asterisk/asterisk-h423_1.6.2.6-1_amd64.deb
asterisk-sounds-main_1.6.2.6-1_all.deb
  to main/a/asterisk/asterisk-sounds-main_1.6.2.6-1_all.deb
asterisk_1.6.2.6-1.debian.tar.gz
  to main/a/asterisk/asterisk_1.6.2.6-1.debian.tar.gz
asterisk_1.6.2.6-1.dsc
  to main/a/asterisk/asterisk_1.6.2.6-1.dsc
asterisk_1.6.2.6-1_amd64.deb
  to main/a/asterisk/asterisk_1.6.2.6-1_amd64.deb
asterisk_1.6.2.6.orig.tar.gz
  to main/a/asterisk/asterisk_1.6.2.6.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 576560@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Tzafrir Cohen <tzafrir@debian.org> (supplier of updated asterisk package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sat, 10 Apr 2010 21:18:39 +0300
Source: asterisk
Binary: asterisk asterisk-h423 asterisk-doc asterisk-dev asterisk-dbg asterisk-sounds-main asterisk-config
Architecture: source all amd64
Version: 1:1.6.2.6-1
Distribution: unstable
Urgency: low
Maintainer: Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>
Changed-By: Tzafrir Cohen <tzafrir@debian.org>
Description: 
 asterisk   - Open Source Private Branch Exchange (PBX)
 asterisk-config - Configuration files for Asterisk
 asterisk-dbg - Debugging symbols for Asterisk
 asterisk-dev - Development files for Asterisk
 asterisk-doc - Source code documentation for Asterisk
 asterisk-h423 - H.323 protocol support for Asterisk
 asterisk-sounds-main - Core Sound files for Asterisk (English)
Closes: 576560
Changes: 
 asterisk (1:1.6.2.6-1) unstable; urgency=low
 .
   * New upstream release.
     - Fixes AST-2010-003 - CVE-2010-1224 (Closes: #576560).
   * Patch h423-fix-makefile dropped: merged upstream.
   * Patch safe_asterisk-config: Mostly merged upstream.
   * Patch moh_datadir: Make the datadir the default base for moh files
     if a relative path is used.
   * Patch dahdi-fxsks-hookstate: a newer version.
   * sounds/en/ is now an alternative. English sounds installed to
     en_US_f_Allison .
   * Removed empty es/ and fr/ directories under sounds/
   * Patch settings_show_dirs: display the user values of more configurable
     items.
   * Patch dahdi_fxs_false_ringing: Fix having Astribank FXS-s keep ringing if
     answered too soon.
   * Patch followme_prompts: set proper vars when reading followme.conf
   * Patch sqlite3_func_rename: Avoid issues with the name sqlite3_log .
   * Patch h423-extra-target: Allow manually generating channels/h423/Makefile.ast
   * And use it to generate the file before building, as otherwise some libs
     are missing from the link command, resulting in chan_h423.so load fail.
Checksums-Sha1: 
 3103a926fae529804a3a1b7fbb937145c2005858 2086 asterisk_1.6.2.6-1.dsc
 93c25c30fbe2003955362d9ce173367ecc6e5b49 23265995 asterisk_1.6.2.6.orig.tar.gz
 fac280962c53cd62f82c94d73ab4c49deec22abd 61569 asterisk_1.6.2.6-1.debian.tar.gz
 3253f442f5630317ee0deb90e4587d3cb89b1c78 1663360 asterisk-doc_1.6.2.6-1_all.deb
 6385d5b800fd73aeddef203681927ac95f76678e 598498 asterisk-dev_1.6.2.6-1_all.deb
 cdb2c0cc96b4d44a8b250eed702c65aaebb83930 2163346 asterisk-sounds-main_1.6.2.6-1_all.deb
 b7603a83c95cf25090f1d2bb8c8b81e37429d5fd 676916 asterisk-config_1.6.2.6-1_all.deb
 761492fea3fdfa5b70d37c662539f5499ae70aaf 3709860 asterisk_1.6.2.6-1_amd64.deb
 a55c5ada96a33ff5502cde5e381faa4f4c3ae73c 498220 asterisk-h423_1.6.2.6-1_amd64.deb
 d764cbfd1a675d1fe5a528abffaa3a40ab46d81a 21208364 asterisk-dbg_1.6.2.6-1_amd64.deb
Checksums-Sha256: 
 32ae543be3cfae146895b47d8f54bba1a869a1cecd43dbc3bcfbefe90611d5a8 2086 asterisk_1.6.2.6-1.dsc
 2c724a53c40d12fc37100c1daa8312fd99eee26920907e3094c7c2b7d0e7eb61 23265995 asterisk_1.6.2.6.orig.tar.gz
 015c49696624c147f2f5fd38aad50eb54d58e0c39b213bf1f120fa9ef8f5096a 61569 asterisk_1.6.2.6-1.debian.tar.gz
 4a078708f2e57683eef3d37b6b402568c8186a445ad9e1f3bad6a98d46a1d143 1663360 asterisk-doc_1.6.2.6-1_all.deb
 75e7cb88b981f320dedd7db525415d6ae8ebb1f9c0f5594ce05e5a3285296ec5 598498 asterisk-dev_1.6.2.6-1_all.deb
 bccd3658b2fe2e44635a6407a11b58718dfae07ecd7da00f3c36976daf6c6b9d 2163346 asterisk-sounds-main_1.6.2.6-1_all.deb
 63b11d11adb954f2a4df2146d94c117588cee3881b35675ff62837bc05a7755a 676916 asterisk-config_1.6.2.6-1_all.deb
 5c06f129d39184daebb4062b3240fd1dda40a4e47cf59692b89a34c0787faea4 3709860 asterisk_1.6.2.6-1_amd64.deb
 1b6c2ff93f2dec24475b58c0b3766b4636fd6536bb63c9e7796cede8934bbfa1 498220 asterisk-h423_1.6.2.6-1_amd64.deb
 03df662ca57ee3271b790e174481d6c80eb8ae1eefb1aeaccb3948acca3bc713 21208364 asterisk-dbg_1.6.2.6-1_amd64.deb
Files: 
 80e5ff000ca585974e0dceed05c0d40c 2086 comm optional asterisk_1.6.2.6-1.dsc
 f068ef2433eebdc7f6dd635986f36d77 23265995 comm optional asterisk_1.6.2.6.orig.tar.gz
 084bac3bc9be7fa32a1d79824d05de38 61569 comm optional asterisk_1.6.2.6-1.debian.tar.gz
 14c5c8dd0bccfe44c9e57a8801f2efc9 1663360 doc extra asterisk-doc_1.6.2.6-1_all.deb
 a88f1ef1622ce147f32cbcb5a92b5784 598498 devel extra asterisk-dev_1.6.2.6-1_all.deb
 9031b96a4b83708497de156d99d0f5ff 2163346 comm optional asterisk-sounds-main_1.6.2.6-1_all.deb
 725680dd6945d4e18b0aa1533c519e9e 676916 comm optional asterisk-config_1.6.2.6-1_all.deb
 a4e670744d7ba139edd44d8100743c55 3709860 comm optional asterisk_1.6.2.6-1_amd64.deb
 1900b3c38d4bbc98d6a3e202dfea812a 498220 comm optional asterisk-h423_1.6.2.6-1_amd64.deb
 ce1efc7d23f0e57319d9bf4ab2188961 21208364 debug extra asterisk-dbg_1.6.2.6-1_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAkvAykAACgkQxArWdkN9MotDRQCfQuv5yo20OYIPes4Rg9RiFVhr
A00AoMd+rFyfUjrNICUNPysHAVNo8ul9
=3yri
-----END PGP SIGNATURE-----

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 19 May 2010 07:36:17 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 19:03:43 2019; Machine Name: buxtehude


Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.