asterisk: asterisk security advisories: AST-2013-001 / AST-2013-002 / AST-2013-003

Debian Bug report logs - #704114


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Thu, 28 Mar 2013 05:27:02 UTC

Severity: grave

Tags: patch, security, upstream

Found in versions asterisk/1:1.6.2.9-2+squeeze10, asterisk/1:1.8.13.1~dfsg-1

Fixed in version asterisk/1:1.8.13.1~dfsg-2

Done: Tzafrir Cohen <tzafrir@debian.org>

Bug is archived. No further changes may be made.




Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>:
Bug#704114; Package asterisk. (Thu, 28 Mar 2013 05:27:06 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>. (Thu, 28 Mar 2013 05:27:06 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: asterisk: asterisk security advisories: AST-2013-001 / AST-2013-002 / AST-2013-003
Date: Thu, 28 Mar 2013 06:23:32 +0100
Package: asterisk
Severity: grave
Tags: security patch upstream

Hi,

the following vulnerabilities were published for asterisk.

CVE-2013-2685[0]:
Buffer Overflow Exploit Through SIP SDP Header

CVE-2013-2686[1]:
Denial of Service in HTTP server

CVE-2013-2264[2]:
Username disclosure in SIP channel driver

For CVE-2013-2685 the tracker[3] mentions only 1.11.x. Could you
double-check that squeeze, testing and wheezy are not affected?

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] http://security-tracker.debian.org/tracker/CVE-2013-2685
    http://downloads.asterisk.org/pub/security/AST-2013-001.html
[1] http://security-tracker.debian.org/tracker/CVE-2013-2686
    http://downloads.asterisk.org/pub/security/AST-2013-002.html
[2] http://security-tracker.debian.org/tracker/CVE-2013-2264
    http://downloads.asterisk.org/pub/security/AST-2013-003.html
[3] https://issues.asterisk.org/jira/browse/ASTERISK-20901

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>:
Bug#704114; Package asterisk. (Thu, 28 Mar 2013 07:51:04 GMT) (full text, mbox, link).


Acknowledgement sent to Tzafrir Cohen <tzafrir.cohen@xorcom.com>:
Extra info received and forwarded to list. Copy sent to Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>. (Thu, 28 Mar 2013 07:51:04 GMT) (full text, mbox, link).


Message #10 received at 704114@bugs.debian.org (full text, mbox, reply):

From: Tzafrir Cohen <tzafrir.cohen@xorcom.com>
To: Salvatore Bonaccorso <carnil@debian.org>, 704114@bugs.debian.org
Subject: Re: Bug#704114: asterisk: asterisk security advisories: AST-2013-001 / AST-2013-002 / AST-2013-003
Date: Thu, 28 Mar 2013 09:37:30 +0200
On Thu, Mar 28, 2013 at 06:23:32AM +0100, Salvatore Bonaccorso wrote:
> Package: asterisk
> Severity: grave
> Tags: security patch upstream
> 
> Hi,
> 
> the following vulnerabilities were published for asterisk.
> 
> CVE-2013-2685[0]:
> Buffer Overflow Exploit Through SIP SDP Header
> 
> CVE-2013-2686[1]:
> Denial of Service in HTTP server
> 
> CVE-2013-2264[2]:
> Username disclosure in SIP channel driver
> 
> For CVE-2013-2685 the tracker[3] mentions only 1.11.x. Could you
> double-check that squeeze, testing and wheezy are not affected?

According to the Upstream advisories, both are in effect for 1.8.
Didn't yet check backporting it (to our 1.8 in Testing/Unstable) and to
1.6.2 in Stable.

> 
> If you fix the vulnerabilities please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
> 
> For further information see:
> 
> [0] http://security-tracker.debian.org/tracker/CVE-2013-2685
>     http://downloads.asterisk.org/pub/security/AST-2013-001.html
> [1] http://security-tracker.debian.org/tracker/CVE-2013-2686
>     http://downloads.asterisk.org/pub/security/AST-2013-002.html
> [2] http://security-tracker.debian.org/tracker/CVE-2013-2264
>     http://downloads.asterisk.org/pub/security/AST-2013-003.html
> [3] https://issues.asterisk.org/jira/browse/ASTERISK-20901
> 
> Please adjust the affected versions in the BTS as needed.

-- 
               Tzafrir Cohen
icq#16849755              jabber:tzafrir.cohen@xorcom.com
+972-50-7952406           mailto:tzafrir.cohen@xorcom.com
http://www.xorcom.com  iax:guest@local.xorcom.com/tzafrir



Information forwarded to debian-bugs-dist@lists.debian.org, Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>:
Bug#704114; Package asterisk. (Fri, 29 Mar 2013 05:57:04 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>. (Fri, 29 Mar 2013 05:57:04 GMT) (full text, mbox, link).


Message #15 received at 704114@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Tzafrir Cohen <tzafrir.cohen@xorcom.com>
Cc: 704114@bugs.debian.org, Debian Security Team <team@security.debian.org>
Subject: Re: Bug#704114: asterisk: asterisk security advisories: AST-2013-001 / AST-2013-002 / AST-2013-003
Date: Fri, 29 Mar 2013 06:53:31 +0100
Hi Tzafrir

On Thu, Mar 28, 2013 at 09:37:30AM +0200, Tzafrir Cohen wrote:
> On Thu, Mar 28, 2013 at 06:23:32AM +0100, Salvatore Bonaccorso wrote:
> > Package: asterisk
> > Severity: grave
> > Tags: security patch upstream
> > 
> > Hi,
> > 
> > the following vulnerabilities were published for asterisk.
> > 
> > CVE-2013-2685[0]:
> > Buffer Overflow Exploit Through SIP SDP Header
> > 
> > CVE-2013-2686[1]:
> > Denial of Service in HTTP server
> > 
> > CVE-2013-2264[2]:
> > Username disclosure in SIP channel driver
> > 
> > For CVE-2013-2685 the tracker[3] mentions only 1.11.x. Could you
> > double-check that squeeze, testing and wheezy are not affected?
> 
> According to the Upstream advisories, both are in effect for 1.8.
> Didn't yet check backporting it (to our 1.8 in Testing/Unstable) and to
> 1.6.2 in Stable.

Thank you for confirming! (note my above comment was related only to
one of the issues, CVE-2013-2685).

Could you prepare updates to be included via unstable in wheezy?

Thank you for your work!

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>:
Bug#704114; Package asterisk. (Fri, 05 Apr 2013 13:27:09 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>. (Fri, 05 Apr 2013 13:27:09 GMT) (full text, mbox, link).


Message #20 received at 704114@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: 704114@bugs.debian.org
Cc: Debian Security Team <team@security.debian.org>
Subject: Re: Bug#704114: asterisk: asterisk security advisories: AST-2013-001 / AST-2013-002 / AST-2013-003
Date: Fri, 5 Apr 2013 15:24:29 +0200
Hi Tzafrir

On Fri, Mar 29, 2013 at 06:53:31AM +0100, Salvatore Bonaccorso wrote:
> Hi Tzafrir
> 
> On Thu, Mar 28, 2013 at 09:37:30AM +0200, Tzafrir Cohen wrote:
> > On Thu, Mar 28, 2013 at 06:23:32AM +0100, Salvatore Bonaccorso wrote:
> > > Package: asterisk
> > > Severity: grave
> > > Tags: security patch upstream
> > > 
> > > Hi,
> > > 
> > > the following vulnerabilities were published for asterisk.
> > > 
> > > CVE-2013-2685[0]:
> > > Buffer Overflow Exploit Through SIP SDP Header
> > > 
> > > CVE-2013-2686[1]:
> > > Denial of Service in HTTP server
> > > 
> > > CVE-2013-2264[2]:
> > > Username disclosure in SIP channel driver
> > > 
> > > For CVE-2013-2685 the tracker[3] mentions only 1.11.x. Could you
> > > double-check that squeeze, testing and wheezy are not affected?
> > 
> > According to the Upstream advisories, both are in effect for 1.8.
> > Didn't yet check backporting it (to our 1.8 in Testing/Unstable) and to
> > 1.6.2 in Stable.
> 
> Thank you for confirming! (note my above comment was related only to
> one of the issues, CVE-2013-2685).
> 
> Could you prepare updates to be included via unstable in wheezy?

Ping? Did you have a chance to look at it already?

Thanks a lot, and

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>:
Bug#704114; Package asterisk. (Sat, 06 Apr 2013 12:27:07 GMT) (full text, mbox, link).


Acknowledgement sent to Tzafrir Cohen <tzafrir.cohen@xorcom.com>:
Extra info received and forwarded to list. Copy sent to Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>. (Sat, 06 Apr 2013 12:27:07 GMT) (full text, mbox, link).


Message #25 received at 704114@bugs.debian.org (full text, mbox, reply):

From: Tzafrir Cohen <tzafrir.cohen@xorcom.com>
To: Salvatore Bonaccorso <carnil@debian.org>, 704114@bugs.debian.org
Subject: Re: Bug#704114: asterisk: asterisk security advisories: AST-2013-001 / AST-2013-002 / AST-2013-003
Date: Sat, 6 Apr 2013 15:25:20 +0300
On Fri, Apr 05, 2013 at 03:24:29PM +0200, Salvatore Bonaccorso wrote:
> Hi Tzafrir
> 
> On Fri, Mar 29, 2013 at 06:53:31AM +0100, Salvatore Bonaccorso wrote:
> > Hi Tzafrir
> > 
> > On Thu, Mar 28, 2013 at 09:37:30AM +0200, Tzafrir Cohen wrote:
> > > On Thu, Mar 28, 2013 at 06:23:32AM +0100, Salvatore Bonaccorso wrote:
> > > > Package: asterisk
> > > > Severity: grave
> > > > Tags: security patch upstream
> > > > 
> > > > Hi,
> > > > 
> > > > the following vulnerabilities were published for asterisk.
> > > > 
> > > > CVE-2013-2685[0]:
> > > > Buffer Overflow Exploit Through SIP SDP Header
> > > > 
> > > > CVE-2013-2686[1]:
> > > > Denial of Service in HTTP server
> > > > 
> > > > CVE-2013-2264[2]:
> > > > Username disclosure in SIP channel driver
> > > > 
> > > > For CVE-2013-2685 the tracker[3] mentions only 1.11.x. Could you
> > > > double-check that squeeze, testing and wheezy are not affected?
> > > 
> > > According to the Upstream advisories, both are in effect for 1.8.
> > > Didn't yet check backporting it (to our 1.8 in Testing/Unstable) and to
> > > 1.6.2 in Stable.
> > 
> > Thank you for confirming! (note my above comment was related only to
> > one of the issues, CVE-2013-2685).
> > 
> > Could you prepare updates to be included via unstable in wheezy?
> 
> Ping? Did you have a chance to look at it already?

Update:

AST-2013-001 (CVE-2013-2685):
  Not applicable to either Stable or Testing/Unstable:
  new code not included yet even in 1.8.

AST-2013-002 (CVE-2013-2686):
  Applies to Testing/Unstable but not to Stable:
  Testing/Unstable: see patch from Upstream. Stable: httpd code does not
  read HTTP POST variables.

AST-2013-003 (CVE-2013-2264):
  Applies to both Testing and Unstable.
  Testing/Unstable: see patch from Upstream. Stable: Patch backported.

For Unstable/Testing I include two other simple bug fixes. Both trivial
backports from later 1.8.x revisions.

-- 
               Tzafrir Cohen
icq#16849755              jabber:tzafrir.cohen@xorcom.com
+972-50-7952406           mailto:tzafrir.cohen@xorcom.com
http://www.xorcom.com  iax:guest@local.xorcom.com/tzafrir



Reply sent to Tzafrir Cohen <tzafrir@debian.org>:
You have taken responsibility. (Sat, 06 Apr 2013 12:51:23 GMT) (full text, mbox, link).


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sat, 06 Apr 2013 12:51:23 GMT) (full text, mbox, link).


Message #30 received at 704114-close@bugs.debian.org (full text, mbox, reply):

From: Tzafrir Cohen <tzafrir@debian.org>
To: 704114-close@bugs.debian.org
Subject: Bug#704114: fixed in asterisk 1:1.8.13.1~dfsg-2
Date: Sat, 06 Apr 2013 12:47:55 +0000
Source: asterisk
Source-Version: 1:1.8.13.1~dfsg-2

We believe that the bug you reported is fixed in the latest version of
asterisk, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 704114@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Tzafrir Cohen <tzafrir@debian.org> (supplier of updated asterisk package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sat, 06 Apr 2013 14:15:41 +0300
Source: asterisk
Binary: asterisk asterisk-modules asterisk-dahdi asterisk-voicemail asterisk-voicemail-imapstorage asterisk-voicemail-odbcstorage asterisk-ooh423 asterisk-mp3 asterisk-mysql asterisk-mobile asterisk-doc asterisk-dev asterisk-dbg asterisk-config
Architecture: source all amd64
Version: 1:1.8.13.1~dfsg-2
Distribution: unstable
Urgency: high
Maintainer: Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>
Changed-By: Tzafrir Cohen <tzafrir@debian.org>
Description: 
 asterisk   - Open Source Private Branch Exchange (PBX)
 asterisk-config - Configuration files for Asterisk
 asterisk-dahdi - DAHDI devices support for the Asterisk PBX
 asterisk-dbg - Debugging symbols for Asterisk
 asterisk-dev - Development files for Asterisk
 asterisk-doc - Source code documentation for Asterisk
 asterisk-mobile - Bluetooth phone support for the Asterisk PBX
 asterisk-modules - loadable modules for the Asterisk PBX
 asterisk-mp3 - MP3 playback support for the Asterisk PBX
 asterisk-mysql - MySQL database protocol support for the Asterisk PBX
 asterisk-ooh423 - H.323 protocol support for the Asterisk PBX - ooH323c
 asterisk-voicemail - simple voicemail support for the Asterisk PBX
 asterisk-voicemail-imapstorage - IMAP voicemail storage support for the Asterisk PBX
 asterisk-voicemail-odbcstorage - ODBC voicemail storage support for the Asterisk PBX
Closes: 545272 614786 697230 701505 704114
Changes: 
 asterisk (1:1.8.13.1~dfsg-2) unstable; urgency=high
 .
   * Patches backported from Asterisk 1.8.19.1 (Closes: #697230):
     - Patch AST-2012-014 (CVE-2012-5976) - fixes Crashes due to large stack
       allocations when using TCP.
       The following two fixes were also pulled in order to easily apply it:
       - Patch fix-sip-tcp-no-FILE - Switch to reading with a recv loop
       - Patch fix-sip-tls-leak - Memory leak in the SIP TLS code
     - Patch AST-2012-015 (CVE-2012-5977) - Denial of Service Through
       Exploitation of Device State Caching
   * Patch powerpcspe: Fix OSARCH for powerpcspe (Closes: #701505).
   * README.Debian: document running the testsuite.
   * Patch fix_xmpp_19532: fix a crash of the XMPP code (Closes: #545272).
   * Patches backported from Asterisk 1.8.20.2 (Closes: #704114):
     - Patch AST-2013-002 (CVE-2012-2686): Prevent DoS in HTTP server with
       a large POST.
     - Patch AST-2013-003 (CVE-2012-2264): Prevent username disclosure in
       SIP channel driver.
   * Patch bluetooth_bind - fix breakage of chan_mobile (Closes: #614786).
Checksums-Sha1: 
 44deeaec180e8ea1a8b5fadcb437b47f8e0a9210 2997 asterisk_1.8.13.1~dfsg-2.dsc
 47bf9b69eda991176312c44e547e18535e3d289f 383725 asterisk_1.8.13.1~dfsg-2.debian.tar.gz
 682838a4acda2dd6ac6815a1e0e10dbbdf14a773 1990642 asterisk-doc_1.8.13.1~dfsg-2_all.deb
 ecdd8185947fad10b842c43808f712fa10fb4147 958432 asterisk-dev_1.8.13.1~dfsg-2_all.deb
 8fa7dff25ed7098053ad52bb7c4816a20af44a58 999336 asterisk-config_1.8.13.1~dfsg-2_all.deb
 e0d01dfea3849b2231f4be962cd24d413d36a694 1773024 asterisk_1.8.13.1~dfsg-2_amd64.deb
 2fc7e7b14e54911abafe25b88a96846b7157a3ad 2835034 asterisk-modules_1.8.13.1~dfsg-2_amd64.deb
 ad62ed168388d782add5a9a22b20c56572a326eb 924448 asterisk-dahdi_1.8.13.1~dfsg-2_amd64.deb
 1402f4b7688da5eb8edb8632ff5013f9252ec365 693284 asterisk-voicemail_1.8.13.1~dfsg-2_amd64.deb
 9ea2cc9639f3344f6af7745d9aec8cdf82025a1b 710612 asterisk-voicemail-imapstorage_1.8.13.1~dfsg-2_amd64.deb
 42b7a0cd5d37eb16d02e2c60619b4f78428f4aeb 699496 asterisk-voicemail-odbcstorage_1.8.13.1~dfsg-2_amd64.deb
 1e2492cd001cc8bb145bf21ce4e3d9c5aa5e61d0 1037736 asterisk-ooh423_1.8.13.1~dfsg-2_amd64.deb
 5b6d842fce8c1a512091cf89e28262a9d70c544e 632852 asterisk-mp3_1.8.13.1~dfsg-2_amd64.deb
 8e0bfa80bd7efa3e538d417da9349db2cac49c59 658036 asterisk-mysql_1.8.13.1~dfsg-2_amd64.deb
 55e6eb43719cfc7e398d16818f80d4d9f7ddbe80 646350 asterisk-mobile_1.8.13.1~dfsg-2_amd64.deb
 4bc9e9f3b1e262b4a18b1e9132ca8b9794378641 30063412 asterisk-dbg_1.8.13.1~dfsg-2_amd64.deb
Checksums-Sha256: 
 89849cdc7dbfe6a58641d00f47451d8b14b33323d11869cffaf353cff7c3d324 2997 asterisk_1.8.13.1~dfsg-2.dsc
 164fa8209cf09ca0d55ccff68ca5c0106925fb859778e4cdb8c11db70ded35a4 383725 asterisk_1.8.13.1~dfsg-2.debian.tar.gz
 65fff2025ff9f2ca54ff831138f5fffc37c6468f718358b99694d350d384dd1d 1990642 asterisk-doc_1.8.13.1~dfsg-2_all.deb
 6973b0577ae30a7eb5fe06ef203011cd559f4e4b523549663c36122af1a0a3d5 958432 asterisk-dev_1.8.13.1~dfsg-2_all.deb
 2f0610a11d5cde2fc2a2250009040f7d2235d233ee0165cdda387ea9e1d09692 999336 asterisk-config_1.8.13.1~dfsg-2_all.deb
 2f0ae2081b1274aa63393fdde89c263885938da012cecb719e583f903c2fff95 1773024 asterisk_1.8.13.1~dfsg-2_amd64.deb
 15807f0011a6eaa52247e62cf7f53db2a0ebaae9ad036c5c326e587276d3bf2f 2835034 asterisk-modules_1.8.13.1~dfsg-2_amd64.deb
 455b97dc22c5d1115e7f48a29f7682b71f52099c514df0f75944b1e86dfdae00 924448 asterisk-dahdi_1.8.13.1~dfsg-2_amd64.deb
 729a9596ca446331d110aaf7abf20990e788ed5d0de7692af10b756432f2a7d8 693284 asterisk-voicemail_1.8.13.1~dfsg-2_amd64.deb
 d26a732649fcb6977fb678741335ee58c7d2cf82ce5c7e6708a174ccb86a144e 710612 asterisk-voicemail-imapstorage_1.8.13.1~dfsg-2_amd64.deb
 5a15ec459ef6c20a4a1ed87d1aff9f2ba43c60f750499f70518344c111a1d70c 699496 asterisk-voicemail-odbcstorage_1.8.13.1~dfsg-2_amd64.deb
 eccce382fd00fb608609fa9a2060f870348c99fb73f35766a3f67523ac16e65b 1037736 asterisk-ooh423_1.8.13.1~dfsg-2_amd64.deb
 562d61c503610bcb0c68d1bdf8728ae448ef2c9c2a6665c5b7ce0a3773c15474 632852 asterisk-mp3_1.8.13.1~dfsg-2_amd64.deb
 e83d2c9aced0eef64dd9cb29d5104dd8bd88c9617e484bc4a6fedec47b99ea34 658036 asterisk-mysql_1.8.13.1~dfsg-2_amd64.deb
 1438f69b175baf1960ba7e8c8a2fe8453982d497f00197458a309ffd4f44c050 646350 asterisk-mobile_1.8.13.1~dfsg-2_amd64.deb
 88d736ece78908ab1788b4c6e21ec35417bdfb9b1c285c56fd93b2a2223adb72 30063412 asterisk-dbg_1.8.13.1~dfsg-2_amd64.deb
Files: 
 6417f1680400a558fc88d1fe3489a158 2997 comm optional asterisk_1.8.13.1~dfsg-2.dsc
 e3e59cb57da45bfa59bd9d44e87fd8f9 383725 comm optional asterisk_1.8.13.1~dfsg-2.debian.tar.gz
 6621a43552c9007fe39a9d64f36e009e 1990642 doc extra asterisk-doc_1.8.13.1~dfsg-2_all.deb
 012ea04e3c90958b57f4f2af077a8e69 958432 devel extra asterisk-dev_1.8.13.1~dfsg-2_all.deb
 f335f94a1cce11392816b7984a455d6a 999336 comm optional asterisk-config_1.8.13.1~dfsg-2_all.deb
 e924e3d1ab119404299ef1626e5d9454 1773024 comm optional asterisk_1.8.13.1~dfsg-2_amd64.deb
 12ba4a5c0535905238d6e4b8da6ad666 2835034 libs optional asterisk-modules_1.8.13.1~dfsg-2_amd64.deb
 ba55a3695011d6e53eb6a8cc15ea5402 924448 comm optional asterisk-dahdi_1.8.13.1~dfsg-2_amd64.deb
 8946a745e196176c5991ac6249141427 693284 comm optional asterisk-voicemail_1.8.13.1~dfsg-2_amd64.deb
 86992f9a500b3c59ae923a95f0683590 710612 comm optional asterisk-voicemail-imapstorage_1.8.13.1~dfsg-2_amd64.deb
 705ced4dc7b61c1a74577ff9ec1a8b3d 699496 comm optional asterisk-voicemail-odbcstorage_1.8.13.1~dfsg-2_amd64.deb
 0ef84fe24f2c13ba539b59c6dbe9546b 1037736 comm optional asterisk-ooh423_1.8.13.1~dfsg-2_amd64.deb
 29a7c7638b4f0d8a017c9dbf79f6c34f 632852 comm optional asterisk-mp3_1.8.13.1~dfsg-2_amd64.deb
 2273410dc983bcaac8506b64d6412b0d 658036 comm optional asterisk-mysql_1.8.13.1~dfsg-2_amd64.deb
 65ac1a8e20069544dbc588b523777c38 646350 comm optional asterisk-mobile_1.8.13.1~dfsg-2_amd64.deb
 9747dd54d35010cae24da3bab606187c 30063412 debug extra asterisk-dbg_1.8.13.1~dfsg-2_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAlFgEIoACgkQxArWdkN9MoskNQCeKhYqVSoK9vwajzANRV322clg
dw0AoK3CX1VlQjzsJQ54lReRt6awxnyE
=pWhD
-----END PGP SIGNATURE-----




Information forwarded to debian-bugs-dist@lists.debian.org, Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>:
Bug#704114; Package asterisk. (Sun, 07 Apr 2013 19:57:04 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>. (Sun, 07 Apr 2013 19:57:04 GMT) (full text, mbox, link).


Message #35 received at 704114@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Tzafrir Cohen <tzafrir.cohen@xorcom.com>
Cc: 704114@bugs.debian.org
Subject: Re: Bug#704114: asterisk: asterisk security advisories: AST-2013-001 / AST-2013-002 / AST-2013-003
Date: Sun, 7 Apr 2013 21:54:12 +0200
Hi Tzafrir

On Sat, Apr 06, 2013 at 03:25:20PM +0300, Tzafrir Cohen wrote:
> Update:
> 
> AST-2013-001 (CVE-2013-2685):
>   Not applicable to either Stable or Testing/Unstable:
>   new code not included yet even in 1.8.
> 
> AST-2013-002 (CVE-2013-2686):
>   Applies to Testing/Unstable but not to Stable:
>   Testing/Unstable: see patch from Upstream. Stable: httpd code does not
>   read HTTP POST variables.
> 
> AST-2013-003 (CVE-2013-2264):
>   Applies to both Testing and Unstable.
>   Testing/Unstable: see patch from Upstream. Stable: Patch backported.
> 
> For Unstable/Testing I include two other simple bug fixes. Both trivial
> backports from later 1.8.x revisions.

Thanks a lot for your updated information. I have updated according to
this and the closing version in unstable the security tracker.

[Btw, I think there were two typos for the CVEs in the latest
changelog for unstable, which might be worth fixing in a future upload
to unstable (only to keep the references correct, should have been
CVE-2013-2686 and CVE-2013-2264).]

Thanks for your work!

Regards,
Salvatore
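The mistyped CVE ids Salvatore points out are the kind of slip a mechanical cross-check of the changelog against the advisory list catches before upload, which matters because the security tracker keys its "fixed in" state on those references. The following Python is an added example, not tooling from this bug log or from the Debian asterisk package: it parses the changelog entry quoted in message #30 (embedded below as constructed input, with the .changes indentation removed) and diffs the CVE ids and closed bug numbers it references against the identifiers the advisories and this bug say the upload should carry, reporting exactly the two typos.

```python
import re

# Constructed from the changelog entry quoted in message #30 above, with the
# one-space .changes indentation removed. Example input, not a file from the
# asterisk package.
CHANGELOG_ENTRY = """\
asterisk (1:1.8.13.1~dfsg-2) unstable; urgency=high

  * Patches backported from Asterisk 1.8.19.1 (Closes: #697230):
    - Patch AST-2012-014 (CVE-2012-5976) - fixes Crashes due to large stack
      allocations when using TCP.
    - Patch AST-2012-015 (CVE-2012-5977) - Denial of Service Through
      Exploitation of Device State Caching
  * Patch powerpcspe: Fix OSARCH for powerpcspe (Closes: #701505).
  * Patch fix_xmpp_19532: fix a crash of the XMPP code (Closes: #545272).
  * Patches backported from Asterisk 1.8.20.2 (Closes: #704114):
    - Patch AST-2013-002 (CVE-2012-2686): Prevent DoS in HTTP server with
      a large POST.
    - Patch AST-2013-003 (CVE-2012-2264): Prevent username disclosure in
      SIP channel driver.
  * Patch bluetooth_bind - fix breakage of chan_mobile (Closes: #614786).
"""

# First line of a debian/changelog entry: "source (version) dist; urgency=..."
HEADER_RE = re.compile(
    r"^(?P<source>\S+) \((?P<version>[^)]+)\) (?P<dist>\S+); urgency=(?P<urgency>\S+)",
    re.M,
)
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")
# "Closes: #1234" or "Closes: #1234, #5678", as dpkg-genchanges recognises it.
CLOSES_RE = re.compile(r"Closes:((?:\s*,?\s*#\d+)+)", re.I)


def parse_changelog_entry(text: str) -> dict:
    """Extract header fields, CVE ids and closed bug numbers from one entry."""
    m = HEADER_RE.search(text)
    if m is None:
        raise ValueError("no changelog header found")
    closes = set()
    for group in CLOSES_RE.findall(text):
        closes.update(int(n) for n in re.findall(r"\d+", group))
    return {
        "source": m["source"],
        "version": m["version"],
        "distribution": m["dist"],
        "urgency": m["urgency"],
        "cves": set(CVE_RE.findall(text)),
        "closes": closes,
    }


def check_references(entry: dict, expected_cves: set, expected_closes: set) -> dict:
    """Diff the identifiers in the changelog against what the advisories and
    the bug tracker say the upload should reference."""
    return {
        "missing_cves": expected_cves - entry["cves"],
        "unexpected_cves": entry["cves"] - expected_cves,
        "missing_closes": expected_closes - entry["closes"],
        "unexpected_closes": entry["closes"] - expected_closes,
    }


# What this upload should reference: the two AST-2013 CVEs that apply to 1.8
# (message #25) plus the two AST-2012 CVEs the same upload backports, and the
# bug numbers listed in the Closes: field of the .changes file.
EXPECTED_CVES = {"CVE-2012-5976", "CVE-2012-5977", "CVE-2013-2686", "CVE-2013-2264"}
EXPECTED_CLOSES = {545272, 614786, 697230, 701505, 704114}


def run_check(text: str = CHANGELOG_ENTRY) -> dict:
    return check_references(parse_changelog_entry(text), EXPECTED_CVES, EXPECTED_CLOSES)


if __name__ == "__main__":
    for key, ids in run_check().items():
        print(f"{key}: {sorted(ids) or '-'}")
```

Run against the entry above, the check reports CVE-2013-2686 and CVE-2013-2264 as missing and CVE-2012-2686 and CVE-2012-2264 as unexpected, while the closed bug numbers match the Closes: field exactly; that is the same discrepancy Salvatore found by hand.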



Marked as found in versions asterisk/1:1.8.13.1~dfsg-1. Request was from Steven Chamberlain <steven@pyro.eu.org> to control@bugs.debian.org. (Mon, 08 Apr 2013 12:03:04 GMT) (full text, mbox, link).


Marked as found in versions asterisk/1:1.6.2.9-2+squeeze10. Request was from Steven Chamberlain <steven@pyro.eu.org> to control@bugs.debian.org. (Mon, 08 Apr 2013 12:03:04 GMT) (full text, mbox, link).


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 07 May 2013 07:26:50 GMT) (full text, mbox, link).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 15:04:46 2019; Machine Name: buxtehude
