Hi,

Working on it,

On Mon, Apr 23, 2012 at 08:55:58PM +0200, Moritz Muehlenhoff wrote:
> Package: asterisk
> Severity: grave
> Tags: security

At first glance:

> > CVE-2012-2414 http://downloads.asterisk.org/pub/security/AST-2012-004.html

This is for both Squeeze and Wheezy/Sid. The recommended fix in Wheezy/Sid is to upgrade to 1.8.11.1.

This complements AST-2011-006 (and, ahem, copies code from it). Scope is the same:

* The attacker needs to already have access to a manager interface account (not implausible, given that in many cases the security hole is actually in a web interface that controls Asterisk through the manager interface).
* This hole only gives extra permissions if the sysadmin did not provide them (and just about everywhere people just grant all manager interface permissions).

But yeah, this should be fixed for those who properly use the manager interface.

> > CVE-2012-2415 http://downloads.asterisk.org/pub/security/AST-2012-005.html

Skinny is a nickname for SCCP, a proprietary protocol used by some Cisco phones. So most people don't need it. That said, the module is enabled by default and it listens on TCP port 2000 by default. However, exploiting this seems to require a configured Skinny device (in e.g. /etc/asterisk/skinny.conf), so it probably won't work on most systems (e.g. a random system that has both UDP port 4569 open and TCP port 2000 open).

> > CVE-2012-2416 http://downloads.asterisk.org/pub/security/AST-2012-006.html

This seems to only require the remote attacker to be able to establish a SIP call to Asterisk, either being authenticated or as a guest if guests are allowed. Only applies to Wheezy/Sid: the code in Squeeze does not seem to support UPDATE.

-- 
Tzafrir Cohen
icq#16849755 jabber:tzafrir.co...@xorcom.com
+972-50-7952406 mailto:tzafrir.co...@xorcom.com
http://www.xorcom.com iax:gu...@local.xorcom.com/tzafrir
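The two preconditions discussed above (an AMI account that was handed "all" write permissions, and a configured Skinny device in skinny.conf) are things an administrator can check on their own box before deciding how urgent an upgrade is. The following is an added example, not part of this bug thread and not Asterisk's own tooling: a small parser for Asterisk's INI-style config files (sections, `key = value`, `key => value`, `;` comments, `[name](!)` templates) plus two audit helpers. The sample config texts, user names and the set of "high-privilege" write classes are constructed for the example; the permission names (`all`, `system`, `command`, `config`, `originate`) are real AMI classes, but which ones you consider dangerous is a local policy decision.

```python
"""Audit Asterisk manager.conf for over-broad AMI write permissions and
skinny.conf for configured SCCP devices. Example code, not Asterisk's own."""

# AMI write classes that let an authenticated manager user run commands,
# rewrite configuration or place calls. Policy choice for this example.
DANGEROUS_WRITE = {"all", "system", "command", "config", "originate"}


def parse_asterisk_conf(text):
    """Parse Asterisk config text into {section: {key: [values...]}}.

    Asterisk allows a key to repeat (e.g. several permit= lines) and accepts
    both '=' and '=>' as separators, so values are kept as lists."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop ';' comments
        if not line:
            continue
        if line.startswith("[") and "]" in line:
            current = line[1 : line.index("]")]  # ignores '(!)' template marker
            sections.setdefault(current, {})
            continue
        if current is None:
            continue
        if "=>" in line:
            key, value = line.split("=>", 1)
        elif "=" in line:
            key, value = line.split("=", 1)
        else:
            continue
        sections[current].setdefault(key.strip().lower(), []).append(value.strip())
    return sections


def audit_manager_conf(text):
    """Return one finding per manager user: which dangerous write classes it
    holds and whether it is restricted to specific source addresses."""
    findings = []
    for name, opts in parse_asterisk_conf(text).items():
        if name == "general":
            continue
        write = {
            p.strip().lower()
            for v in opts.get("write", [])
            for p in v.split(",")
            if p.strip()
        }
        findings.append(
            {
                "user": name,
                "risky_write": sorted(write & DANGEROUS_WRITE),
                # Without deny/permit the account is reachable from any
                # address that can reach the manager port.
                "source_restricted": bool(opts.get("deny") or opts.get("permit")),
            }
        )
    return findings


def skinny_devices(text):
    """Names of sections declared as type=device in skinny.conf."""
    return [
        name
        for name, opts in parse_asterisk_conf(text).items()
        if any(v.lower() == "device" for v in opts.get("type", []))
    ]


# Constructed sample manager.conf (not from any real system).
SAMPLE_MANAGER_CONF = """\
[general]
enabled = yes
port = 5038
bindaddr = 0.0.0.0

[webgui]   ; typical web front-end account with everything granted
secret = hunter2
deny = 0.0.0.0/0.0.0.0
permit = 127.0.0.1/255.255.255.255
read = all
write = all

[monitor]  ; read-only account, no address restriction
secret = s3cret
read = call,log,verbose
write =

[dialer]   ; can originate calls from anywhere
secret = d1al
read = call
write = originate,call
"""

# Constructed sample skinny.conf with one line and one device.
SAMPLE_SKINNY_CONF = """\
[general]
bindaddr = 0.0.0.0
keepalive = 120

[1000]
type = line
context = default

[SEP001122334455]
type = device
line => 1000
"""

if __name__ == "__main__":
    for f in audit_manager_conf(SAMPLE_MANAGER_CONF):
        print(f)
    print("skinny devices:", skinny_devices(SAMPLE_SKINNY_CONF))
```

Run it against real files with `audit_manager_conf(open("/etc/asterisk/manager.conf").read())`; a user with a non-empty `risky_write` list and `source_restricted` False is the case the thread describes, where the permission bug adds nothing because everything was already granted.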