On Tue, Dec 17, 2013 at 06:17:09PM +0100, Moritz Muehlenhoff wrote:
> On Tue, Dec 17, 2013 at 05:55:14PM +0200, Tzafrir Cohen wrote:
> > On Tue, Dec 17, 2013 at 07:33:53AM +0100, Moritz Muehlenhoff wrote:
> > > Package: asterisk
> > > Severity: grave
> > > Tags: security
> > >
> > > Hi,
> > > please see
> > > http://downloads.asterisk.org/pub/security/AST-2013-006.html and
> > > http://downloads.asterisk.org/pub/security/AST-2013-007.html
> >
> > Looking at them. At first glance: both of them also affect 1.6.2 from
> > old-stable. AST-2013-007 introduces a new configuration item and we have
> > to see what the sane default for it should be.
>
> I think we should follow upstream and keep live_dangerously activated
> We can add a note to the advisory what setting must be tweaked.
Attached are debdiffs for oldstable and stable uploads. I couldn't find CVE entries.

I added an extra bug fix to help me patch the issue, for a bug that is marginally a remote crash bug:
https://issues.asterisk.org/jira/browse/ASTERISK-20658
(Asterisk Realtime means getting some of Asterisk's configuration from a database)

More on AST-2013-007: (maybe shorten it a bit?)

Asterisk employs in its dialplan and various other places a syntax for variable expansion: ${VAR} expands the value of ${VAR}. Similarly there are also some functions that use a similar syntax: ${RANDOM(5)} or ${CUT(20-30-40,-,2)}. Some are more potent, however, such as SHELL (run a shell command and return the output).

The variables were primarily meant for the Asterisk dialplan, but may be accessed through several other interfaces. For instance, the AMI (Asterisk Manager Interface) provides a GetVar command. This will also expand functions.

With the fix for AST-2013-007, a new knob was added in order to allow the system administrator to disable expansion of "dangerous" functions (such as SHELL()) from any interface which is not the dialplan. In Stable and Oldstable this knob is disabled by default. To enable it add the following line to the section '[options]' in /etc/asterisk/asterisk.conf (and restart asterisk)

live_dangerously = no

-- 
Tzafrir Cohen         icq#16849755          jabber:tzafrir.co...@xorcom.com
+972-50-7952406          mailto:tzafrir.co...@xorcom.com
http://www.xorcom.com
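As an added example (not part of the bug report, the advisory or the Debian package), a small Python check that parses an asterisk.conf and reports whether the live_dangerously knob described in the message above has actually been set to no in [options]; the two sample configurations are constructed, and the accepted "false" spellings are assumed to mirror Asterisk's own boolean parsing.

```python
import re
from typing import Optional

# Constructed sample: the [options] section lacks the knob (it is only present as
# a comment), so the Debian stable/oldstable default applies and dangerous
# functions such as SHELL() stay expandable from AMI GetVar and friends.
SAMPLE_DEFAULT_CONF = """\
[directories](!)
astetcdir => /etc/asterisk

[options]
verbose = 3
; live_dangerously = no   <- commented out, must not count as set
"""

# Constructed sample: hardened as the message recommends.
SAMPLE_HARDENED_CONF = """\
[options]
verbose = 3
live_dangerously = no
"""

_SECTION = re.compile(r"^\s*\[([^\]]+)\]")                      # [options], [directories](!)
_ASSIGN = re.compile(r"^\s*([A-Za-z_][\w-]*)\s*(?:=>|=)\s*(.*?)\s*$")  # key = v / key => v

def parse_asterisk_conf(text: str) -> dict:
    """Return {section: {key: value}}; strips ';' comments, accepts '=' and '=>'."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()   # everything after ';' is a comment
        if not line.strip():
            continue
        m = _SECTION.match(line)
        if m:
            section = m.group(1)
            conf.setdefault(section, {})
            continue
        m = _ASSIGN.match(line)
        if m and section is not None:
            conf[section][m.group(1).lower()] = m.group(2)
    return conf

def live_dangerously_setting(text: str) -> Optional[str]:
    """Raw value of [options] live_dangerously, or None when the knob is absent."""
    return parse_asterisk_conf(text).get("options", {}).get("live_dangerously")

def dangerous_functions_blocked(text: str) -> bool:
    """True only when the knob is explicitly false; absent means the default (not blocked)."""
    value = live_dangerously_setting(text)
    # assumed set of spellings Asterisk treats as false (no/false/n/f/0/off)
    return value is not None and value.strip().lower() in ("no", "false", "n", "f", "0", "off")
```

Run it against a real /etc/asterisk/asterisk.conf by passing the file's contents to dangerous_functions_blocked(); note that it does not follow #include lines, so an option pulled in from another file would be reported as absent.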