ESB-2009.1641 - [Debian] asterisk: Multiple vulnerabilities

Date: 16 December 2009
References: ESB-2009.0026  ESB-2009.0318  ESB-2009.1487.2  ESB-2009.1579  

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2009.1641
New asterisk packages fix several vulnerabilities and support for asterisk
                  discontinued for oldstable distribution
                             16 December 2009

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           asterisk
Publisher:         Debian
Operating System:  Debian GNU/Linux 5
Impact/Access:     Access Privileged Data -- Remote with User Interaction
                   Denial of Service      -- Remote with User Interaction
                   Reduced Security       -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2009-4055 CVE-2009-3727 CVE-2009-0041
                   CVE-2008-7220 CVE-2008-3903 CVE-2007-2383

Reference:         ESB-2009.1579
                   ESB-2009.1487.2
                   ESB-2009.0318
                   ESB-2009.0026

Original Bulletin: 
   http://www.debian.org/security/2009/dsa-1952

Comment: This bulletin contains two (2) Debian security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - ------------------------------------------------------------------------
Debian Security Advisory DSA-1952-1                  security@debian.org
http://www.debian.org/security/                      Steffen Joeris
December 15, 2009                     http://www.debian.org/security/faq
- - ------------------------------------------------------------------------

Package        : asterisk
Vulnerability  : several vulnerabilities
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2009-0041 CVE-2008-3903 CVE-2009-3727 CVE-2008-7220 CVE-2009-4055 CVE-2007-2383
Debian Bug     : 513413 522528 554487 554486 559103


Several vulnerabilities have been discovered in asterisk, an Open Source
PBX and telephony toolkit. The Common Vulnerabilities and Exposures
project identifies the following problems:

CVE-2009-0041

It is possible to determine valid login names by probing, because the
IAX2 response from asterisk reveals whether a name is valid (AST-2009-001).

CVE-2008-3903

It is possible to determine a valid SIP username even when Digest
authentication and authalwaysreject are enabled (AST-2009-003).

CVE-2009-3727

It is possible to determine a valid SIP username via multiple crafted
REGISTER messages (AST-2009-008).
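The three enumeration issues above (CVE-2009-0041 over IAX2, CVE-2008-3903 and CVE-2009-3727 over SIP) are fixed by removing the response differences that let a remote client tell a valid username from an invalid one. The advisory says nothing about spotting the probing itself, so the following is an added example, not code from Debian or Asterisk: a detector for username enumeration in Asterisk 1.4 log output. The line shapes are modelled on the NOTICE messages chan_sip.c and chan_iax2.c write to /var/log/asterisk/messages on failed registrations; the sample log, the IP addresses and the 60 s / 5-name thresholds are constructed assumptions for the example, not data from any real system.

```python
"""Spot SIP/IAX2 username enumeration in Asterisk 1.4 logs.

Added example, not part of the Debian advisory or of Asterisk. Enumeration
probes many different usernames from one source in a short time; a phone
with a stale password retries the same name over and over. The detector
therefore counts distinct usernames per source inside a sliding window,
not raw failure counts. Log line shapes are modelled on chan_sip.c and
chan_iax2.c NOTICE messages; the sample below is constructed, not captured
from a real PBX, and the window / threshold values are assumptions to tune.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Default Asterisk log timestamp, e.g. "[Dec 15 10:00:01]" (dateformat=%b %e %T).
TIMESTAMP = re.compile(r"^\[(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2})\]")

# Each pattern yields a 'user' and a 'src' group.
PATTERNS = [
    # chan_sip.c: Registration from '"100" <sip:100@10.0.0.1>' failed for '10.0.0.50' - No matching peer found
    re.compile(r'''chan_sip\.c: Registration from '(?:"[^"]*"\s*)?<sip:(?P<user>[^@>]+)@[^>]*>' '''
               r'''failed for '(?P<src>[\d.]+)(?::\d+)?' - (?P<reason>.+)$'''),
    # chan_iax2.c: No registration for peer '300' (from 10.0.0.99)
    re.compile(r'''chan_iax2\.c: No registration for peer '(?P<user>[^']+)' \(from (?P<src>[\d.]+)\)$'''),
]


def parse_line(line):
    """Return (timestamp, src_ip, username) for a failed-registration line, else None."""
    m = TIMESTAMP.match(line)
    if not m:
        return None
    # Year defaults to 1900; only differences between timestamps are used.
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
    for pat in PATTERNS:
        hit = pat.search(line)
        if hit:
            return ts, hit.group("src"), hit.group("user")
    return None


def find_enumeration(lines, window_s=60, distinct_users=5):
    """Return {src_ip: max distinct usernames tried inside one window} for every
    source that reached distinct_users different names within window_s seconds."""
    recent = defaultdict(deque)   # src -> (ts, user) pairs inside the current window
    alerts = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, src, user = parsed
        q = recent[src]
        q.append((ts, user))
        while (ts - q[0][0]).total_seconds() > window_s:
            q.popleft()
        seen = len({u for _, u in q})
        if seen >= distinct_users:
            alerts[src] = max(alerts.get(src, 0), seen)
    return alerts


# Constructed sample: one SIP scanner (10.0.0.50), one phone with a bad
# password (10.0.0.77), one IAX2 scanner (10.0.0.99), one unrelated line.
SAMPLE_LOG = """\
[Dec 15 10:00:01] NOTICE[2345] chan_sip.c: Registration from '"100" <sip:100@10.0.0.1>' failed for '10.0.0.50' - No matching peer found
[Dec 15 10:00:01] NOTICE[2345] chan_sip.c: Registration from '"101" <sip:101@10.0.0.1>' failed for '10.0.0.50' - No matching peer found
[Dec 15 10:00:02] NOTICE[2345] chan_sip.c: Registration from '"102" <sip:102@10.0.0.1>' failed for '10.0.0.50' - Wrong password
[Dec 15 10:00:02] NOTICE[2345] chan_sip.c: Registration from '"103" <sip:103@10.0.0.1>' failed for '10.0.0.50' - No matching peer found
[Dec 15 10:00:03] NOTICE[2345] chan_sip.c: Registration from '"104" <sip:104@10.0.0.1>' failed for '10.0.0.50' - No matching peer found
[Dec 15 10:00:03] NOTICE[2345] chan_sip.c: Registration from '"105" <sip:105@10.0.0.1>' failed for '10.0.0.50' - No matching peer found
[Dec 15 10:05:00] NOTICE[2345] chan_sip.c: Registration from '"201" <sip:201@10.0.0.1>' failed for '10.0.0.77' - Wrong password
[Dec 15 10:05:05] NOTICE[2345] chan_sip.c: Registration from '"201" <sip:201@10.0.0.1>' failed for '10.0.0.77' - Wrong password
[Dec 15 10:05:10] NOTICE[2345] chan_sip.c: Registration from '"201" <sip:201@10.0.0.1>' failed for '10.0.0.77' - Wrong password
[Dec 15 10:07:00] NOTICE[2346] chan_iax2.c: No registration for peer '300' (from 10.0.0.99)
[Dec 15 10:07:00] NOTICE[2346] chan_iax2.c: No registration for peer '301' (from 10.0.0.99)
[Dec 15 10:07:01] NOTICE[2346] chan_iax2.c: No registration for peer '302' (from 10.0.0.99)
[Dec 15 10:07:01] NOTICE[2346] chan_iax2.c: No registration for peer '303' (from 10.0.0.99)
[Dec 15 10:07:02] NOTICE[2346] chan_iax2.c: No registration for peer '304' (from 10.0.0.99)
[Dec 15 10:07:02] VERBOSE[2346] logger.c:     -- Registered SIP '201' at 10.0.0.77 port 5060
"""

if __name__ == "__main__":
    # On a real host: find_enumeration(open("/var/log/asterisk/messages"))
    print(find_enumeration(SAMPLE_LOG.splitlines()))
```

Note that the "Wrong password" versus "No matching peer found" wording is only visible locally in the log; the patched packages are what stop that distinction from reaching the network. Patching and watching for this pattern are complementary, and the second still matters after the first because a scanner will simply move on to password guessing against the names it already has.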

CVE-2008-7220 CVE-2007-2383

It was discovered that asterisk contains an obsolete copy of the
Prototype JavaScript framework, which is vulnerable to several security
issues. This copy was unused and has now been removed from asterisk
(AST-2009-009).

CVE-2009-4055

It was discovered that it is possible to perform a denial of service
attack via an RTP comfort noise payload with a long data length
(AST-2009-010).
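The advisory gives only the shape of the trigger for CVE-2009-4055: a comfort noise payload whose data length is too long for the receiver. The block below is an added example, not Asterisk's code, of the receiving side done defensively: the RTP header is parsed with a length check at every step (CSRC list, extension, padding) and an RFC 3389 comfort noise payload is accepted only inside a fixed bound, with everything else dropped rather than processed. MAX_CN_PAYLOAD = 24 is an assumed limit chosen for this example; the advisory states no figure. The test packets are built locally, not captured traffic.

```python
"""Bounded parsing of RTP comfort-noise (RFC 3389) packets.

Added example, not Asterisk's code. Every length that comes off the wire
(CSRC count, extension length, padding count, payload size) is checked
against what is actually present before it is used, and a comfort noise
payload outside [1, MAX_CN_PAYLOAD] bytes is rejected. MAX_CN_PAYLOAD is
an assumed value for this example.
"""
import struct

RTP_VERSION = 2
RTP_PT_CN = 13                # static payload type for comfort noise (RFC 3551)
MAX_CN_PAYLOAD = 24           # assumption: 1 noise-level byte + up to 23 spectral bytes


class RtpError(ValueError):
    """Raised for any packet that fails validation; the caller drops it."""


def parse_rtp(pkt):
    """Return (header dict, payload bytes); raise RtpError on any malformed field."""
    if len(pkt) < 12:
        raise RtpError("short header")
    b0, b1, seq, ts, ssrc = struct.unpack("!BBHII", pkt[:12])
    version = b0 >> 6
    if version != RTP_VERSION:
        raise RtpError("RTP version %d" % version)
    padding, ext, cc = bool(b0 & 0x20), bool(b0 & 0x10), b0 & 0x0F
    marker, pt = bool(b1 & 0x80), b1 & 0x7F
    off = 12 + 4 * cc
    if len(pkt) < off:
        raise RtpError("truncated CSRC list")
    csrcs = list(struct.unpack("!%dI" % cc, pkt[12:off]))
    if ext:
        if len(pkt) < off + 4:
            raise RtpError("truncated extension header")
        _profile, ext_words = struct.unpack("!HH", pkt[off:off + 4])
        off += 4 + 4 * ext_words
        if len(pkt) < off:
            raise RtpError("truncated extension body")
    end = len(pkt)
    if padding:
        pad = pkt[-1]             # last octet holds the padding length, itself included
        if pad == 0 or pad > end - off:
            raise RtpError("bad padding count %d" % pad)
        end -= pad
    hdr = {"marker": marker, "pt": pt, "seq": seq, "ts": ts, "ssrc": ssrc, "csrcs": csrcs}
    return hdr, pkt[off:end]


def parse_cn(payload):
    """Validate an RFC 3389 payload: one noise-level byte, then bounded spectral data."""
    if not 1 <= len(payload) <= MAX_CN_PAYLOAD:
        raise RtpError("CN payload length %d out of range" % len(payload))
    level = payload[0] & 0x7F        # 0..127 = -dBov; the top bit is reserved
    return level, payload[1:]


def handle_packet(pkt):
    """One datagram through the guarded path; returns a verdict string for logging."""
    try:
        hdr, payload = parse_rtp(pkt)
        if hdr["pt"] == RTP_PT_CN:
            level, spectral = parse_cn(payload)
            return "cn level=-%ddBov spectral=%d" % (level, len(spectral))
        return "pt=%d payload=%d" % (hdr["pt"], len(payload))
    except RtpError as err:
        return "drop: %s" % err


def build_rtp(pt, seq, ts, ssrc, payload, marker=False):
    """Constructed test packet: V=2, no padding, no extension, no CSRCs."""
    b0 = RTP_VERSION << 6
    b1 = (0x80 if marker else 0) | pt
    return struct.pack("!BBHII", b0, b1, seq, ts, ssrc) + payload


if __name__ == "__main__":
    print(handle_packet(build_rtp(RTP_PT_CN, 1, 160, 0xDEADBEEF, bytes([0x20, 0x10, 0x11]))))
    print(handle_packet(build_rtp(RTP_PT_CN, 2, 320, 0xDEADBEEF, bytes(64))))
```

The design point is that a rejected frame produces no partially filled structure: parse_cn either returns a complete, in-range result or raises, so nothing downstream ever sees a comfort noise frame with an unexpected length or an empty data pointer standing in for one.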


For the stable distribution (lenny), these problems have been fixed in
version 1:1.4.21.2~dfsg-3+lenny1.

The security support for asterisk in the oldstable distribution (etch)
has been discontinued before the end of the regular Etch security
maintenance life cycle. You are strongly encouraged to upgrade to
stable.

For the testing distribution (squeeze) and the unstable distribution
(sid), these problems have been fixed in version 1:1.6.2.0~rc7-1.


We recommend that you upgrade your asterisk packages.

Upgrade instructions
- - --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 5.0 alias lenny
- - --------------------------------

Debian (stable)
- - ---------------

Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.

Source archives:

  http://security.debian.org/pool/updates/main/a/asterisk/asterisk_1.4.21.2~dfsg.orig.tar.gz
    Size/MD5 checksum:  5295205 f641d1140b964e71e38d27bf3b2a2d80
  http://security.debian.org/pool/updates/main/a/asterisk/asterisk_1.4.21.2~dfsg-3+lenny1.dsc
    Size/MD5 checksum:     1984 69dcaf09361976f55a053512fb26d7b5
  http://security.debian.org/pool/updates/main/a/asterisk/asterisk_1.4.21.2~dfsg-3+lenny1.diff.gz
    Size/MD5 checksum:   150880 ba6e81cd6ab443ef04467d57a1d954b3

Architecture independent packages:

  http://security.debian.org/pool/updates/main/a/asterisk/asterisk-sounds-main_1.4.21.2~dfsg-3+lenny1_all.deb
    Size/MD5 checksum:  1897736 f0b7912d2ea0377bbb3c56cbc067d230
  http://security.debian.org/pool/updates/main/a/asterisk/asterisk-config_1.4.21.2~dfsg-3+lenny1_all.deb
    Size/MD5 checksum:   478858 b483c77c21df4ae9cea8a4277f96966a
  http://security.debian.org/pool/updates/main/a/asterisk/asterisk-doc_1.4.21.2~dfsg-3+lenny1_all.deb
    Size/MD5 checksum: 32514900 8d959ce35cc61436ee1e09af475459d1
  http://security.debian.org/pool/updates/main/a/asterisk/asterisk-dev_1.4.21.2~dfsg-3+lenny1_all.deb
    Size/MD5 checksum:   427650 fb8a7dd925c8d209f3007e2a7d6602d8

alpha architecture (DEC Alpha)

  http://security.debian.org/pool/updates/main/a/asterisk/asterisk-dbg_1.4.21.2~dfsg-3+lenny1_alpha.deb
    Size/MD5 checksum: 13039044 3fdf468968472853a921817681130898
  http://security.debian.org/pool/updates/main/a/asterisk/asterisk-h323_1.4.21.2~dfsg-3+lenny1_alpha.deb
    Size/MD5 checksum:   393068 f6360d4fee30fd4e915ce6f381dd5e81
  http://security.debian.org/pool/updates/main/a/asterisk/asterisk_1.4.21.2~dfsg-3+lenny1_alpha.deb
    Size/MD5 checksum:  2761948 017041bb2c755b0e404351134d40808a

amd64 architecture (AMD x86_64 (AMD64))

  http://security.debian.org/pool/updates/main/a/asterisk/asterisk-h323_1.4.21.2~dfsg-3+lenny1_amd64.deb
    Size/MD5 checksum:   397512 6f2936b9f76618b89c7994d094c372cf
  http://security.debian.org/pool/updates/main/a/asterisk/asterisk-dbg_1.4.21.2~dfsg-3+lenny1_amd64.deb
    Size/MD5 checksum: 13086704 ed835ac48b8b0fd614ebc960007b508b
  http://security.debian.org/pool/updates/main/a/asterisk/asterisk_1.4.21.2~dfsg-3+lenny1_amd64.deb
    Size/MD5 checksum:  2605278 dc7e3fe7307e402d8d59504c89434a84

arm architecture (ARM)

  http://security.debian.org/pool/updates/main/a/asterisk/asterisk-dbg_1.4.21.2~dfsg-3+lenny1_arm.deb
    Size/MD5 checksum: 12770542 6b450a1fcae626174db68a0ec9c831be
  http://security.debian.org/pool/updates/main/a/asterisk/asterisk-h323_1.4.21.2~dfsg-3+lenny1_arm.deb
    Size/MD5 checksum:   401766 fee883c4784ad9075da742d83f4baaa3
  http://security.debian.org/pool/updates/main/a/asterisk/asterisk_1.4.21.2~dfsg-3+lenny1_arm.deb
    Size/MD5 checksum:  2510430 cd143e5ccf034d4eba145b2deabe87bd

armel architecture (ARM EABI)

  http://security.debian.org/pool/updates/main/a/asterisk/asterisk-h323_1.4.21.2~dfsg-3+lenny1_armel.deb
    Size/MD5 checksum:   394588 d3e10caf1c6d790306701d9f34ac4fa4
  http://security.debian.org/pool/updates/main/a/asterisk/asterisk_1.4.21.2~dfsg-3+lenny1_armel.deb
    Size/MD5 checksum:  2540364 bb48863ea50a58f2358768c431fa1ca0
  http://security.debian.org/pool/updates/main/a/asterisk/asterisk-dbg_1.4.21.2~dfsg-3+lenny1_armel.deb
    Size/MD5 checksum: 12840170 d02ebc2ddb92f53bcbd089bc4d41bd10

hppa architecture (HP PA RISC)

  http://security.debian.org/pool/updates/main/a/asterisk/asterisk-dbg_1.4.21.2~dfsg-3+lenny1_hppa.deb
    Size/MD5 checksum: 12871212 af107f8cc96f9b0b7030ec28a1967f13
  http://security.debian.org/pool/updates/main/a/asterisk/asterisk_1.4.21.2~dfsg-3+lenny1_hppa.deb
    Size/MD5 checksum:  2780732 8534dd0bd7e9a46264357beeb692df19
  http://security.debian.org/pool/updates/main/a/asterisk/asterisk-h323_1.4.21.2~dfsg-3+lenny1_hppa.deb
    Size/MD5 checksum:   412474 ac2070408bb67f325bd6ad7d3cbf032d

i386 architecture (Intel ia32)

  http://security.debian.org/pool/updates/main/a/asterisk/asterisk_1.4.21.2~dfsg-3+lenny1_i386.deb
    Size/MD5 checksum:  2407006 2bbd456e2d36a734ac0789b6ff7e9d22
  http://security.debian.org/pool/updates/main/a/asterisk/asterisk-dbg_1.4.21.2~dfsg-3+lenny1_i386.deb
    Size/MD5 checksum: 12937820 46acd420961efc6c932d94eec0452ad3
  http://security.debian.org/pool/updates/main/a/asterisk/asterisk-h323_1.4.21.2~dfsg-3+lenny1_i386.deb
    Size/MD5 checksum:   388450 7c9e49cb8610a577d63f3fb77ecd92da

ia64 architecture (Intel ia64)

  http://security.debian.org/pool/updates/main/a/asterisk/asterisk-dbg_1.4.21.2~dfsg-3+lenny1_ia64.deb
    Size/MD5 checksum: 13034554 8ca056f64fd91cc8597716834c894ce9
  http://security.debian.org/pool/updates/main/a/asterisk/asterisk-h323_1.4.21.2~dfsg-3+lenny1_ia64.deb
    Size/MD5 checksum:   426588 9adc9d1948c77775cea4f248c7f261ae
  http://security.debian.org/pool/updates/main/a/asterisk/asterisk_1.4.21.2~dfsg-3+lenny1_ia64.deb
    Size/MD5 checksum:  3469020 6fcb11fa7b42f4cdce76c5c59a44b45c

mips architecture (MIPS (Big Endian))

  http://security.debian.org/pool/updates/main/a/asterisk/asterisk-h323_1.4.21.2~dfsg-3+lenny1_mips.deb
    Size/MD5 checksum:   381612 8373d46bc9e95e7f15821174f7432652
  http://security.debian.org/pool/updates/main/a/asterisk/asterisk-dbg_1.4.21.2~dfsg-3+lenny1_mips.deb
    Size/MD5 checksum: 13433728 245c4ec2754177b5082d809733dc6e28
  http://security.debian.org/pool/updates/main/a/asterisk/asterisk_1.4.21.2~dfsg-3+lenny1_mips.deb
    Size/MD5 checksum:  2464570 6095542e8813aa8b64d025fe6c23697d

powerpc architecture (PowerPC)

  http://security.debian.org/pool/updates/main/a/asterisk/asterisk_1.4.21.2~dfsg-3+lenny1_powerpc.deb
    Size/MD5 checksum:  2806054 30cba312761b5b442ec3fbecf457e2c2
  http://security.debian.org/pool/updates/main/a/asterisk/asterisk-h323_1.4.21.2~dfsg-3+lenny1_powerpc.deb
    Size/MD5 checksum:   391488 ccb3c29a722a0a375aac06bd5937902c
  http://security.debian.org/pool/updates/main/a/asterisk/asterisk-dbg_1.4.21.2~dfsg-3+lenny1_powerpc.deb
    Size/MD5 checksum: 13267248 e867f0f519ddf844b366739c62a88869

sparc architecture (Sun SPARC/UltraSPARC)

  http://security.debian.org/pool/updates/main/a/asterisk/asterisk_1.4.21.2~dfsg-3+lenny1_sparc.deb
    Size/MD5 checksum:  2490436 434bf630723e57b97273291e780953c3
  http://security.debian.org/pool/updates/main/a/asterisk/asterisk-dbg_1.4.21.2~dfsg-3+lenny1_sparc.deb
    Size/MD5 checksum: 12742386 004d7b7016529815d21e2a086c20c718
  http://security.debian.org/pool/updates/main/a/asterisk/asterisk-h323_1.4.21.2~dfsg-3+lenny1_sparc.deb
    Size/MD5 checksum:   389034 601d2368a23b3ee43385b8c28928ba24


  These files will probably be moved into the stable distribution on
  its next update.

- - ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAksniOkACgkQ62zWxYk/rQf4YgCePUowSZn5DwLJ98DvEL7T1mvC
hZYAnicdU3gpH6ErJT0EG2JRC33uaHEv
=qf6k
- -----END PGP SIGNATURE-----

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - ------------------------------------------------------------------------
Debian Security Advisory DSA-1952-2                  security@debian.org
http://www.debian.org/security/                      Steffen Joeris
December 15, 2009                     http://www.debian.org/security/faq
- - ------------------------------------------------------------------------

Package        : asterisk

Security support for asterisk, an Open Source PBX and telephony toolkit,
has been discontinued for the oldstable distribution (etch).
The current version in oldstable is not supported by upstream anymore
and is affected by several security issues. Backporting fixes for these
and any future issues has become unfeasible and therefore we need to
drop our security support for the version in oldstable. We recommend
that all asterisk users upgrade to the stable distribution (lenny).

- - ------------------------------------------------------------------------
Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAksniaEACgkQ62zWxYk/rQcCcwCgigVQZXQlWppjqlX9emMHDrIn
1qAAn2tZkODZpn+aHFtxylMZJYoWE54S
=aJJU
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

If you believe that your computer system has been compromised or attacked in 
any way, we encourage you to let us know by completing the secure National IT 
Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iD8DBQFLKC7sNVH5XJJInbgRAgXiAJkBniIzdoZZjFcs3jX4QAd+2ybJwACggtrE
rXXPSHOuT/EGged3EsjZRUY=
=KaOE
-----END PGP SIGNATURE-----