Date:      Thu, 29 Jan 2015 11:20:52 +0000 (UTC)
From:      Guido Falsi <madpilot@FreeBSD.org>
To:        ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
Subject:   svn commit: r378113 - head/security/vuxml
Message-ID:  <201501291120.t0TBKqIt062812@svn.freebsd.org>

Author: madpilot
Date: Thu Jan 29 11:20:51 2015
New Revision: 378113
URL: https://svnweb.freebsd.org/changeset/ports/378113
QAT: https://qat.redports.org/buildarchive/r378113/

Log:
  Document asterisk security issues.
  
  While here, add CVE number to a previous asterisk entry.

Modified:
  head/security/vuxml/vuln.xml

Modified: head/security/vuxml/vuln.xml
==============================================================================
--- head/security/vuxml/vuln.xml	Thu Jan 29 11:12:00 2015	(r378112)
+++ head/security/vuxml/vuln.xml	Thu Jan 29 11:20:51 2015	(r378113)
@@ -57,6 +57,85 @@ Notes:
 
 -->
 <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">;
+  <vuln vid="7656fc62-a7a7-11e4-96ba-001999f8d30b">
+    <topic>asterisk -- Mitigation for libcURL HTTP request injection vulnerability</topic>
+    <affects>
+      <package>
+	<name>asterisk</name>
+	<range><lt>1.8.32.2</lt></range>
+      </package>
+      <package>
+	<name>asterisk11</name>
+	<range><lt>11.15.1</lt></range>
+      </package>
+      <package>
+	<name>asterisk13</name>
+	<range><lt>13.1.1</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">;
+	<p>The Asterisk project reports:</p>
+	<blockquote cite="http://www.asterisk.org/downloads/security-advisories">;
+	  <p>CVE-2014-8150 reported an HTTP request injection
+	  vulnerability in libcURL. Asterisk uses libcURL in its
+	  func_curl.so module (the CURL() dialplan function), as
+	  well as its res_config_curl.so (cURL realtime backend)
+	  modules.</p>
+	  <p>Since Asterisk may be configured to allow for user-supplied
+	  URLs to be passed to libcURL, it is possible that an
+	  attacker could use Asterisk as an attack vector to inject
+	  unauthorized HTTP requests if the version of libcURL
+	  installed on the Asterisk server is affected by
+	  CVE-2014-8150.</p>
+	</blockquote>
+      </body>
+    </description>
+    <references>
+      <url>http://downloads.asterisk.org/pub/security/AST-2015-002.html</url>;
+    </references>
+    <dates>
+      <discovery>2015-01-12</discovery>
+      <entry>2015-01-29</entry>
+    </dates>
+  </vuln>
+
+  <vuln vid="2eeb6652-a7a6-11e4-96ba-001999f8d30b">
+    <topic>asterisk -- File descriptor leak when incompatible codecs are offered</topic>
+    <affects>
+      <package>
+	<name>asterisk13</name>
+	<range><lt>13.1.1</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">;
+	<p>The Asterisk project reports:</p>
+	<blockquote cite="http://www.asterisk.org/downloads/security-advisories">;
+	  <p>Asterisk may be configured to only allow specific audio
+	  or video codecs to be used when communicating with a
+	  particular endpoint. When an endpoint sends an SDP offer
+	  that only lists codecs not allowed by Asterisk, the offer
+	  is rejected. However, in this case, RTP ports that are
+	  allocated in the process are not reclaimed.</p>
+	  <p>This issue only affects the PJSIP channel driver in
+	  Asterisk. Users of the chan_sip channel driver are not
+	  affected.</p>
+	  <p>As the resources are allocated after authentication,
+	  this issue only affects communications with authenticated
+	  endpoints.</p>
+	</blockquote>
+      </body>
+    </description>
+    <references>
+      <url>http://downloads.asterisk.org/pub/security/AST-2015-001.html</url>;
+    </references>
+    <dates>
+      <discovery>2015-01-06</discovery>
+      <entry>2015-01-29</entry>
+    </dates>
+  </vuln>
+
   <vuln vid="0765de84-a6c1-11e4-a0c1-c485083ca99c">
     <topic>glibc -- gethostbyname buffer overflow</topic>
     <affects>
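Review bot: the new entry 7656fc62-a7a7-11e4-96ba-001999f8d30b names CVE-2014-8150 in its description, but its <references> block carries only the AST-2015-002 URL and no <cvename>CVE-2014-8150</cvename>, so tools that look entries up by CVE (including the CVE-to-entry matching the commit message says it is fixing elsewhere in this same commit) will miss it; add the <cvename> next to the <url>. Also, both new blockquotes set cite="http://www.asterisk.org/downloads/security-advisories" (the generic index) while the <references> point at the specific advisories AST-2015-002.html and AST-2015-001.html; using the specific advisory URL in cite keeps the two consistent. The second entry (2eeb6652-a7a6-11e4-96ba-001999f8d30b) correctly limits <affects> to asterisk13 since the advisory text says only the PJSIP channel driver is affected, and the quoted note that the leak is only reachable by authenticated endpoints is worth keeping in the entry as it is.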
@@ -1372,6 +1451,7 @@ Notes:
     </description>
     <references>
       <url>http://downloads.asterisk.org/pub/security/AST-2014-019.html</url>;
+      <cvename>CVE-2014-9374</cvename>
     </references>
     <dates>
       <discovery>2014-10-30</discovery>
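Review bot: this hunk changes an already published entry (the AST-2014-019 one) by adding <cvename>CVE-2014-9374</cvename>, but the visible part of its <dates> block shows only <discovery>2014-10-30</discovery> and no <modified> element being added or updated; VuXML records a <modified> date whenever a published entry is edited, so confirm that <modified>2015-01-29</modified> is present below the cut-off context before committing. The added line itself is placed correctly, directly after the advisory <url> inside <references>.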



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201501291120.t0TBKqIt062812>