| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <E1S8Inc-000439-EU@mail.digium.com>
Date: Thu, 15 Mar 2012 17:05:32 -0500
From: "Asterisk Security Team" <security@...erisk.org>
To: full-disclosure@...ts.grok.org.uk
Subject: AST-2012-003: Stack Buffer Overflow in HTTP
Manager
Asterisk Project Security Advisory - AST-2012-003
Product Asterisk
Summary Stack Buffer Overflow in HTTP Manager
Nature of Advisory Exploitable Stack Buffer Overflow
Susceptibility Remote Unauthenticated Sessions
Severity Critical
Exploits Known No
Reported On 03/15/2012
Reported By Russell Bryant
Posted On 03/15/2012
Last Updated On March 15, 2012
Advisory Contact Matt Jordan < mjordan AT digium DOT com >
CVE Name
Description An attacker attempting to connect to an HTTP session of the
Asterisk Manager Interface can send an arbitrarily long
string value for HTTP Digest Authentication. This causes a
stack buffer overflow, with the possibility of remote code
injection.
Resolution Upgrade to one of the versions of Asterisk listed in the
"Corrected In" section, or apply a patch specified in the
"Patches" section.
Affected Versions
Product Release Series
Asterisk Open Source 1.8.x All versions
Asterisk Open Source 10.x All versions
Corrected In
Product Release
Asterisk Open Source 1.8.10.1
Asterisk Open Source 10.2.1
Patches
SVN URL Revision
http://downloads.asterisk.org/pub/security/AST-2012-003-1.8.diff v1.8
http://downloads.asterisk.org/pub/security/AST-2012-003-10.diff v10
Links https://issues.asterisk.org/jira/browse/ASTERISK-19542
Asterisk Project Security Advisories are posted at
http://www.asterisk.org/security
This document may be superseded by later versions; if so, the latest
version will be posted at http://downloads.digium.com/pub/security/.pdf
and http://downloads.digium.com/pub/security/.html
Revision History
Date Editor Revisions Made
03-15-2012 Matt Jordan Initial release
Asterisk Project Security Advisory - AST-2012-003
Copyright (c) 2012 Digium, Inc. All Rights Reserved.
Permission is hereby granted to distribute and publish this advisory in its
original, unaltered form.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists