asterisk: (1) Buffer Overflow and (2) User Dialplan Permission Escalation
*Asterisk Project Security Advisory - AST-2013-006*

  Product             Asterisk
  Summary             Buffer Overflow when receiving odd length 16 bit SMS message
  Nature of Advisory  Buffer Overflow and Remote Crash
  Susceptibility      Remote SMS Messages
  Severity            Major
  Exploits Known      None
  Reported On         September 26, 2013
  Reported By         Jan Juergens
  Posted On           December 16, 2013
  Last Updated On     December 16, 2013
  Advisory Contact    Scott Griepentrog <sgriepentrog AT digium DOT com>
  CVE Name            Pending
*Details*: http://seclists.org/fulldisclosure/2013/Dec/139
*Patches*:
  SVN URL                                                                       Revision
  http://downloads.asterisk.org/pub/security/AST-2013-006-1.8.diff              Asterisk 1.8
  http://downloads.asterisk.org/pub/security/AST-2013-006-10.diff               Asterisk 10
  http://downloads.asterisk.org/pub/security/AST-2013-006-10-digiumphones.diff  Asterisk 10-digiumphones
  http://downloads.asterisk.org/pub/security/AST-2013-006-11.diff               Asterisk 11
  http://downloads.asterisk.org/pub/security/AST-2013-006-1.8.15.diff           Certified Asterisk 1.8.15
  http://downloads.asterisk.org/pub/security/AST-2013-006-11.2.diff             Certified Asterisk 11.2
Links: https://issues.asterisk.org/jira/browse/ASTERISK-22590
*Asterisk Project Security Advisory - AST-2013-007*
  Product             Asterisk
  Summary             Asterisk Manager User Dialplan Permission Escalation
  Nature of Advisory  Permission Escalation
  Susceptibility      Remote Authenticated Sessions
  Severity            Minor
  Exploits Known      None
  Reported On         November 25, 2013
  Reported By         Matt Jordan
  Posted On           December 16, 2013
  Last Updated On     December 16, 2013
  Advisory Contact    David Lee <dlee AT digium DOT com>
  CVE Name            Pending
*Details*: http://seclists.org/fulldisclosure/2013/Dec/140
Affected Versions
  Product                     Release Series
  Asterisk Open Source        1.8.x               All Versions
  Asterisk Open Source        10.x                All Versions
  Asterisk with Digiumphones  10.x-digiumphones   All Versions
  Asterisk Open Source        11.x                All Versions
  Certified Asterisk          1.8.x               All Versions
  Certified Asterisk          11.x                All Versions

Corrected In
  Product                     Release
  Asterisk Open Source        1.8.24.1, 10.12.4, 11.6.1
  Asterisk with Digiumphones  10.12.4-digiumphones
  Certified Asterisk          1.8.15-cert4, 11.2-cert3
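A check worth running once the table above is in hand: classify the installed Asterisk against the Corrected In releases of AST-2013-007, series by series, so that a Certified 1.8.15-cert3 is compared with 1.8.15-cert4 and not with 1.8.24.1. This is an added example written for this page, not code from the Asterisk project or from the advisory. It assumes the `asterisk -rx "core show version"` banner begins with a dotted release number, optionally followed by `-certN` or `-digiumphones` (the `certified/` prefix handling is an assumption about the banner, not something the page states), and it reports any series the table does not cover, and any snapshot build without a release number, as `unknown` rather than guessing.

```python
"""Compare an installed Asterisk version with the 'Corrected In' releases
listed in AST-2013-007. Added example for this page; not part of the
advisory and not code from the Asterisk project."""
import re
import subprocess

# Corrected-in releases, copied from the AST-2013-007 table above.
CORRECTED_IN = [
    "1.8.24.1", "10.12.4", "11.6.1",   # Asterisk Open Source
    "10.12.4-digiumphones",            # Asterisk with Digiumphones
    "1.8.15-cert4", "11.2-cert3",      # Certified Asterisk
]

# Dotted release, optional "-certN", optional "-digiumphones". Searching
# rather than anchoring skips any "Asterisk " or "certified/" prefix in the
# banner (an assumption about the banner format).
_VERSION_RE = re.compile(r"(\d+\.\d+(?:\.\d+)*)(?:-cert(\d+))?(-digiumphones)?")


def parse_version(text):
    """Return (numbers, cert, flavor) for the first release token in text.

    flavor is "open", "digiumphones" or "certified". Raises ValueError when
    there is no dotted release number (e.g. an SVN/git snapshot build).
    """
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError("no release number in: %r" % text)
    numbers = tuple(int(x) for x in m.group(1).split("."))
    cert = int(m.group(2)) if m.group(2) else None
    if cert is not None:
        flavor = "certified"
    elif m.group(3):
        flavor = "digiumphones"
    else:
        flavor = "open"
    return numbers, cert, flavor


def series_of(numbers, flavor):
    """Release-series key a version is compared within: '1.8', '10',
    '11', '10-digiumphones', '1.8-cert' or '11-cert'."""
    base = "1.8" if numbers[:2] == (1, 8) else str(numbers[0])
    if flavor == "certified":
        return base + "-cert"
    if flavor == "digiumphones":
        return base + "-digiumphones"
    return base


def sort_key(numbers, cert):
    """Ordering key: numeric tuple first, then the cert counter (0 if none).
    Tuple comparison makes 1.8.24 sort below 1.8.24.1 as required."""
    return (numbers, cert or 0)


# series -> sort key of the first fixed release in that series
FIXED = {}
for _v in CORRECTED_IN:
    _n, _c, _f = parse_version(_v)
    FIXED[series_of(_n, _f)] = sort_key(_n, _c)


def verdict(version_text):
    """'fixed', 'affected', or 'unknown' (series not in the table, or no
    parseable release number)."""
    try:
        numbers, cert, flavor = parse_version(version_text)
    except ValueError:
        return "unknown"
    fixed = FIXED.get(series_of(numbers, flavor))
    if fixed is None:
        return "unknown"
    return "fixed" if sort_key(numbers, cert) >= fixed else "affected"


def check_installed():
    """Ask the running daemon for its version (requires access to the
    Asterisk control socket, normally root) and classify it."""
    out = subprocess.run(["asterisk", "-rx", "core show version"],
                         capture_output=True, text=True, check=True).stdout
    return verdict(out)


if __name__ == "__main__":
    # Constructed banner in the shape `core show version` prints; not real output.
    sample = "Asterisk 11.6.0 built by root @ pbx on a x86_64 running Linux"
    print(sample.split(" built")[0], "->", verdict(sample))
```

`verdict()` deliberately answers `unknown` for a 12.x install or a snapshot build: the table above does not list them, and a version checker that guesses outside its data is worse than one that says so. Run `check_installed()` on the box itself; it only shells out to the `asterisk` CLI.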
*Patches*:
  SVN URL                                                                       Revision
  http://downloads.asterisk.org/pub/security/AST-2013-007-1.8.diff              Asterisk 1.8
  http://downloads.asterisk.org/pub/security/AST-2013-007-10.diff               Asterisk 10
  http://downloads.asterisk.org/pub/security/AST-2013-007-10-digiumphones.diff  Asterisk 10-digiumphones
  http://downloads.asterisk.org/pub/security/AST-2013-007-11.diff               Asterisk 11
  http://downloads.asterisk.org/pub/security/AST-2013-007-1.8.15.diff           Certified Asterisk 1.8.15
  http://downloads.asterisk.org/pub/security/AST-2013-007-11.2.diff             Certified Asterisk 11.2
Links: https://issues.asterisk.org/jira/browse/ASTERISK-22905
(from redmine: issue id 2503, created on 2013-12-17, closed on 2013-12-17)
- Relations:
- child #2504 (closed)
- child #2505 (closed)
- child #2506 (closed)
- child #2507 (closed)