FEDORA-2014-16833 created by jcollie 6 years ago for Fedora 21
obsolete

The Asterisk Development Team has announced security releases for Certified Asterisk 11.6 and Asterisk 11, 12, and 13. The available security releases are released as versions 11.6-cert9, 11.14.2, 12.7.2, and 13.0.2.

These releases are available for immediate download at http://downloads.asterisk.org/pub/telephony/asterisk/releases

The release of these versions resolves the following security vulnerability:

  • AST-2014-019: Remote Crash Vulnerability in WebSocket Server

When handling a WebSocket frame the res_http_websocket module dynamically changes the size of the memory used to allow the provided payload to fit. If a payload length of zero was received the code would incorrectly attempt to resize to zero. This operation would succeed and end up freeing the memory but be treated as a failure. When the session was subsequently torn down this memory would get freed yet again causing a crash.
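
The failure mode described above, as an added illustration in C that is not Asterisk's own code: a hypothetical session buffer resized with realloc() the way the advisory describes, beside a hardened resize that treats a zero-length frame as an explicit release so teardown frees the buffer exactly once. All names are invented for the example; the realloc(p, 0) behaviour it relies on is glibc's.

```c
#include <stdlib.h>
#include <string.h>

struct ws_session {          /* hypothetical state for illustration; not Asterisk's own */
    unsigned char *payload;  /* buffer resized to fit each incoming frame */
    size_t payload_len;
};

/* The pattern AST-2014-019 describes, kept for comparison only (not exercised
 * below): on glibc, realloc(p, 0) frees p and returns NULL, so a zero-length
 * frame releases the buffer yet is reported as a failure, and the now-stale
 * pointer is freed a second time at teardown. */
int ws_payload_resize_vulnerable(struct ws_session *s, size_t len)
{
    unsigned char *p = realloc(s->payload, len);
    if (!p) return -1;       /* len == 0: memory already gone, pointer dangling */
    s->payload = p;
    s->payload_len = len;
    return 0;
}

/* Hardened form: never pass zero to realloc(); keep pointer and length
 * consistent on every path so teardown can call free() exactly once. */
int ws_payload_resize(struct ws_session *s, size_t len)
{
    if (len == 0) {
        free(s->payload);    /* one explicit release; free(NULL) at teardown is a no-op */
        s->payload = NULL;
        s->payload_len = 0;
        return 0;            /* an empty frame is valid, not an error */
    }
    unsigned char *p = realloc(s->payload, len);
    if (!p) return -1;       /* allocation failed; old buffer still owned by s */
    s->payload = p;
    s->payload_len = len;
    return 0;
}

/* Feed frame lengths through the hardened resize, then tear the session
 * down; returns 1 if pointer and length stayed consistent throughout. */
int ws_simulate_frames(const size_t *lens, size_t n)
{
    struct ws_session s = { NULL, 0 };
    int ok = 1;
    for (size_t i = 0; ok && i < n; i++) {
        ok = ws_payload_resize(&s, lens[i]) == 0 && s.payload_len == lens[i]
          && (lens[i] == 0) == (s.payload == NULL);
        if (ok && lens[i]) memset(s.payload, 0xAB, lens[i]);  /* buffer is writable */
    }
    free(s.payload);         /* teardown: safe after any hardened path */
    return ok;
}
```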

For more information about the details of this vulnerability, please read security advisory AST-2014-019, which was released at the same time as this announcement.

For a full list of changes in the current releases, please see the ChangeLogs:

http://downloads.asterisk.org/pub/telephony/certified-asterisk/releases/ChangeLog-11.6-cert9
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-11.14.2
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-12.7.2
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-13.0.2

The security advisory is available at:

This update has been submitted for testing by jcollie.


Taskotron: depcheck test PASSED on i386. Result log: https://taskotron.fedoraproject.org/taskmaster//builders/x86_64/builds/20107/steps/runtask/logs/stdio (results are informative only)

Taskotron: depcheck test PASSED on x86_64. Result log: https://taskotron.fedoraproject.org/taskmaster//builders/x86_64/builds/20107/steps/runtask/logs/stdio (results are informative only)

This update is currently being pushed to the Fedora 21 testing updates repository.


This update has been pushed to testing


This update has reached 7 days in testing and can be pushed to stable now if the maintainer wishes

westford commented & provided feedback 6 years ago (karma)

Works for me using Google Voice and SIP - no regressions


Metadata

Type: security
Karma: 1
Signed
Content Type: RPM
Test Gating
Settings:
  Unstable by Karma: -3
  Stable by Karma: disabled
  Stable by Time: disabled
Dates:
  submitted: 6 years ago
  in testing: 6 years ago
Bugs:
  BZ#1173002 CVE-2014-9374 asterisk: Remote Crash Vulnerability in WebSocket Server (AST-2014-019)
  BZ#1173003 asterisk: Remote Crash Vulnerability in WebSocket Server (AST-2014-019) [fedora-all]