[AsteriskBrasil] Fwd: [asterisk-dev] AST-2014-001: Stack Overflow in HTTP Processing of Cookie Headers.

Sylvio Jollenbeck sylvio.jollenbeck em gmail.com
Monday March 10 18:18:30 BRT 2014


PSC, Super Important....

---------- Forwarded message ----------
From: Asterisk Security Team <security em asterisk.org>
Date: 2014-03-10 18:06 GMT-03:00
Subject: [asterisk-dev] AST-2014-001: Stack Overflow in HTTP Processing of Cookie Headers.
To: asterisk-dev em lists.digium.com


               Asterisk Project Security Advisory - AST-2014-001

         Product        Asterisk
         Summary        Stack Overflow in HTTP Processing of Cookie Headers.
    Nature of Advisory  Denial Of Service
      Susceptibility    Remote Unauthenticated Sessions
         Severity       Moderate
      Exploits Known    No
       Reported On      February 21, 2014
       Reported By      Lucas Molas, researcher at Programa STIC, Fundacion
                        Dr. Manuel Sadosky, Buenos Aires, Argentina
        Posted On       March 10, 2014
     Last Updated On    March 10, 2014
     Advisory Contact   Richard Mudgett <rmudgett AT digium DOT com>
         CVE Name       CVE-2014-2286

    Description  Sending an HTTP request that is handled by Asterisk with a
                 large number of Cookie headers could overflow the stack.
                 You could even exhaust memory if you sent an unlimited
                 number of headers in the request.

    Resolution  The patched versions now handle headers in a fashion that
                prevents a stack overflow. Users should upgrade to a
                corrected version, apply the released patches, or disable
                HTTP support.
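The advisory names the two properties a fixed parser must have: per-header work that does not grow the stack, and an upper bound on how many headers (and how many bytes) one request can make the server process. The following is an added illustration written for this page, not Asterisk's code and not the content of the patches linked below. It scans the header block of a raw HTTP request iteratively, copies Cookie values to the heap, and rejects requests that exceed a header count or size cap; the limit values, function names and the constructed sample request are all assumptions chosen for the example.

```c
/* Added illustration, not Asterisk's code: an iterative, bounded scanner for the
 * header block of an HTTP request. Stack use is constant no matter how many
 * Cookie headers a remote client sends, and both header count and total size are
 * capped (the limit values are assumptions chosen for the example). */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_HEADERS      64     /* assumed cap on header lines per request */
#define MAX_HEADER_BYTES 8192   /* assumed cap on the whole header block   */

enum parse_status { PARSE_OK = 0, PARSE_TOO_MANY_HEADERS, PARSE_TOO_LARGE, PARSE_MALFORMED };

struct cookie_list {
    char **values;  /* heap copies of each Cookie header value, at most MAX_HEADERS */
    size_t count;
};

void free_cookie_list(struct cookie_list *cl)
{
    for (size_t i = 0; cl->values && i < cl->count; i++)
        free(cl->values[i]);
    free(cl->values);
    cl->values = NULL;
    cl->count = 0;
}

/* Case-insensitive match of a header name of exactly n bytes against "Cookie". */
static int is_cookie_name(const char *name, size_t n)
{
    const char *want = "cookie";
    if (n != strlen(want)) return 0;
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)name[i]) != want[i]) return 0;
    return 1;
}

/* Find the end of the current line (*line_end excludes CR/LF). Returns the start
 * of the following line, or NULL when no line terminator is left. */
static const char *next_line(const char *p, const char *end, const char **line_end)
{
    const char *nl = memchr(p, '\n', (size_t)(end - p));
    if (!nl) return NULL;
    *line_end = (nl > p && nl[-1] == '\r') ? nl - 1 : nl;
    return nl + 1;
}

/* Scan a raw request (request line, headers, blank line). On PARSE_OK, *out holds
 * the Cookie values; on any error nothing is leaked and *out is left empty. */
enum parse_status scan_cookie_headers(const char *req, size_t len, struct cookie_list *out)
{
    const char *p = req, *end = req + len, *line_end;
    size_t nheaders = 0;

    out->values = NULL;
    out->count = 0;
    if (len > MAX_HEADER_BYTES)               /* reject oversized input before any work */
        return PARSE_TOO_LARGE;
    if (!(p = next_line(p, end, &line_end)))  /* skip the request line */
        return PARSE_MALFORMED;
    if (!(out->values = calloc(MAX_HEADERS, sizeof *out->values)))
        return PARSE_MALFORMED;

    while (p < end) {                         /* one fixed-size frame, no recursion */
        const char *line = p, *colon, *v;
        if (!(p = next_line(p, end, &line_end))) { free_cookie_list(out); return PARSE_MALFORMED; }
        if (line_end == line) break;          /* blank line terminates the header block */
        if (++nheaders > MAX_HEADERS) { free_cookie_list(out); return PARSE_TOO_MANY_HEADERS; }
        if (!(colon = memchr(line, ':', (size_t)(line_end - line)))) { free_cookie_list(out); return PARSE_MALFORMED; }
        if (!is_cookie_name(line, (size_t)(colon - line))) continue;

        v = colon + 1;
        while (v < line_end && (*v == ' ' || *v == '\t')) v++;
        size_t vlen = (size_t)(line_end - v);
        char *copy = malloc(vlen + 1);        /* heap, never alloca/VLA sized by the client */
        if (!copy) { free_cookie_list(out); return PARSE_MALFORMED; }
        memcpy(copy, v, vlen);
        copy[vlen] = '\0';
        out->values[out->count++] = copy;     /* count <= nheaders <= MAX_HEADERS */
    }
    return PARSE_OK;
}

/* Build a constructed request carrying ncookies Cookie headers (sample input only). */
char *build_request(size_t ncookies, size_t *len)
{
    const char *head = "GET / HTTP/1.1\r\nHost: pbx.example\r\n";
    size_t cap = strlen(head) + 4 + ncookies * 48, off;
    char *buf = malloc(cap);
    if (!buf) return NULL;
    off = (size_t)snprintf(buf, cap, "%s", head);
    for (size_t i = 0; i < ncookies; i++)
        off += (size_t)snprintf(buf + off, cap - off, "Cookie: session=abc%zu\r\n", i);
    off += (size_t)snprintf(buf + off, cap - off, "\r\n");
    *len = off;
    return buf;
}

int main(void)
{
    size_t sizes[] = { 2, 100, 1000 }, len;
    for (size_t i = 0; i < 3; i++) {
        struct cookie_list cl;
        char *req = build_request(sizes[i], &len);
        enum parse_status st = scan_cookie_headers(req, len, &cl);
        printf("%4zu Cookie headers -> status %d, kept %zu\n", sizes[i], st, cl.count);
        free_cookie_list(&cl);
        free(req);
    }
    return 0;
}
```

The two checks fire at different points: the byte cap rejects a very large header block before any line is examined, and the header-count cap stops the loop on the 65th header line even when each line is short. Neither path allocates anything whose size the remote client controls on the stack, which is the defect class the advisory describes.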

                               Affected Versions
                Product              Release Series
         Asterisk Open Source            1.8.x       All versions
         Asterisk Open Source             11.x       All versions
         Asterisk Open Source             12.x       All versions
          Certified Asterisk             1.8.x       All versions
          Certified Asterisk              11.x       All versions

                                  Corrected In
                 Product                              Release
          Asterisk Open Source               1.8.26.1, 11.8.1, 12.1.1
           Certified Asterisk                1.8.15-cert5, 11.6-cert2

                                      Patches
                                 SVN URL                                   Revision
   http://downloads.asterisk.org/pub/security/AST-2014-001-1.8.diff       Asterisk 1.8
   http://downloads.asterisk.org/pub/security/AST-2014-001-11.diff        Asterisk 11
   http://downloads.asterisk.org/pub/security/AST-2014-001-12.diff        Asterisk 12
   http://downloads.asterisk.org/pub/security/AST-2014-001-1.8.15.diff    Certified Asterisk 1.8.15
   http://downloads.asterisk.org/pub/security/AST-2014-001-11.6.diff      Certified Asterisk 11.6

       Links     https://issues.asterisk.org/jira/browse/ASTERISK-23340

    Asterisk Project Security Advisories are posted at
    http://www.asterisk.org/security

    This document may be superseded by later versions; if so, the latest
    version will be posted at
    http://downloads.digium.com/pub/security/AST-2014-001.pdf and
    http://downloads.digium.com/pub/security/AST-2014-001.html

                                Revision History
          Date                  Editor                 Revisions Made
    03/10/14           Richard Mudgett           Initial Revision.

               Asterisk Project Security Advisory - AST-2014-001
              Copyright (c) 2014 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in its
                           original, unaltered form.


-- 
Sylvio Jollenbeck
www.hosannatecnologia.com.br