Executive Summary
Summary | |
---|---|
Title | asterisk security update |
Information | |||
---|---|---|---|
Name | DSA-2835 | First vendor Publication | 2014-01-05 |
Vendor | Debian | Last vendor Modification | 2014-01-05 |
Severity (Vendor) | N/A | Revision | 1 |
Security-Database Scoring CVSS v3
Cvss vector : N/A | |||
---|---|---|---|
Overall CVSS Score | NA | ||
Base Score | NA | Environmental Score | NA |
impact SubScore | NA | Temporal Score | NA |
Exploitability Sub Score | NA | ||
Security-Database Scoring CVSS v2
Cvss vector : (AV:N/AC:L/Au:N/C:N/I:N/A:P) | |||
---|---|---|---|
Cvss Base Score | 5 | Attack Range | Network |
Cvss Impact Score | 2.9 | Attack Complexity | Low |
Cvss Exploit Score | 10 | Authentication | None Required |
Detail
Jan Juergens discovered a buffer overflow in the parser for SMS messages in Asterisk (CVE-2013-7100). An additional change was backported, which is fully described in http://downloads.asterisk.org/pub/security/AST-2013-007.html

With the fix for AST-2013-007, a new configuration option was added that allows the system administrator to disable the expansion of "dangerous" functions (such as SHELL()) from any interface which is not the dialplan. In stable and oldstable this option is disabled by default, i.e. such functions remain expandable from non-dialplan interfaces (AMI, CLI and similar) until the administrator sets it. To enable it, add the following line to the '[options]' section of /etc/asterisk/asterisk.conf and restart asterisk:

live_dangerously = no

For the oldstable distribution (squeeze), this problem has been fixed in version 1:1.6.2.9-2+squeeze12.
For the stable distribution (wheezy), this problem has been fixed in version 1:1.8.13.1~dfsg1-3+deb7u3.
For the testing distribution (jessie), this problem has been fixed in version 1:11.7.0~dfsg-1.
For the unstable distribution (sid), this problem has been fixed in version 1:11.7.0~dfsg-1.

We recommend that you upgrade your asterisk packages.
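Because the protection is off by default on squeeze and wheezy, it is worth auditing asterisk.conf rather than trusting that the package upgrade alone closed the non-dialplan SHELL() path. The following is an added example for this page, not Debian's or the Asterisk project's code: it parses an asterisk.conf fragment and reports whether live_dangerously is effectively "no". It assumes that the truthy value list mirrors Asterisk's ast_true() (yes/true/y/t/1/on), that an absent option behaves like "yes" as the advisory states for stable/oldstable, and that only the [options] section is consulted; the sample configurations are constructed.

```python
"""Audit asterisk.conf for the live_dangerously option introduced with the
AST-2013-007 backport.  Added example for this advisory page; it is not
Debian's or the Asterisk project's code."""
import re

# Assumption: these are the strings Asterisk's ast_true() accepts as "true".
# Anything else (including "no", "false", "0", "off") is treated as false.
_TRUE_VALUES = {"yes", "true", "y", "t", "1", "on"}


def parse_asterisk_conf(text):
    """Minimal parser for Asterisk's INI-style configuration.

    Returns {section_name: [(key, value), ...]} in file order.  Handles
    ';' comments, '[section]' headers (also the '[section](!)' template
    form), and both the '=' and '=>' separators.  Keys and section names
    are lower-cased; values keep their case for the caller to interpret.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        header = re.match(r"^\[([^\]]+)\]", line)
        if header:
            current = header.group(1).strip().lower()
            sections.setdefault(current, [])
            continue
        kv = re.match(r"^([^=]+?)\s*=>?\s*(.*)$", line)
        if kv and current is not None:
            sections[current].append((kv.group(1).strip().lower(), kv.group(2).strip()))
    return sections


def live_dangerously(text, default=True):
    """Effective value of live_dangerously for the given asterisk.conf text.

    'default' models what happens when the option is absent.  Per DSA-2835
    the protection is off by default on squeeze/wheezy, so an absent option
    behaves like 'live_dangerously = yes'.  If the option appears more than
    once, the last occurrence in [options] wins.
    """
    value = default
    for key, val in parse_asterisk_conf(text).get("options", []):
        if key == "live_dangerously":
            value = val.lower() in _TRUE_VALUES
    return value


def audit(text, default=True):
    """Return (ok, message): ok is True only when dangerous functions such as
    SHELL() are restricted to the dialplan."""
    if live_dangerously(text, default):
        return (False, "live_dangerously is effectively 'yes': SHELL() and similar "
                       "functions can be expanded from AMI, CLI and other non-dialplan "
                       "interfaces. Add 'live_dangerously = no' under [options] and "
                       "restart asterisk.")
    return (True, "live_dangerously = no: dangerous functions are limited to the dialplan.")


# Constructed sample configurations (not copied from any real host).
UNPATCHED_CONF = """\
[directories](!)
astetcdir => /etc/asterisk
astmoddir => /usr/lib/asterisk/modules

[options]
verbose = 3
;live_dangerously = no   ; commented out, so it has no effect
"""

HARDENED_CONF = UNPATCHED_CONF + "live_dangerously = no\n"

if __name__ == "__main__":
    for name, conf in (("unpatched", UNPATCHED_CONF), ("hardened", HARDENED_CONF)):
        ok, msg = audit(conf)
        print("%-9s %s  %s" % (name, "PASS" if ok else "FAIL", msg))
```

Run it against the real file with `audit(open("/etc/asterisk/asterisk.conf").read())`. Note that the commented-out line in the sample does not count, a setting placed in another section does not count, and the last `live_dangerously` line inside [options] is the one that takes effect, which is why a grep for the string alone is not a reliable check.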
Original Source
Url : http://www.debian.org/security/2014/dsa-2835 |
CWE : Common Weakness Enumeration
% | Id | Name |
---|---|---|
100 % | CWE-119 | Failure to Constrain Operations within the Bounds of a Memory Buffer |
OVAL Definitions
Definition Id: oval:org.mitre.oval:def:20939 | |||
Oval ID: | oval:org.mitre.oval:def:20939 | ||
Title: | DSA-2835-1 asterisk - buffer overflow | ||
Description: | Jan Juergens discovered a buffer overflow in the parser for SMS messages in Asterisk. | ||
Family: | unix | Class: | patch |
Reference(s): | DSA-2835-1 CVE-2013-7100 | Version: | 5 |
Platform(s): | Debian GNU/Linux 6.0 Debian GNU/Linux 7 Debian GNU/kFreeBSD 6.0 Debian GNU/kFreeBSD 7 | Product(s): | asterisk |
Nessus® Vulnerability Scanner
Date | Description |
---|---|
2014-01-21 | Name : The remote Gentoo host is missing one or more security-related patches. File : gentoo_GLSA-201401-15.nasl - Type : ACT_GATHER_INFO |
2014-01-09 | Name : The remote Fedora host is missing a security update. File : fedora_2013-24108.nasl - Type : ACT_GATHER_INFO |
2014-01-09 | Name : The remote Fedora host is missing a security update. File : fedora_2013-24119.nasl - Type : ACT_GATHER_INFO |
2014-01-09 | Name : The remote Fedora host is missing a security update. File : fedora_2013-24142.nasl - Type : ACT_GATHER_INFO |
2014-01-08 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-2835.nasl - Type : ACT_GATHER_INFO |
2013-12-23 | Name : The remote Mandriva Linux host is missing one or more security updates. File : mandriva_MDVSA-2013-300.nasl - Type : ACT_GATHER_INFO |
2013-12-19 | Name : A telephony application running on the remote host is affected by multiple vu... File : asterisk_ast_2013_007.nasl - Type : ACT_GATHER_INFO |
2013-12-18 | Name : The remote FreeBSD host is missing one or more security-related updates. File : freebsd_pkg_0c39bafc677111e3868f0025905a4771.nasl - Type : ACT_GATHER_INFO |
Alert History
Date | Informations |
---|---|
2014-02-17 11:32:28 | |
2014-01-05 21:19:05 | |