VoIP Mailing List Archives :: View topic - [asterisk-users] AST-2014-001: Stack Overflow in HTTP Processing of Cookie Headers.

Sponsor: VoiceMeUp - Corporate & Wholesale VoIP Services

VoIP Mailing List Archives
Mailing list archives for the VoIP community

[asterisk-users] AST-2014-001: Stack Overflow in HTTP Processing of Cookie Headers.

VoIP Mailing List Archives Forum Index -> Asterisk Users

View previous topic :: View next topic

Author

Message

security at asterisk.org
Guest

Posted: Mon Mar 10, 2014 4:17 pm Post subject: [asterisk-users] AST-2014-001: Stack Overflow in HTTP Proces

Asterisk Project Security Advisory - AST-2014-001 Product Asterisk Summary Stack Overflow in HTTP Processing of Cookie Headers. Nature of Advisory Denial Of Service Susceptibility Remote Unauthenticated Sessions Severity Moderate Exploits Known No Reported On February 21, 2014 Reported By Lucas Molas, researcher at Programa STIC, Fundacion Dr. Manuel Sadosky, Buenos Aires, Argentina Posted On March 10, 2014 Last Updated On March 10, 2014 Advisory Contact Richard Mudgett <rmudgett AT digium DOT com> CVE Name CVE-2014-2286 Description Sending a HTTP request that is handled by Asterisk with a large number of Cookie headers could overflow the stack. You could even exhaust memory if you sent an unlimited number of headers in the request. Resolution The patched versions now handle headers in a fashion that prevents a stack overflow. Users should upgrade to a corrected version, apply the released patches, or disable HTTP support. Affected Versions Product Release Series Asterisk Open Source 1.8.x All versions Asterisk Open Source 11.x All versions Asterisk Open Source 12.x All versions Certified Asterisk 1.8.x All versions Certified Asterisk 11.x All versions Corrected In Product Release Asterisk Open Source 1.8.26.1, 11.8.1, 12.1.1 Certified Asterisk 1.8.15-cert5, 11.6-cert2 Patches SVN URL Revision http://downloads.asterisk.org/pub/security/AST-2014-001-1.8.diff Asterisk 1.8 http://downloads.asterisk.org/pub/security/AST-2014-001-11.diff Asterisk 11 http://downloads.asterisk.org/pub/security/AST-2014-001-12.diff Asterisk 12 http://downloads.asterisk.org/pub/security/AST-2014-001-1.8.15.diff Certified Asterisk 1.8.15 http://downloads.asterisk.org/pub/security/AST-2014-001-11.6.diff Certified Asterisk 11.6 Links https://issues.asterisk.org/jira/browse/ASTERISK-23340 Asterisk Project Security Advisories are posted at http://www.asterisk.org/security This document may be superseded by later versions; if so, the latest version will be posted at http://downloads.digium.com/pub/security/AST-2014-001.pdf and http://downloads.digium.com/pub/security/AST-2014-001.html Revision History Date Editor Revisions Made 03/10/14 Richard Mudgett Initial Revision. Asterisk Project Security Advisory - AST-2014-001 Copyright (c) 2014 Digium, Inc. All Rights Reserved. Permission is hereby granted to distribute and publish this advisory in its original, unaltered form. -- _____________________________________________________________________ -- Bandwidth and Colocation Provided by http://www.api-digital.com -- New to Asterisk? Join us for a live introductory webinar every Thurs: http://www.asterisk.org/hello asterisk-users mailing list To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users

Display posts from previous:

	VoIP Mailing List Archives Forum Index -> Asterisk Users	All times are GMT - 5 Hours
Page 1 of 1

You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum