[AsteriskBrasil] Fwd: [asterisk-dev] AST-2013-002: Denial of Service in HTTP server
Sylvio Jollenbeck
sylvio.jollenbeck em gmail.com
Quarta Março 27 19:55:24 BRT 2013
PSC
---------- Forwarded message ----------
From: Asterisk Security Team <security em asterisk.org>
Date: 2013/3/27
Subject: [asterisk-dev] AST-2013-002: Denial of Service in HTTP server
To: asterisk-dev em lists.digium.com
Asterisk Project Security Advisory - AST-2013-002
Product Asterisk
Summary Denial of Service in HTTP server
Nature of Advisory Denial of Service
Susceptibility Remote Unauthenticated Sessions
Severity Major
Exploits Known None
Reported On January 21, 2013
Reported By Christoph Hebeisen, TELUS Security Labs
Posted On March 27, 2013
Last Updated On March 27, 2013
Advisory Contact Mark Michelson <mmichelson AT digium DOT com>
CVE Name CVE-2013-2686
Description AST-2012-014 [1], fixed in January of this year, contained a
fix for Asterisk's HTTP server since it was susceptible to a
remotely-triggered crash.
The fix put in place fixed the possibility for the crash to
be
triggered, but a possible denial of service still exists if
an
attacker sends one or more HTTP POST requests with very large
Content-Length values.
[1]
http://downloads.asterisk.org/pub/security/AST-2012-014.html
Resolution Content-Length is now capped at a maximum value of 1024
bytes. Any attempt to send an HTTP POST with content-length
greater than this cap will not result in any memory
allocated. The POST will be responded to with an HTTP 413
"Request Entity Too Large" response.
Affected Versions
Product Release Series
Asterisk Open Source 1.8.x 1.8.19.1, 1.8.20.0, 1.8.20.1
Asterisk Open Source 10.x 10.11.1, 10.12.0, 10.12.1
Asterisk Open Source 11.x 11.1.2, 11.2.0, 11.2.1
Certified Asterisk 1.8.15 1.8.15-cert1
Asterisk Digiumphones 10.x-digiumphones 10.11.1-digiumphones,
10.12.0-digiumphones,
10.12.1-digiumphones
Corrected In
Product Release
Asterisk Open Source 1.8.20.2, 10.12.2, 11.2.2
Certified Asterisk 1.8.15-cert2
Asterisk Digiumphones 10.12.2-digiumphones
Patches
SVN URL
Revision
http://downloads.asterisk.org/pub/security/AST-2012-014-1.8.diff
Asterisk
1.8
http://downloads.asterisk.org/pub/security/AST-2012-014-10.diff
Asterisk
10
http://downloads.asterisk.org/pub/security/AST-2012-014-11.diff
Asterisk
11
http://downloads.asterisk.org/pub/security/AST-2012-014-1.8.15-cert.diffCertified
Asterisk
1.8.15
+------------------------------------------------------------------------+
| Links | https://issues.asterisk.org/jira/browse/ASTERISK-20967
|
| | http://telussecuritylabs.com/threats/show/TSL20130327-01
|
+------------------------------------------------------------------------+
Asterisk Project Security Advisories are posted at
http://www.asterisk.org/security
This document may be superseded by later versions; if so, the latest
version will be posted at
http://downloads.digium.com/pub/security/AST-2013-002.pdf and
http://downloads.digium.com/pub/security/AST-2013-002.html
Revision History
Date Editor Revisions Made
February 12, 2013 Mark Michelson Initial Draft
March 27, 2013 Matt Jordan Updated CVE
Asterisk Project Security Advisory - AST-2013-002
Copyright (c) 2013 Digium, Inc. All Rights Reserved.
Permission is hereby granted to distribute and publish this advisory in
its
original, unaltered form.
--
_____________________________________________________________________
-- Bandwidth and Colocation Provided by http://www.api-digital.com --
asterisk-dev mailing list
To UNSUBSCRIBE or update options visit:
http://lists.digium.com/mailman/listinfo/asterisk-dev
--
Sylvio Jollenbeck
www.hosannatecnologia.com.br
-------------- Próxima Parte ----------
Um anexo em HTML foi limpo...
URL: http://listas.asteriskbrasil.org/pipermail/asteriskbrasil/attachments/20130327/058bac70/attachment.htm
Mais detalhes sobre a lista de discussão AsteriskBrasil