<div dir="ltr">PSC<br><div><br><div class="gmail_quote">---------- Forwarded message ----------<br>From: <b class="gmail_sendername">Asterisk Security Team</b> <span dir="ltr">&lt;<a href="mailto:security@asterisk.org">security@asterisk.org</a>&gt;</span><br>
Date: 2013/3/27<br>Subject: [asterisk-dev] AST-2013-002: Denial of Service in HTTP server<br>To: <a href="mailto:asterisk-dev@lists.digium.com">asterisk-dev@lists.digium.com</a><br><br><br>               Asterisk Project Security Advisory - AST-2013-002<br>

<br>
          Product         Asterisk<br>
          Summary         Denial of Service in HTTP server<br>
     Nature of Advisory   Denial of Service<br>
       Susceptibility     Remote Unauthenticated Sessions<br>
          Severity        Major<br>
       Exploits Known     None<br>
        Reported On       January 21, 2013<br>
        Reported By       Christoph Hebeisen, TELUS Security Labs<br>
         Posted On        March 27, 2013<br>
      Last Updated On     March 27, 2013<br>
      Advisory Contact    Mark Michelson &lt;mmichelson AT digium DOT com&gt;<br>
          CVE Name        CVE-2013-2686<br>
<br>
   Description AST-2012-014 [1], fixed in January of this year, contained a<br>
               fix for Asterisk&#39;s HTTP server since it was susceptible to a<br>
               remotely-triggered crash.<br>
<br>
               The fix put in place fixed the possibility for the crash to be<br>
               triggered, but a possible denial of service still exists if an<br>
               attacker sends one or more HTTP POST requests with very large<br>
               Content-Length values.<br>
<br>
               [1]<br>
               <a href="http://downloads.asterisk.org/pub/security/AST-2012-014.html" target="_blank">http://downloads.asterisk.org/pub/security/AST-2012-014.html</a><br>
<br>
    Resolution  Content-Length is now capped at a maximum value of 1024<br>
                bytes. Any attempt to send an HTTP POST with content-length<br>
                greater than this cap will not result in any memory<br>
                allocated. The POST will be responded to with an HTTP 413<br>
                &quot;Request Entity Too Large&quot; response.<br>
<br>
                               Affected Versions<br>
           Product          Release Series<br>
    Asterisk Open Source         1.8.x        1.8.19.1, 1.8.20.0, 1.8.20.1<br>
    Asterisk Open Source         10.x         10.11.1, 10.12.0, 10.12.1<br>
    Asterisk Open Source         11.x         11.1.2, 11.2.0, 11.2.1<br>
     Certified Asterisk         1.8.15        1.8.15-cert1<br>
    Asterisk Digiumphones  10.x-digiumphones  10.11.1-digiumphones,<br>
                                              10.12.0-digiumphones,<br>
                                              10.12.1-digiumphones<br>
<br>
                                  Corrected In<br>
                 Product                              Release<br>
          Asterisk Open Source               1.8.20.2, 10.12.2, 11.2.2<br>
           Certified Asterisk                      1.8.15-cert2<br>
          Asterisk Digiumphones                10.12.2-digiumphones<br>
<br>
                                     Patches<br>
                                SVN URL                                  Revision<br>
<a href="http://downloads.asterisk.org/pub/security/AST-2012-014-1.8.diff" target="_blank">http://downloads.asterisk.org/pub/security/AST-2012-014-1.8.diff</a>         Asterisk<br>
                                                                         1.8<br>
<a href="http://downloads.asterisk.org/pub/security/AST-2012-014-10.diff" target="_blank">http://downloads.asterisk.org/pub/security/AST-2012-014-10.diff</a>          Asterisk<br>
                                                                         10<br>
<a href="http://downloads.asterisk.org/pub/security/AST-2012-014-11.diff" target="_blank">http://downloads.asterisk.org/pub/security/AST-2012-014-11.diff</a>          Asterisk<br>
                                                                         11<br>
<a href="http://downloads.asterisk.org/pub/security/AST-2012-014-1.8.15-cert.diff" target="_blank">http://downloads.asterisk.org/pub/security/AST-2012-014-1.8.15-cert.diff</a> Certified<br>
                                                                         Asterisk<br>
                                                                         1.8.15<br>
<br>
   +------------------------------------------------------------------------+<br>
   |  Links   | <a href="https://issues.asterisk.org/jira/browse/ASTERISK-20967" target="_blank">https://issues.asterisk.org/jira/browse/ASTERISK-20967</a>      |<br>
   |          | <a href="http://telussecuritylabs.com/threats/show/TSL20130327-01" target="_blank">http://telussecuritylabs.com/threats/show/TSL20130327-01</a>    |<br>
   +------------------------------------------------------------------------+<br>
<br>
    Asterisk Project Security Advisories are posted at<br>
    <a href="http://www.asterisk.org/security" target="_blank">http://www.asterisk.org/security</a><br>
<br>
    This document may be superseded by later versions; if so, the latest<br>
    version will be posted at<br>
    <a href="http://downloads.digium.com/pub/security/AST-2013-002.pdf" target="_blank">http://downloads.digium.com/pub/security/AST-2013-002.pdf</a> and<br>
    <a href="http://downloads.digium.com/pub/security/AST-2013-002.html" target="_blank">http://downloads.digium.com/pub/security/AST-2013-002.html</a><br>
<br>
                                Revision History<br>
            Date                  Editor               Revisions Made<br>
    February 12, 2013      Mark Michelson        Initial Draft<br>
    March 27, 2013         Matt Jordan           Updated CVE<br>
<br>
               Asterisk Project Security Advisory - AST-2013-002<br>
              Copyright (c) 2013 Digium, Inc. All Rights Reserved.<br>
  Permission is hereby granted to distribute and publish this advisory in its<br>
                           original, unaltered form.<br>
<br>
<br>
--<br>
_____________________________________________________________________<br>
-- Bandwidth and Colocation Provided by <a href="http://www.api-digital.com" target="_blank">http://www.api-digital.com</a> --<br>
<br>
asterisk-dev mailing list<br>
To UNSUBSCRIBE or update options visit:<br>
   <a href="http://lists.digium.com/mailman/listinfo/asterisk-dev" target="_blank">http://lists.digium.com/mailman/listinfo/asterisk-dev</a><br>
</div><br><br clear="all"><br>-- <br><span style="font-family:trebuchet ms,sans-serif">Sylvio Jollenbeck<br><font size="1"><a href="http://www.hosannatecnologia.com.br/" target="_blank">www.hosannatecnologia.com.br</a></font></span><br>
<img src="http://www.hosannatecnologia.com.br/pixel.fw.png"><br>
</div></div>