<div class="gmail_quote">---------- Forwarded message ----------<br>From: "Asterisk Security Team" <<a href="mailto:security@asterisk.org">security@asterisk.org</a>><br>Date: 28/01/2015 21:31<br>Subject: [asterisk-dev] AST-2015-001: File descriptor leak when incompatible codecs are offered<br>To: <<a href="mailto:asterisk-dev@lists.digium.com">asterisk-dev@lists.digium.com</a>><br>Cc: <br><br type="attribution"> Asterisk Project Security Advisory - AST-2015-001<br>
<br>
Product: Asterisk<br>
Summary: File descriptor leak when incompatible codecs are offered<br>
Nature of Advisory: Resource exhaustion<br>
Susceptibility: Remote Authenticated Sessions<br>
Severity: Major<br>
Exploits Known: No<br>
Reported On: 6 January, 2015<br>
Reported By: Y Ateya<br>
Posted On: 9 January, 2015<br>
Last Updated On: January 28, 2015<br>
Advisory Contact: Mark Michelson <mmichelson AT digium DOT com><br>
CVE Name: Pending<br>
<br>
Description: Asterisk may be configured to only allow specific audio or video codecs to be used when communicating with a particular endpoint. When an endpoint sends an SDP offer that only lists codecs not allowed by Asterisk, the offer is rejected. However, in this case, RTP ports that are allocated in the process are not reclaimed.<br>
<br>
This issue only affects the PJSIP channel driver in Asterisk. Users of the chan_sip channel driver are not affected.<br>
<br>
As the resources are allocated after authentication, this issue only affects communications with authenticated endpoints.<br>
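To make the allocation-ordering point in the description concrete, here is an added example (not Asterisk or PJSIP code) that models an RTP port pool and contrasts a handler that rejects an incompatible SDP offer without returning its port with one that reclaims it on the rejection path; the codec allow-list, the port range and the SDP offers are constructed for illustration.

```python
import re
from typing import Callable, List, Optional

# Constructed allow-list standing in for an endpoint's configured codecs (assumption).
ALLOWED_CODECS = {"PCMU", "PCMA", "opus"}

class RtpPortPool:
    """Minimal stand-in for an RTP port allocator: tracks ports handed out and not returned."""
    def __init__(self, start: int = 10000, end: int = 10010) -> None:
        self.free = list(range(start, end, 2))  # even port for RTP, odd neighbour for RTCP
        self.in_use: set = set()

    def allocate(self) -> int:
        port = self.free.pop(0)  # raises IndexError once the pool is exhausted
        self.in_use.add(port)
        return port

    def release(self, port: int) -> None:
        self.in_use.discard(port)
        self.free.append(port)

def offered_codecs(sdp: str) -> set:
    """Collect codec names from 'a=rtpmap:<pt> <name>/<rate>' lines of an SDP body."""
    return {m.group(1) for m in re.finditer(r"^a=rtpmap:\d+ ([^/\s]+)/", sdp, re.M)}

def handle_offer_leaky(pool: RtpPortPool, sdp: str) -> Optional[int]:
    """Ordering described in the advisory: allocate first, then check the offer."""
    port = pool.allocate()
    if not (offered_codecs(sdp) & ALLOWED_CODECS):
        return None  # offer rejected, but 'port' is never returned to the pool
    return port

def handle_offer_fixed(pool: RtpPortPool, sdp: str) -> Optional[int]:
    """Same flow, with the allocation reclaimed when the offer is rejected."""
    port = pool.allocate()
    if not (offered_codecs(sdp) & ALLOWED_CODECS):
        pool.release(port)
        return None
    return port

def ports_held_after(handler: Callable, offers: List[str]) -> int:
    """Run a batch of offers through a fresh pool; report how many ports stay allocated."""
    pool = RtpPortPool()
    for sdp in offers:
        handler(pool, sdp)
    return len(pool.in_use)

def sdp_offer(rtpmaps: List[str]) -> str:
    """Build a minimal constructed SDP audio offer around the given rtpmap lines."""
    pts = " ".join(line.split(":")[1].split()[0] for line in rtpmaps)
    return "\r\n".join(["v=0", "o=- 1 1 IN IP4 192.0.2.10", "s=-", "c=IN IP4 192.0.2.10",
                        "t=0 0", "m=audio 4000 RTP/AVP " + pts] + rtpmaps)

INCOMPATIBLE_OFFER = sdp_offer(["a=rtpmap:18 G729/8000", "a=rtpmap:3 GSM/8000"])
COMPATIBLE_OFFER = sdp_offer(["a=rtpmap:0 PCMU/8000", "a=rtpmap:18 G729/8000"])
```

Each rejected offer leaves one port behind in the leaky handler, so repeated rejections from an authenticated endpoint drain the pool; the fixed handler holds ports only for accepted offers.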
<br>
Resolution: The reported leak has been patched.<br>
<br>
Affected Versions<br>
Product, Release Series<br>
Asterisk Open Source 1.8.x: Unaffected<br>
Asterisk Open Source 11.x: Unaffected<br>
Asterisk Open Source 12.x: All versions<br>
Asterisk Open Source 13.x: All versions<br>
Certified Asterisk 1.8.28: Unaffected<br>
Certified Asterisk 11.6: Unaffected<br>
<br>
Corrected In<br>
Product, Release<br>
Asterisk Open Source: 12.8.1, 13.1.1<br>
<br>
Patches<br>
SVN URL, Revision<br>
<a href="http://downloads.asterisk.org/pub/security/AST-2015-001-12.diff" target="_blank">http://downloads.asterisk.org/pub/security/AST-2015-001-12.diff</a>: Asterisk 12<br>
<a href="http://downloads.asterisk.org/pub/security/AST-2015-001-13.diff" target="_blank">http://downloads.asterisk.org/pub/security/AST-2015-001-13.diff</a>: Asterisk 13<br>
<br>
Links <a href="https://issues.asterisk.org/jira/browse/ASTERISK-24666" target="_blank">https://issues.asterisk.org/jira/browse/ASTERISK-24666</a><br>
<br>
Asterisk Project Security Advisories are posted at<br>
<a href="http://www.asterisk.org/security" target="_blank">http://www.asterisk.org/security</a><br>
<br>
This document may be superseded by later versions; if so, the latest<br>
version will be posted at<br>
<a href="http://downloads.digium.com/pub/security/AST-2015-001.pdf" target="_blank">http://downloads.digium.com/pub/security/AST-2015-001.pdf</a> and<br>
<a href="http://downloads.digium.com/pub/security/AST-2015-001.html" target="_blank">http://downloads.digium.com/pub/security/AST-2015-001.html</a><br>
<br>
Revision History<br>
Date, Editor, Revisions Made<br>
9 January, 2015: Mark Michelson: Initial creation<br>
<br>
Copyright (c) 2015 Digium, Inc. All Rights Reserved.<br>
Permission is hereby granted to distribute and publish this advisory in its<br>
original, unaltered form.<br>
<br>
<br>
</div>