<div class="gmail_quote">---------- Forwarded message ----------<br>From: &quot;Asterisk Security Team&quot; &lt;<a href="mailto:security@asterisk.org">security@asterisk.org</a>&gt;<br>Date: 28/01/2015 21:32<br>Subject: [asterisk-dev] AST-2015-002: Mitigation for libcURL HTTP request injection vulnerability<br>To:  &lt;<a href="mailto:asterisk-dev@lists.digium.com">asterisk-dev@lists.digium.com</a>&gt;<br>Cc: <br><br type="attribution">               Asterisk Project Security Advisory - AST-2015-002<br>
<br>
         Product        Asterisk<br>
         Summary        Mitigation for libcURL HTTP request injection<br>
                        vulnerability<br>
    Nature of Advisory  HTTP request injection<br>
      Susceptibility    Remote Authenticated Sessions<br>
         Severity       Major<br>
      Exploits Known    No<br>
       Reported On      12 January, 2015<br>
       Reported By      Olle Johansson<br>
        Posted On       January 12, 2015<br>
     Last Updated On    January 28, 2015<br>
     Advisory Contact   Mark Michelson &lt;mmichelson AT digium DOT com&gt;<br>
         CVE Name       N/A.<br>
<br>
    Description  CVE-2014-8150 reported an HTTP request injection<br>
                 vulnerability in libcURL. Asterisk uses libcURL in its<br>
                 func_curl.so module (the CURL() dialplan function) and in<br>
                 its res_config_curl.so module (the cURL realtime backend).<br>
<br>
                 Since Asterisk may be configured to allow for user-supplied<br>
                 URLs to be passed to libcURL, it is possible that an<br>
                 attacker could use Asterisk as an attack vector to inject<br>
                 unauthorized HTTP requests if the version of libcURL<br>
                 installed on the Asterisk server is affected by<br>
                 CVE-2014-8150.<br>
<br>
    Resolution  Asterisk has been patched in the same way libcURL was for<br>
                CVE-2014-8150: carriage return and linefeed characters are<br>
                now rejected in any HTTP URL that will be passed to<br>
                libcURL.<br>
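An added illustration of the check the resolution describes, written for this page and not taken from the Asterisk patch: a URL string supplied from the dialplan or realtime configuration is scanned before it could reach libcURL, and any raw carriage return or line feed causes rejection. As a labelled extension beyond the advisory it also rejects other ASCII control bytes; the function and enum names are assumptions.<br>

```c
#include <stdio.h>
#include <stddef.h>
/* Outcome of validating a URL string before it is handed to libcURL. */
enum url_check {
    URL_OK = 0,       /* safe to pass to libcURL */
    URL_EMPTY,        /* NULL or zero-length URL */
    URL_HAS_CRLF,     /* raw CR or LF present: the AST-2015-002 condition */
    URL_HAS_CONTROL   /* other raw ASCII control byte (assumed extension) */
};
/* Scan a user-supplied URL byte by byte. Raw '\r' and '\n' are rejected, which
 * is the mitigation the advisory describes; as an assumed extension any other
 * ASCII control byte (0x00-0x1f, 0x7f) is rejected too. On rejection
 * *bad_offset receives the index of the first offending byte, on success the
 * URL length. Percent-encoded sequences such as "%0D%0A" are printable ASCII
 * and pass: libcURL sends them encoded, so they cannot split the request. */
enum url_check validate_curl_url(const char *url, size_t *bad_offset)
{
    size_t i = 0;
    enum url_check rc = URL_OK;
    if (url == NULL || url[0] == '\0') {
        rc = URL_EMPTY;
    } else {
        for (i = 0; url[i] != '\0'; i++) {
            unsigned char c = (unsigned char) url[i];
            if (c == '\r' || c == '\n') { rc = URL_HAS_CRLF; break; }
            if (c < 0x20 || c == 0x7f) { rc = URL_HAS_CONTROL; break; }
        }
    }
    if (bad_offset) *bad_offset = i;
    return rc;
}
/* Offset of the first rejected byte, or the URL length when nothing is rejected. */
size_t first_bad_byte(const char *url)
{
    size_t off;
    validate_curl_url(url, &off);
    return off;
}
/* Stand-alone demonstration over constructed sample URLs. */
int main(void)
{
    const char *samples[] = { "http://example.com/path?x=1", /* constructed: clean */
                              "http://example.com/a\r\nb",   /* constructed: raw CR LF */
                              "http://example.com/\tx", "" }; /* constructed: TAB, empty */
    size_t n;
    for (n = 0; n < sizeof(samples) / sizeof(samples[0]); n++)
        printf("sample %zu: result %d at offset %zu\n", n, (int) validate_curl_url(samples[n], NULL), first_bad_byte(samples[n]));
    return 0;
}
```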
<br>
                               Affected Versions<br>
          Product                 Release Series      Versions<br>
     Asterisk Open Source             1.8.x          All versions<br>
     Asterisk Open Source             11.x           All versions<br>
     Asterisk Open Source             12.x           All versions<br>
     Asterisk Open Source             13.x           All versions<br>
     Certified Asterisk               1.8.28         All versions<br>
     Certified Asterisk               11.6           All versions<br>
<br>
                                  Corrected In<br>
          Product                              Release<br>
    Asterisk Open Source          1.8.32.2, 11.15.1, 12.8.1, 13.1.1<br>
     Certified Asterisk               1.8.28-cert4, 11.6-cert10<br>
<br>
                                      Patches<br>
                                 SVN URL                               Revision<br>
   <a href="http://downloads.asterisk.org/pub/security/AST-2015-002-1.8.28.diff" target="_blank">http://downloads.asterisk.org/pub/security/AST-2015-002-1.8.28.diff</a>  Certified Asterisk 1.8.28<br>
   <a href="http://downloads.asterisk.org/pub/security/AST-2015-002-11.6.diff" target="_blank">http://downloads.asterisk.org/pub/security/AST-2015-002-11.6.diff</a>    Certified Asterisk 11.6<br>
   <a href="http://downloads.asterisk.org/pub/security/AST-2015-002-1.8.diff" target="_blank">http://downloads.asterisk.org/pub/security/AST-2015-002-1.8.diff</a>     Asterisk 1.8<br>
   <a href="http://downloads.asterisk.org/pub/security/AST-2015-002-11.diff" target="_blank">http://downloads.asterisk.org/pub/security/AST-2015-002-11.diff</a>      Asterisk 11<br>
   <a href="http://downloads.asterisk.org/pub/security/AST-2015-002-12.diff" target="_blank">http://downloads.asterisk.org/pub/security/AST-2015-002-12.diff</a>      Asterisk 12<br>
   <a href="http://downloads.asterisk.org/pub/security/AST-2015-002-13.diff" target="_blank">http://downloads.asterisk.org/pub/security/AST-2015-002-13.diff</a>      Asterisk 13<br>
<br>
    Links  <a href="https://issues.asterisk.org/jira/browse/ASTERISK-24676" target="_blank">https://issues.asterisk.org/jira/browse/ASTERISK-24676</a><br>
<br>
    Asterisk Project Security Advisories are posted at<br>
    <a href="http://www.asterisk.org/security" target="_blank">http://www.asterisk.org/security</a><br>
<br>
    This document may be superseded by later versions; if so, the latest<br>
    version will be posted at<br>
    <a href="http://downloads.digium.com/pub/security/AST-2015-002.pdf" target="_blank">http://downloads.digium.com/pub/security/AST-2015-002.pdf</a> and<br>
    <a href="http://downloads.digium.com/pub/security/AST-2015-002.html" target="_blank">http://downloads.digium.com/pub/security/AST-2015-002.html</a><br>
<br>
                                Revision History<br>
          Date            Editor                  Revisions Made<br>
    21 January, 2015  Mark Michelson  Initial creation of document<br>
<br>
               Asterisk Project Security Advisory - AST-2015-002<br>
              Copyright (c) 2015 Digium, Inc. All Rights Reserved.<br>
  Permission is hereby granted to distribute and publish this advisory in its<br>
                           original, unaltered form.<br>
<br>
<br>
</div>