open source
| Affected Versions |
|------------------------------------------------------------------------|
| Product | Release | |
| | Series | |
|----------------------------+---------+---------------------------------|
| Asterisk Open Source | 1.2.x | All versions prior to 1.2.35 |
|----------------------------+---------+---------------------------------|
| Asterisk Open Source | 1.4.x | All versions prior to 1.4.26.3 |
|----------------------------+---------+---------------------------------|
| Asterisk Open Source | 1.6.0.x | All versions prior to 1.6.0.17 |
|----------------------------+---------+---------------------------------|
"Corrected In" section, or apply a patch specified in the
"Patches" section.
Affected Versions
Product Release Series
Asterisk Open Source 1.4.x All Versions
Asterisk Open Source 1.6.2.x All Versions
Asterisk Open Source 1.8.x All Versions
Asterisk Open Source 10.x All Versions
Corrected In
| Affected Versions |
|------------------------------------------------------------------------|
| Product | Release | |
| | Series | |
|----------------------------+------------+------------------------------|
| Asterisk Open Source | 1.2.x | All versions prior to 1.2.34 |
|----------------------------+------------+------------------------------|
| Asterisk Open Source | 1.4.x | All versions prior to |
| | | 1.4.26.1 |
|----------------------------+------------+------------------------------|
| Asterisk Open Source | 1.6.0.x | All versions prior to |
+------------------------------------------------------------------------+
| Affected Versions |
|------------------------------------------------------------------------|
| Product | Release Series | |
|----------------------------------+----------------+--------------------|
| Asterisk Open Source | 1.2.x | All versions |
|----------------------------------+----------------+--------------------|
| Asterisk Open Source | 1.4.x | All versions |
|----------------------------------+----------------+--------------------|
| Asterisk Open Source | 1.6.x | All versions |
|----------------------------------+----------------+--------------------|
| Affected Versions |
|------------------------------------------------------------------------|
| Product | Release | |
| | Series | |
|----------------------------+---------+---------------------------------|
| Asterisk Open Source | 1.2.x | Not affected |
|----------------------------+---------+---------------------------------|
| Asterisk Open Source | 1.4.x | Versions 1.4.22, 1.4.23, |
| | | 1.4.23.1 |
|----------------------------+---------+---------------------------------|
| Asterisk Open Source | 1.6.0.x | All versions prior to 1.6.0.6 |
+------------------------------------------------------------------------+
| Affected Versions |
|------------------------------------------------------------------------|
| Product | Release Series | |
|----------------------------------+----------------+--------------------|
| Asterisk Open Source | 1.2.x | All versions |
|----------------------------------+----------------+--------------------|
| Asterisk Open Source | 1.4.x | All versions |
|----------------------------------+----------------+--------------------|
| Asterisk Open Source | 1.6.x | All versions |
|----------------------------------+----------------+--------------------|
Hi everyone,
we are pleased to announce a new project called oCERT, the Open Source
Computer Emergency Response Team.
The oCERT project is a public effort providing security handling support to
Open Source projects affected by security incidents or vulnerabilities, just
like national CERTs offer services for their respective countries.
| Affected Versions |
|------------------------------------------------------------------------|
| Product | Release | |
| | Series | |
|----------------------------+---------+---------------------------------|
| Asterisk Open Source | 1.2.x | Unaffected |
|----------------------------+---------+---------------------------------|
| Asterisk Open Source | 1.4.x | All versions prior to 1.4.26.3 |
|----------------------------+---------+---------------------------------|
| Asterisk Open Source | 1.6.0.x | All versions prior to 1.6.0.17 |
|----------------------------+---------+---------------------------------|
| Affected Versions |
|------------------------------------------------------------------------|
| Product | Release | |
| | Series | |
|----------------------------+---------+---------------------------------|
| Asterisk Open Source | 1.2.x | All versions prior to 1.2.31 |
|----------------------------+---------+---------------------------------|
| Asterisk Open Source | 1.4.x | All versions prior to |
| | | 1.4.23-rc4 |
|----------------------------+---------+---------------------------------|
| Asterisk Open Source | 1.6.x | All versions prior to |
| Affected Versions |
|------------------------------------------------------------------------|
| Product | Release | |
| | Series | |
|----------------------------+------------+------------------------------|
| Asterisk Open Source | 1.2.x | All versions prior to 1.2.32 |
|----------------------------+------------+------------------------------|
| Asterisk Open Source | 1.4.x | All versions prior to |
| | | 1.4.24.1 |
|----------------------------+------------+------------------------------|
| Asterisk Open Source | 1.6.0.x | All versions prior to |
| Affected Versions |
|------------------------------------------------------------------------|
| Product | Release | |
| | Series | |
|----------------------------+-------------+-----------------------------|
| Asterisk Open Source | 1.0.x | Not affected |
|----------------------------+-------------+-----------------------------|
| Asterisk Open Source | 1.2.x | All versions prior to |
| | | 1.2.26 |
|----------------------------+-------------+-----------------------------|
| Asterisk Open Source | 1.4.x | All versions prior to |
| Affected Versions |
|------------------------------------------------------------------------|
| Product | Release | |
| | Series | |
|-------------------------------+------------+---------------------------|
| Asterisk Open Source | 1.0.x | All versions |
|-------------------------------+------------+---------------------------|
| Asterisk Open Source | 1.2.x | All versions prior to |
| | | 1.2.28 |
|-------------------------------+------------+---------------------------|
| Asterisk Open Source | 1.4.x | All versions prior to |
Resolution Asterisk now performs the proper access check where appropriate
during the originate manager action.
Affected Versions
Product Release Series
Asterisk Open Source 1.4.x All versions
Asterisk Open Source 1.6.1.x All versions
Asterisk Open Source 1.6.2.x All versions
Asterisk Open Source 1.8.x All versions
Asterisk Business Edition C.x.x All versions
| Affected Versions |
|------------------------------------------------------------------------|
| Product | Release | |
| | Series | |
|----------------------------+-------------+-----------------------------|
| Asterisk Open Source | 1.0.x | Not affected |
|----------------------------+-------------+-----------------------------|
| Asterisk Open Source | 1.2.x | Not affected |
|----------------------------+-------------+-----------------------------|
| Asterisk Open Source | 1.4.x | All versions prior to |
| | | 1.4.19-rc3 |
Today we are excited to announce another community initiative--the Open
Source Software Security community (oss-security). This project is an
ongoing effort to manage security information in Open Source software by
building on the collaborative foundation of the open source model.
The purpose of oss-security is to encourage public discussion of security
flaws, concepts, and practices in the open source community. We don't want
to simply be an information clearinghouse, or to replace any of the current
security lists and groups. The goal is to fill an existing vacuum by
encouraging active participation of those interested in the ideas and
1 Methodology
____________________________________________________
For our analysis we used popular and well known PHP forum scripts with file
uploading functions. We did not survey scripts like bbPress and Vanilla,
which require plugins for file uploading.
In Open Source scripts, we analysed the code to find out about the
safeguards in place; the closed source scripts vB and WBB* were not
analysed on the source-code level.
We notified all vendors on April 30th. Vendors, who had not replied,
4
Introduction:
=============
VamCart is a Free, Open Source, CakePHP Based Shopping Cart Content Management System. VamCart is an Open Source Project under
the GNU GPL license with the following features ...
Easy Installation.
SEO - Search Engine Optimization.
Unlimited Categories, Products.
| Affected Versions |
|------------------------------------------------------------------------|
| Product | Release | |
| | Series | |
|----------------------------------+-------------+-----------------------|
| Asterisk Open Source | 1.0.x | All versions |
|----------------------------------+-------------+-----------------------|
| Asterisk Open Source | 1.2.x | All versions prior to |
| | | 1.2.30 |
|----------------------------------+-------------+-----------------------|
| Asterisk Open Source | 1.4.x | All versions prior to |
systems can be protected by disabling the vulnerable services
in their respective configuration files.
Affected Versions
Product Release Series
Asterisk Open Source 1.4.x All versions
Asterisk Open Source 1.6.1.x All versions
Asterisk Open Source 1.6.2.x All versions
Asterisk Open Source 1.8.x All versions
Asterisk Business Edition C.x.x All versions
| Affected Versions |
|------------------------------------------------------------------------|
| Product | Release | |
| | Series | |
|----------------------------------+-------------+-----------------------|
| Asterisk Open Source | 1.0.x | All versions |
|----------------------------------+-------------+-----------------------|
| Asterisk Open Source | 1.2.x | All versions prior to |
| | | 1.2.30 |
|----------------------------------+-------------+-----------------------|
| Asterisk Open Source | 1.4.x | All versions prior to |
strings passed to the URIENCODE dialplan function should be
limited in this manner.
Affected Versions
Product Release Series
Asterisk Open Source 1.2.x All versions
Asterisk Open Source 1.4.x All versions
Asterisk Open Source 1.6.x All versions
Asterisk Open Source 1.8.x All versions
Asterisk Business Edition C.x.x All versions
AsteriskNOW 1.5 All versions
| Affected Versions |
|------------------------------------------------------------------------|
| Product | Release | |
| | Series | |
|----------------------------------+--------------+----------------------|
| Asterisk Open Source | 1.0.x | All versions |
|----------------------------------+--------------+----------------------|
| Asterisk Open Source | 1.2.x | 1.2.24 and previous |
|----------------------------------+--------------+----------------------|
| Asterisk Open Source | 1.4.x | 1.4.14 and previous |
|----------------------------------+--------------+----------------------|
Resolution This issue can only be mitigated by upgrading to versions of
Asterisk that contain the patch or applying the patch.
Affected Versions
Product Release Series
Asterisk Open Source 1.8.x All Versions
Asterisk Open Source 10.x All Versions
Asterisk Open Source 11.x All Versions
Certified Asterisk 1.8.15 All Versions
Asterisk Business Edition C.3.x All Versions
Asterisk Digiumphones 10.x-digiumphones All Versions
#2009-014 Android denial-of-service issues
Description:
Android, an open source mobile phone platform, is affected by two bugs
that lead to denial-of-service (DoS) conditions.
Two separate DoS issues have been independently reported to oCERT.
The most recent report concerns Android handling of SMS messages: a
Resolution Asterisk now performs checks against manager commands that
cause these behaviors for each of the affected actions.
Affected Versions
Product Release Series
Asterisk Open Source 1.6.2.x All versions
Asterisk Open Source 1.8.x All versions
Asterisk Open Source 10.x All versions
Asterisk Business Edition C.3.x All versions
Corrected In
+------------------------------------------------------------------------+
| Affected Versions |
|------------------------------------------------------------------------|
| Product | Release Series | |
|----------------------------------+----------------+--------------------|
| Asterisk Open Source | 1.4.x | All versions |
|----------------------------------+----------------+--------------------|
| Asterisk Open Source | 1.6.2.x | All versions |
|----------------------------------+----------------+--------------------|
| Asterisk Open Source | 1.8.x | All versions |
|----------------------------------+----------------+--------------------|
#2009-003 LittleCMS integer errors
Description:
LittleCMS, an open source color management engine, suffers from several
integer errors, resulting in stack based buffer overflows and various heap
errors as well as dangerous memory leaks. Decoding a specially crafted
image file will result in unexpected process termination, Denial Of
Service conditions or arbitrary code execution due to stack overflow.
+------------------------------------------------------------------------+
+------------------------------------------------------------------------+
| Resolution | Since this is a minor issue, a new release is not |
| | immediately planned. However, the issue will be fixed in |
| | Asterisk Open Source version 1.4.12 when it is released. |
+------------------------------------------------------------------------+
+------------------------------------------------------------------------+
| Affected Versions |
|------------------------------------------------------------------------|
+------------------------------------------------------------------------+
| Affected Versions |
|------------------------------------------------------------------------|
| Product | Release Series | |
|-------------------------------+----------------+-----------------------|
| Asterisk Open Source | 1.2.x | Unaffected |
|-------------------------------+----------------+-----------------------|
| Asterisk Open Source | 1.4.x | Unaffected |
|-------------------------------+----------------+-----------------------|
| Asterisk Open Source | 1.6.x | All 1.6.1 versions |
|-------------------------------+----------------+-----------------------|
+------------------------------------------------------------------------+
| Affected Versions |
|------------------------------------------------------------------------|
| Product | Release Series | |
|----------------------------------+----------------+--------------------|
| Asterisk Open Source | 1.6.x | All versions |
|----------------------------------+----------------+--------------------|
| Asterisk Business Edition | C.3 | All versions |
+------------------------------------------------------------------------+
+------------------------------------------------------------------------+