Re: [SECURITY] [DSA 2550-1] asterisk security update

2012-09-26 Thread Daniel Reichelt

Hi Moritz

> Please test/report, whether the packages located at
> http://people.debian.org/~jmm/ fix the problem for you.

Could you please publish the source package as well?

And is this going to go into squeeze-updates eventually?


Cheers
Daniel

(@moritz: sry for double-posting...)


-- 
To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/5062e501.7040...@nachtgeist.net



Re: [SECURITY] [DSA 2550-1] asterisk security update

2012-09-25 Thread Herman van Rink
On 09/24/2012 07:25 PM, Moritz Mühlenhoff wrote:
> On Wed, Sep 19, 2012 at 12:07:15PM +0200, Michael Kozma wrote:
>> On 19/09/2012 12:00, Cyril Brulebois wrote:
>>> Michael, that should be “chan_sip” apparently?
>> Yes, sorry, but I have the same issue as Herman:
>>
>> monitoring*CLI> module load chan_sip
>> Unable to load module chan_sip
>> Command 'module load chan_sip' failed.
>> [Sep 19 12:05:21] WARNING[2245]: loader.c:435 load_dynamic_module:
>> Error loading module 'chan_sip':
>> /usr/lib/asterisk/modules/chan_sip.so: undefined symbol:
>> sip_pvt_lock_full
>> [Sep 19 12:05:21] WARNING[2245]: loader.c:801 load_resource: Module
>> 'chan_sip' could not be loaded.
> Please test/report, whether the packages located at
> http://people.debian.org/~jmm/ fix the problem for you.

Thanks, the server is running OK with these packages.

-- 

Met vriendelijke groet / Regards,

Herman van Rink
Initfour websolutions






Re: [SECURITY] [DSA 2550-1] asterisk security update

2012-09-25 Thread Michael Kozma

On 25/09/2012 08:24, Herman van Rink wrote:
> On 09/24/2012 07:25 PM, Moritz Mühlenhoff wrote:
>> On Wed, Sep 19, 2012 at 12:07:15PM +0200, Michael Kozma wrote:
>>> On 19/09/2012 12:00, Cyril Brulebois wrote:
>>>> Michael, that should be “chan_sip” apparently?
>>> Yes, sorry, but I have the same issue as Herman:
>>>
>>> monitoring*CLI> module load chan_sip
>>> Unable to load module chan_sip
>>> Command 'module load chan_sip' failed.
>>> [Sep 19 12:05:21] WARNING[2245]: loader.c:435 load_dynamic_module:
>>> Error loading module 'chan_sip':
>>> /usr/lib/asterisk/modules/chan_sip.so: undefined symbol:
>>> sip_pvt_lock_full
>>> [Sep 19 12:05:21] WARNING[2245]: loader.c:801 load_resource: Module
>>> 'chan_sip' could not be loaded.
>> Please test/report, whether the packages located at
>> http://people.debian.org/~jmm/ fix the problem for you.
>
> Thanks, the server is running OK with these packages.



It's ok for me too ;)

Thanks





Re: [SECURITY] [DSA 2550-1] asterisk security update

2012-09-24 Thread Moritz Mühlenhoff
On Wed, Sep 19, 2012 at 12:07:15PM +0200, Michael Kozma wrote:
> On 19/09/2012 12:00, Cyril Brulebois wrote:
>> Michael, that should be “chan_sip” apparently?
>
> Yes, sorry, but I have the same issue as Herman:
>
> monitoring*CLI> module load chan_sip
> Unable to load module chan_sip
> Command 'module load chan_sip' failed.
> [Sep 19 12:05:21] WARNING[2245]: loader.c:435 load_dynamic_module:
> Error loading module 'chan_sip':
> /usr/lib/asterisk/modules/chan_sip.so: undefined symbol:
> sip_pvt_lock_full
> [Sep 19 12:05:21] WARNING[2245]: loader.c:801 load_resource: Module
> 'chan_sip' could not be loaded.

Please test/report, whether the packages located at
http://people.debian.org/~jmm/ fix the problem for you.

Cheers,
Moritz





Re: [SECURITY] [DSA 2550-1] asterisk security update

2012-09-24 Thread Michael Kozma

On 24/09/2012 19:25, Moritz Mühlenhoff wrote:
> On Wed, Sep 19, 2012 at 12:07:15PM +0200, Michael Kozma wrote:
>> On 19/09/2012 12:00, Cyril Brulebois wrote:
>>> Michael, that should be “chan_sip” apparently?
>>
>> Yes, sorry, but I have the same issue as Herman:
>>
>> monitoring*CLI> module load chan_sip
>> Unable to load module chan_sip
>> Command 'module load chan_sip' failed.
>> [Sep 19 12:05:21] WARNING[2245]: loader.c:435 load_dynamic_module:
>> Error loading module 'chan_sip':
>> /usr/lib/asterisk/modules/chan_sip.so: undefined symbol:
>> sip_pvt_lock_full
>> [Sep 19 12:05:21] WARNING[2245]: loader.c:801 load_resource: Module
>> 'chan_sip' could not be loaded.
>
> Please test/report, whether the packages located at
> http://people.debian.org/~jmm/ fix the problem for you.
>
> Cheers,
> Moritz



Hello,

I have a 403 error when I try to download files :/


Thx





Re: [SECURITY] [DSA 2550-1] asterisk security update

2012-09-24 Thread Moritz Muehlenhoff
On Mon, Sep 24, 2012 at 09:38:15PM +0200, Michael Kozma wrote:
> On 24/09/2012 19:25, Moritz Mühlenhoff wrote:
>> On Wed, Sep 19, 2012 at 12:07:15PM +0200, Michael Kozma wrote:
>>> On 19/09/2012 12:00, Cyril Brulebois wrote:
>>>> Michael, that should be “chan_sip” apparently?
>>>
>>> Yes, sorry, but I have the same issue as Herman:
>>>
>>> monitoring*CLI> module load chan_sip
>>> Unable to load module chan_sip
>>> Command 'module load chan_sip' failed.
>>> [Sep 19 12:05:21] WARNING[2245]: loader.c:435 load_dynamic_module:
>>> Error loading module 'chan_sip':
>>> /usr/lib/asterisk/modules/chan_sip.so: undefined symbol:
>>> sip_pvt_lock_full
>>> [Sep 19 12:05:21] WARNING[2245]: loader.c:801 load_resource: Module
>>> 'chan_sip' could not be loaded.
>>
>> Please test/report, whether the packages located at
>> http://people.debian.org/~jmm/ fix the problem for you.
>>
>> Cheers,
>> Moritz
>
> Hello,
>
> I have a 403 error when I try to download files :/

Fixed.





Re: [SECURITY] [DSA 2550-1] asterisk security update

2012-09-19 Thread Herman van Rink
On 09/18/2012 11:40 PM, Michael Kozma wrote:
> On 18/09/2012 19:18, Moritz Muehlenhoff wrote:
>> -------------------------------------------------------------------------
>> Debian Security Advisory DSA-2550-1                   secur...@debian.org
>> http://www.debian.org/security/                        Moritz Muehlenhoff
>> September 18, 2012                     http://www.debian.org/security/faq
>> -------------------------------------------------------------------------
>>
>> Package        : asterisk
>> Vulnerability  : several
>> Problem type   : remote
>> Debian-specific: no
>> CVE ID         : CVE-2012-2186 CVE-2012-3812 CVE-2012-3863 CVE-2012-4737
>>
>> Several vulnerabilities were discovered in Asterisk, a PBX and telephony
>> toolkit, allowing privilege escalation in the Asterisk Manager, denial of
>> service or privilege escalation.
>>
>> More detailed information can be found in the Asterisk advisories:
>> http://downloads.asterisk.org/pub/security/AST-2012-010.html
>> http://downloads.asterisk.org/pub/security/AST-2012-011.html
>> http://downloads.asterisk.org/pub/security/AST-2012-012.html
>> http://downloads.asterisk.org/pub/security/AST-2012-013.html
>>
>> For the stable distribution (squeeze), these problems have been fixed in
>> version 1:1.6.2.9-2+squeeze7.
>>
>> For the testing distribution (wheezy) and the unstable distribution (sid),
>> these problems have been fixed in version 1:1.8.13.1~dfsg-1.
>>
>> We recommend that you upgrade your asterisk packages.
>>
>> Further information about Debian Security Advisories, how to apply
>> these updates to your system and frequently asked questions can be
>> found at: http://www.debian.org/security/
>>
>> Mailing list: debian-security-annou...@lists.debian.org
>
> Hello,
>
> I have an error with my sip config since I have updated the asterisk
> package:
>
> monitoring*CLI> module load sip
> Unable to load module sip
> Command 'module load sip' failed.
> [Sep 18 23:31:39] WARNING[7931]: loader.c:393 load_dynamic_module:
> Error loading module 'sip': /usr/lib/asterisk/modules/sip.so: cannot
> open shared object file: No such file or directory
> [Sep 18 23:31:39] WARNING[7931]: loader.c:801 load_resource: Module
> 'sip' could not be loaded.


I had a similar issue after this update, but not exactly.

[Sep 19 08:41:32] WARNING[8405] loader.c: Error loading module
'chan_sip.so': /usr/lib/asterisk/modules/chan_sip.so: undefined symbol:
sip_pvt_lock_full
[Sep 19 08:41:32] WARNING[8405] loader.c: Module 'chan_sip.so' could not
be loaded.


I've installed the previous version as a quick-fix, but something seems
to have gone wrong in the build.

dpkg -i /var/cache/apt/archives/asterisk_1%3a1.6.2.9-2+squeeze6_i386.deb \
  /var/cache/apt/archives/asterisk-config_1%3a1.6.2.9-2+squeeze6_all.deb \
  /var/cache/apt/archives/asterisk-sounds-main_1%3a1.6.2.9-2+squeeze6_all.deb

-- 

Met vriendelijke groet / Regards,

Herman van Rink
Initfour websolutions



Re: [SECURITY] [DSA 2550-1] asterisk security update

2012-09-19 Thread Cyril Brulebois
Hi.

Herman van Rink r...@initfour.nl (19/09/2012):
> On 09/18/2012 11:40 PM, Michael Kozma wrote:
>> Hello,
>>
>> I have an error with my sip config since I have updated the asterisk
>> package:
>>
>> monitoring*CLI> module load sip
>> Unable to load module sip
>> Command 'module load sip' failed.
>> [Sep 18 23:31:39] WARNING[7931]: loader.c:393 load_dynamic_module:
>> Error loading module 'sip': /usr/lib/asterisk/modules/sip.so: cannot
>> open shared object file: No such file or directory
>> [Sep 18 23:31:39] WARNING[7931]: loader.c:801 load_resource: Module
>> 'sip' could not be loaded.

Michael, that should be “chan_sip” apparently?

> I had a similar issue after this update, but not exactly.
>
> [Sep 19 08:41:32] WARNING[8405] loader.c: Error loading module
> 'chan_sip.so': /usr/lib/asterisk/modules/chan_sip.so: undefined symbol:
> sip_pvt_lock_full
> [Sep 19 08:41:32] WARNING[8405] loader.c: Module 'chan_sip.so' could not
> be loaded.

Herman, probably a consequence of debian/patches/AST-2012-010:
 
+static int reinvite_timeout(const void *data)
+{
…
+   struct ast_channel *owner = sip_pvt_lock_full(dialog);
…
+}
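
Review bot: in reinvite_timeout(), the added call sip_pvt_lock_full(dialog) depends on a function that this hunk does not add, and the loader warnings quoted in this thread show chan_sip.so failing on exactly that symbol. Add the definition of sip_pvt_lock_full() to the same patch, or use a locking helper that already exists in this branch, and build with -Werror=implicit-function-declaration so a missing helper fails at compile time instead of at module load.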

Looks like the patch is missing the addition of that needed function.

Added team@ in the loop, to make sure they see this.

Mraw,
KiBi.
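
A post-build check that would flag the failure diagnosed above, as an added example that is not part of the thread or of the Debian packaging: it compares the symbols a module imports with those its providers export. The function names, file names and sample symbol tables are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: list symbols a module imports that no provider exports.
# Works on saved `nm -D` text so it can run without the real binaries.

# unresolved NEEDED PROVIDER...
#   NEEDED:   output of `nm -D --undefined-only <module.so>`
#   PROVIDER: output of `nm -D --defined-only <binary or library>`
unresolved() {
    needed=$1; shift
    cat "$@" | awk -v needed="$needed" '
        function base(s) { sub(/@.*/, "", s); return s }  # drop @GLIBC_x.y
        NF >= 3 { defined[base($NF)] = 1 }                # "addr type name"
        END {
            while ((getline line < needed) > 0) {
                n = split(line, f, " ")
                if (n < 2 || f[n-1] != "U") continue      # skip weak (w, v)
                sym = base(f[n])
                if (!(sym in defined)) print sym
            }
        }' | sort -u
}

# Constructed sample data (addresses and symbol sets are made up for the demo).
demo() {
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/chan_sip.undef" <<'EOF'
                 U ast_log
                 U ast_sched_add
                 U memcpy@GLIBC_2.2.5
                 U sip_pvt_lock_full
                 w __gmon_start__
EOF
    cat > "$tmp/asterisk.def" <<'EOF'
000000000045a1c0 T ast_log
00000000004f2b10 T ast_sched_add
EOF
    cat > "$tmp/libc.def" <<'EOF'
000000000008b6f0 T memcpy@@GLIBC_2.2.5
EOF
    unresolved "$tmp/chan_sip.undef" "$tmp/asterisk.def" "$tmp/libc.def"
    rm -rf "$tmp"
}

demo
```

On a real system the inputs would come from `nm -D --undefined-only /usr/lib/asterisk/modules/chan_sip.so` and from `nm -D --defined-only` run on the asterisk binary and the libraries the module links against.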




Re: [SECURITY] [DSA 2550-1] asterisk security update

2012-09-19 Thread Michael Kozma

On 19/09/2012 12:00, Cyril Brulebois wrote:
> Michael, that should be “chan_sip” apparently?

Yes, sorry, but I have the same issue as Herman:

monitoring*CLI> module load chan_sip
Unable to load module chan_sip
Command 'module load chan_sip' failed.
[Sep 19 12:05:21] WARNING[2245]: loader.c:435 load_dynamic_module: Error
loading module 'chan_sip': /usr/lib/asterisk/modules/chan_sip.so:
undefined symbol: sip_pvt_lock_full
[Sep 19 12:05:21] WARNING[2245]: loader.c:801 load_resource: Module
'chan_sip' could not be loaded.


Thanks





Re: [SECURITY] [DSA 2550-1] asterisk security update

2012-09-18 Thread Michael Kozma

On 18/09/2012 19:18, Moritz Muehlenhoff wrote:


> -------------------------------------------------------------------------
> Debian Security Advisory DSA-2550-1                   secur...@debian.org
> http://www.debian.org/security/                        Moritz Muehlenhoff
> September 18, 2012                     http://www.debian.org/security/faq
> -------------------------------------------------------------------------
>
> Package        : asterisk
> Vulnerability  : several
> Problem type   : remote
> Debian-specific: no
> CVE ID         : CVE-2012-2186 CVE-2012-3812 CVE-2012-3863 CVE-2012-4737
>
> Several vulnerabilities were discovered in Asterisk, a PBX and telephony
> toolkit, allowing privilege escalation in the Asterisk Manager, denial of
> service or privilege escalation.
>
> More detailed information can be found in the Asterisk advisories:
> http://downloads.asterisk.org/pub/security/AST-2012-010.html
> http://downloads.asterisk.org/pub/security/AST-2012-011.html
> http://downloads.asterisk.org/pub/security/AST-2012-012.html
> http://downloads.asterisk.org/pub/security/AST-2012-013.html
>
> For the stable distribution (squeeze), these problems have been fixed in
> version 1:1.6.2.9-2+squeeze7.
>
> For the testing distribution (wheezy) and the unstable distribution (sid),
> these problems have been fixed in version 1:1.8.13.1~dfsg-1.
>
> We recommend that you upgrade your asterisk packages.
>
> Further information about Debian Security Advisories, how to apply
> these updates to your system and frequently asked questions can be
> found at: http://www.debian.org/security/
>
> Mailing list: debian-security-annou...@lists.debian.org




Hello,

I have an error with my sip config since I have updated the asterisk
package:


monitoring*CLI> module load sip
Unable to load module sip
Command 'module load sip' failed.
[Sep 18 23:31:39] WARNING[7931]: loader.c:393 load_dynamic_module: Error
loading module 'sip': /usr/lib/asterisk/modules/sip.so: cannot open
shared object file: No such file or directory
[Sep 18 23:31:39] WARNING[7931]: loader.c:801 load_resource: Module
'sip' could not be loaded.


The sip.so file is missing:

[root@monitoring:/home/michael]#file /usr/lib/asterisk/modules/sip.so
/usr/lib/asterisk/modules/sip.so: ERROR: cannot open 
`/usr/lib/asterisk/modules/sip.so' (No such file or directory)


These packages are updated by aptitude :

[MIS A JOUR] asterisk 1:1.6.2.9-2+squeeze6 - 1:1.6.2.9-2+squeeze7
[MIS A JOUR] asterisk-config 1:1.6.2.9-2+squeeze6 - 1:1.6.2.9-2+squeeze7
[MIS A JOUR] asterisk-dev 1:1.6.2.9-2+squeeze6 - 1:1.6.2.9-2+squeeze7
[MIS A JOUR] asterisk-sounds-main 1:1.6.2.9-2+squeeze6 - 
1:1.6.2.9-2+squeeze7



Thanks for your help.



Michael

