CVE-2014-8413

NameCVE-2014-8413
DescriptionThe res_pjsip_acl module in Asterisk Open Source 12.x before 12.7.1 and 13.x before 13.0.1 does not properly create and load ACLs defined in pjsip.conf at startup, which allows remote attackers to bypass intended PJSIP ACL rules.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
asterisk (PTS)jessie, jessie (lts)1:11.13.1~dfsg-2+deb8u8fixed
stretch (security)1:13.14.1~dfsg-2+deb9u6fixed
stretch (lts), stretch1:13.14.1~dfsg-2+deb9u10fixed
buster, buster (lts)1:16.28.0~dfsg-0+deb10u5fixed
buster (security)1:16.28.0~dfsg-0+deb10u4fixed
bullseye1:16.28.0~dfsg-0+deb11u4fixed
bullseye (security)1:16.28.0~dfsg-0+deb11u5fixed
sid1:22.1.0~dfsg+~cs6.14.60671435-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
asterisksourcesqueeze(not affected)
asterisksourcewheezy(not affected)
asterisksourcejessie(not affected)
asterisksource(unstable)1:13.1.0~dfsg-1

Notes

[jessie] - asterisk <not-affected> (PJSIP channel not available yet)
[wheezy] - asterisk <not-affected> (PJSIP channel not available yet)
[squeeze] - asterisk <not-affected> (PJSIP channel not available yet)
https://issues.asterisk.org/jira/browse/ASTERISK-24531
http://downloads.digium.com/pub/security/AST-2014-013.html

Search for package or bug name: Reporting problems