FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.

The VUXML data was last processed by FreshPorts on 2024-04-25 11:22:49 UTC

k68

These are the vulnerabilities relating to the commit you have selected:

VuXML ID: 1c0def84-5fb1-11db-b2e9-0008c79fa3d2
Description: asterisk -- remote heap overwrite vulnerability

Adam Boileau of Security-Assessment.com reports:

The Asterisk Skinny channel driver for Cisco SCCP phones (chan_skinny.so) incorrectly validates a length value in the packet header. An integer wrap-around leads to heap overwrite, and arbitrary remote code execution as root.


Discovery: 2006-10-17
Entry: 2006-10-20
Affected: asterisk, asterisk-bristuff < 1.2.13

http://www.security-assessment.com/files/advisories/Asterisk_remote_heap_overflow.pdf
http://marc.theaimsgroup.com/?l=bugtraq&m=116121567530170
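The length check the advisory describes, as an added example written for this page and not taken from Asterisk's chan_skinny code: a header length field is validated by adding the header size and comparing against the buffer, so a length near UINT32_MAX wraps to a small number and passes, while the fixed form subtracts instead and cannot wrap. HDR_LEN, MAX_MSG, the header layout and both sample headers are assumptions made for the demonstration.

```c
/* Added example (not Asterisk's code): the integer wrap-around bug class in
 * a length check, beside the fixed check. Header layout, HDR_LEN and MAX_MSG
 * are assumptions for the demonstration. Build: cc -std=c99 -Wall wrap.c */
#include <stdint.h>
#include <stdio.h>

#define HDR_LEN  8u      /* assumed: bytes of header preceding the payload */
#define MAX_MSG  1024u   /* assumed: size of the heap buffer the message is read into */

/* Vulnerable check: adds the header size before comparing. A length close to
 * UINT32_MAX wraps to a tiny value, passes, and the caller then reads ~4 GiB
 * into a MAX_MSG-byte buffer. */
int len_ok_vulnerable(uint32_t len)
{
    return (len + HDR_LEN) <= MAX_MSG;
}

/* Fixed check: the subtraction cannot wrap because HDR_LEN < MAX_MSG, so every
 * len above the real budget is rejected. */
int len_ok_fixed(uint32_t len)
{
    return len <= MAX_MSG - HDR_LEN;
}

static uint32_t read_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Constructed headers: a 4-byte little-endian length followed by 4 reserved bytes. */
const uint8_t kBenignHdr[HDR_LEN]  = { 0x10, 0x00, 0x00, 0x00,  0, 0, 0, 0 }; /* len = 16 */
const uint8_t kHostileHdr[HDR_LEN] = { 0xff, 0xff, 0xff, 0xff,  0, 0, 0, 0 }; /* len = 0xffffffff */

/* Pulls the length out of a header and applies the given check.
 * Returns 1 (accepted, length stored in *len_out when non-NULL) or 0 (rejected). */
int header_accepts(const uint8_t *hdr, int (*check)(uint32_t), uint32_t *len_out)
{
    uint32_t len = read_le32(hdr);
    if (!check(len))
        return 0;
    if (len_out)
        *len_out = len;
    return 1;
}

int main(void)
{
    uint32_t len;
    printf("benign  (len=16):         vulnerable=%d fixed=%d\n",
           header_accepts(kBenignHdr, len_ok_vulnerable, &len),
           header_accepts(kBenignHdr, len_ok_fixed, &len));
    printf("hostile (len=0xffffffff): vulnerable=%d fixed=%d\n",
           header_accepts(kHostileHdr, len_ok_vulnerable, &len),
           header_accepts(kHostileHdr, len_ok_fixed, &len));
    return 0;
}
```

With the vulnerable check the hostile header is accepted, and a socket reader that trusts that decision would keep reading attacker-controlled bytes past the end of a 1024-byte heap allocation; the fixed check rejects it. The same reasoning applies when the length field is read into a signed integer: a negative value passes an addition-based comparison for the same reason, so the check must be written so that no arithmetic on attacker-controlled input precedes the comparison.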
VuXML ID: 27c331d5-64c7-11d8-80e3-0020ed76ef5a
Description: Vulnerabilities in H.323 implementations

The NISCC and the OUSPG developed a test suite for the H.323 protocol. This test suite has uncovered vulnerabilities in several H.323 implementations with impacts ranging from denial-of-service to arbitrary code execution.

In the FreeBSD Ports Collection, `pwlib' is directly affected. Other applications such as `asterisk' and `openh323' incorporate `pwlib' statically and so are also independently affected.


Discovery: 2004-01-13
Entry: 2004-02-22
Modified: 2004-06-08
Affected: pwlib < 1.5.0_5
Affected: asterisk <= 0.7.2
Affected: openh323 < 1.12.0_4

http://www.uniras.gov.uk/vuls/2004/006489/h323.htm
http://www.ee.oulu.fi/research/ouspg/protos/testing/c07/h2250v4/index.html
CERT advisory CA-2004-01
CERT VU#749342
CVE-2004-0097
http://www.southeren.com/blog/archives/000055.html
VuXML ID: 4c1ac2dd-c788-11e1-be25-14dae9ebcf89
Description: asterisk -- multiple vulnerabilities

Asterisk project reports:

Possible resource leak on uncompleted re-invite transactions.

Remote crash vulnerability in voice mail application.


Discovery: 2012-07-05
Entry: 2012-07-06
Modified: 2012-08-30
Affected: asterisk > 10.*, < 10.5.2
Affected: asterisk18 > 1.8.*, < 1.8.13.1

CVE-2012-3812
http://downloads.digium.com/pub/security/AST-2012-010.html
http://downloads.digium.com/pub/security/AST-2012-011.html
https://www.asterisk.org/security
VuXML ID: 4c53f007-f2ed-11e1-a215-14dae9ebcf89
Description: asterisk -- multiple vulnerabilities

Asterisk project reports:

Asterisk Manager User Unauthorized Shell Access

ACL rules ignored when placing outbound calls by certain IAX2 users


Discovery: 2012-08-30
Entry: 2012-08-30
Affected: asterisk > 10.*, < 10.7.1
Affected: asterisk18 > 1.8.*, < 1.8.15.1

CVE-2012-2186
CVE-2012-4737
http://downloads.digium.com/pub/security/AST-2012-012.html
http://downloads.digium.com/pub/security/AST-2012-013.html
https://www.asterisk.org/security
VuXML ID: 559f3d1b-cb1d-11e5-80a4-001999f8d30b
Description: asterisk -- Multiple vulnerabilities

The Asterisk project reports:

AST-2016-001 - BEAST vulnerability in HTTP server

AST-2016-002 - File descriptor exhaustion in chan_sip

AST-2016-003 - Remote crash vulnerability when receiving UDPTL FAX data


Discovery: 2016-02-03
Entry: 2016-02-04
Modified: 2016-03-07
Affected: asterisk < 1.8.32.3_5
Affected: asterisk11 < 11.21.1
Affected: asterisk13 < 13.7.1

http://downloads.asterisk.org/pub/security/AST-2016-001.html
CVE-2011-3389
http://downloads.asterisk.org/pub/security/AST-2016-002.html
CVE-2016-2316
http://downloads.asterisk.org/pub/security/AST-2016-003.html
CVE-2016-2232
VuXML ID: 5fee3f02-de37-11e4-b7c3-001999f8d30b
Description: asterisk -- TLS Certificate Common name NULL byte exploit

The Asterisk project reports:

When Asterisk registers to a SIP TLS device and verifies the server, Asterisk will accept signed certificates that match a common name other than the one Asterisk is expecting if the signed certificate has a common name containing a null byte after the portion of the common name that Asterisk expected. For example, if Asterisk is trying to register to www.domain.com, Asterisk will accept certificates of the form www.domain.com\x00www.someotherdomain.com


Discovery: 2015-04-04
Entry: 2015-04-08
Affected: asterisk < 1.8.32.3
Affected: asterisk11 < 11.17.1
Affected: asterisk13 < 13.3.2

http://downloads.asterisk.org/pub/security/AST-2015-003.html
CVE-2015-3008
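The matching flaw the advisory describes, as an added example written for this page (not Asterisk's or OpenSSL's code): a certificate parser hands back the Common Name as bytes plus an explicit length, and comparing it with a C-string routine stops at the first NUL, so the certificate for www.domain.com\x00www.someotherdomain.com passes for www.domain.com. The asn1_string struct and both sample CNs are constructed for the demonstration.

```c
/* Added example (not Asterisk's code): matching a certificate Common Name as
 * a NUL-terminated C string versus as a length-delimited ASN.1 string.
 * The struct and sample CNs are constructed for the demonstration.
 * Build: cc -std=c99 -Wall cn.c */
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* A CN as it comes out of an X.509 certificate: bytes plus an explicit length.
 * ASN.1 strings can legitimately carry any byte, including NUL. */
struct asn1_string {
    const unsigned char *data;
    size_t len;
};

/* Vulnerable match: hands the bytes to a C-string routine, which stops at the
 * first NUL. A CN of "www.domain.com\0www.someotherdomain.com" therefore
 * matches "www.domain.com", although the CA saw and signed the whole value. */
int cn_matches_vulnerable(const struct asn1_string *cn, const char *expected)
{
    return strcasecmp((const char *)cn->data, expected) == 0;
}

/* Fixed match: refuses any CN with an embedded NUL (no hostname contains one),
 * then compares the entire ASN.1 length, not just up to the first NUL. */
int cn_matches_fixed(const struct asn1_string *cn, const char *expected)
{
    size_t elen = strlen(expected);
    if (memchr(cn->data, '\0', cn->len) != NULL)
        return 0;
    if (cn->len != elen)
        return 0;
    return strncasecmp((const char *)cn->data, expected, elen) == 0;
}

/* Constructed CNs. sizeof - 1 keeps the embedded NUL inside the ASN.1 length,
 * exactly as a certificate parser would report it. */
static const unsigned char kHonestCnBytes[] = "www.domain.com";
static const unsigned char kForgedCnBytes[] = "www.domain.com\0www.someotherdomain.com";
const struct asn1_string kHonestCn = { kHonestCnBytes, sizeof(kHonestCnBytes) - 1 };
const struct asn1_string kForgedCn = { kForgedCnBytes, sizeof(kForgedCnBytes) - 1 };

int main(void)
{
    const char *expected = "www.domain.com";
    printf("honest CN: vulnerable=%d fixed=%d\n",
           cn_matches_vulnerable(&kHonestCn, expected),
           cn_matches_fixed(&kHonestCn, expected));
    printf("forged CN: vulnerable=%d fixed=%d\n",
           cn_matches_vulnerable(&kForgedCn, expected),
           cn_matches_fixed(&kForgedCn, expected));
    return 0;
}
```

The fixed version treats an embedded NUL as a hard failure rather than trying to compare around it: a CN containing one names a host no DNS can have, and there is no legitimate reason to accept it. The same length-aware comparison belongs on subjectAltName dNSName entries, which a verifier should consult before falling back to the CN.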
VuXML ID: 7656fc62-a7a7-11e4-96ba-001999f8d30b
Description: asterisk -- Mitigation for libcURL HTTP request injection vulnerability

The Asterisk project reports:

CVE-2014-8150 reported an HTTP request injection vulnerability in libcURL. Asterisk uses libcURL in its func_curl.so module (the CURL() dialplan function), as well as in its res_config_curl.so (cURL realtime backend) module.

Since Asterisk may be configured to allow for user-supplied URLs to be passed to libcURL, it is possible that an attacker could use Asterisk as an attack vector to inject unauthorized HTTP requests if the version of libcURL installed on the Asterisk server is affected by CVE-2014-8150.


Discovery: 2015-01-12
Entry: 2015-01-29
Affected: asterisk < 1.8.32.2
Affected: asterisk11 < 11.15.1
Affected: asterisk13 < 13.1.1

http://downloads.asterisk.org/pub/security/AST-2015-002.html
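How a CR/LF in a user-supplied URL turns into an extra HTTP request, and the pre-flight check that keeps such a URL away from the HTTP client, as an added example written for this page (not Asterisk's or libcURL's code). The host name, both paths and the request formatting are constructed for the demonstration; the injected path in kEvilPath is made up and is not an Asterisk endpoint.

```c
/* Added example (not Asterisk's or libcURL's code): what a CR/LF in a
 * user-supplied URL does to a naively formatted HTTP request, and the
 * check that rejects such URLs. Host and paths are constructed.
 * Build: cc -std=c99 -Wall crlf.c */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Mitigation: refuse any URL carrying a control byte (CR and LF included)
 * before it reaches the HTTP client. */
int url_is_clean(const char *url)
{
    for (; *url != '\0'; url++) {
        if (iscntrl((unsigned char)*url))
            return 0;
    }
    return 1;
}

/* Formats a request the way a client that does not encode the path would.
 * Returns bytes written, or -1 if the buffer is too small. */
int build_request(char *out, size_t out_len, const char *host, const char *path)
{
    int n = snprintf(out, out_len, "GET %s HTTP/1.1\r\nHost: %s\r\n\r\n", path, host);
    if (n < 0 || (size_t)n >= out_len)
        return -1;
    return n;
}

/* Counts request lines: "GET " at the start of the buffer or right after a
 * line break. More than one means a second request was smuggled in. */
int count_requests(const char *req)
{
    int count = 0;
    const char *p = req;
    while ((p = strstr(p, "GET ")) != NULL) {
        if (p == req || p[-1] == '\n')
            count++;
        p += 4;
    }
    return count;
}

/* Builds a request for the given path and reports how many requests the
 * server would actually see. Returns -1 if the request did not fit. */
int requests_seen_by_server(const char *host, const char *path)
{
    char buf[512];
    if (build_request(buf, sizeof buf, host, path) < 0)
        return -1;
    return count_requests(buf);
}

/* Constructed inputs: a benign path and one that terminates the first request
 * and starts a second one the caller never intended. */
const char kHost[]       = "pbx.example";
const char kBenignPath[] = "/lookup?caller=2125551234";
const char kEvilPath[]   = "/lookup?caller=x HTTP/1.1\r\nHost: pbx.example\r\n\r\n"
                           "GET /admin/delete?mailbox=100";

int main(void)
{
    printf("benign path: clean=%d requests=%d\n",
           url_is_clean(kBenignPath), requests_seen_by_server(kHost, kBenignPath));
    printf("evil path:   clean=%d requests=%d\n",
           url_is_clean(kEvilPath), requests_seen_by_server(kHost, kEvilPath));
    return 0;
}
```

The check is deliberately coarse: it rejects every control byte rather than only CR and LF, because the cost of refusing an odd but harmless URL is far lower than the cost of letting a dialplan variable terminate a request line. Where a dialplan must pass caller-controlled data in a URL, the value belongs in a percent-encoded query parameter, not spliced into the path.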
VuXML ID: 76c7a0f5-5928-11e4-adc7-001999f8d30b
Description: asterisk -- Asterisk Susceptibility to POODLE Vulnerability

The Asterisk project reports:

The POODLE vulnerability is described under CVE-2014-3566. This advisory describes the Asterisk project's susceptibility to this vulnerability.


Discovery: 2014-10-20
Entry: 2014-10-21
Affected: asterisk < 1.8.31.1
Affected: asterisk11 < 11.13.1

http://downloads.asterisk.org/pub/security/AST-2014-011.html
CVE-2014-3566
VuXML ID: 8b683bea-d49c-11da-a672-000e0c2e438a
Description: asterisk -- denial of service vulnerability, local system access

Emmanouel Kellenis reports a denial of service vulnerability within asterisk. The vulnerability is caused by a buffer overflow in "format_jpeg.c". A large JPEG image could trigger this bug, potentially allowing a local attacker to execute arbitrary code.


Discovery: 2006-04-07
Entry: 2006-04-25
Affected: asterisk < 1.2.7

Bugtraq ID 17561
CVE-2006-1827
http://www.cipher.org.uk/index.php?p=advisories/Asterisk_Codec_Integer_Overflow_07-04-2006.advisory
VuXML ID: a92ed304-716c-11e4-b008-001999f8d30b
Description: asterisk -- Multiple vulnerabilities

The Asterisk project reports:

AST-2014-012 - Mixed IP address families in access control lists may permit unwanted traffic.

AST-2014-018 - AMI permission escalation through DB dialplan function.


Discovery: 2014-11-21
Entry: 2014-11-21
Affected: asterisk < 1.8.32.1
Affected: asterisk11 < 11.14.1

http://downloads.asterisk.org/pub/security/AST-2014-012.html
CVE-2014-8412
http://downloads.asterisk.org/pub/security/AST-2014-018.html
CVE-2014-8418
VuXML ID: a95092a6-f8f1-11e0-a7ea-00215c6a37bb
Description: asterisk -- remote crash vulnerability in SIP channel driver

Asterisk project reports:

A remote authenticated user can cause a crash with a malformed request due to an uninitialized variable.


Discovery: 2011-10-17
Entry: 2011-10-17
Affected: asterisk18 > 1.8.*, < 1.8.7.1
Affected: asterisk > 10.0.0.*, < 10.0.0.r1

CVE-2011-4063