VDB
GCVE-110-MAGEIA-2014-490
GCVE-110-MAGEIA-2014-490
Advisory Published
Updated asterisk packages fix security vulnerabilities:
In Asterisk Open Source 11.x before 11.12.1, when an out of call message,
delivered by either the SIP or PJSIP channel driver or the XMPP stack, is
handled in Asterisk, a crash can occur if the channel servicing the message
is sent into the ReceiveFax dialplan application while using the
res_fax_spandsp module (CVE-2014-6610).
In Asterisk Open Source 11.x before 11.13.1, the res_jabber and res_xmpp
module both use SSLv3 exclusively, and are hence susceptible to
CVE-2014-3566, a.k.a. POODLE. Also, the core TLS handling, used by the
chan_sip channel driver, Asterisk Manager Interface (AMI), and the Asterisk
HTTP server, defaults to allowing SSLv3/SSLv2 fallback. This allows a MITM
to potentially force a connection to fallback to SSLv3, exposing it to the
POODLE vulnerability.
Asterisk has been updated to version 11.14.1, which fixes the CVE-2014-6610
issue, and in which it no longer uses SSLv3 for the res_jabber/res_xmpp
modules. Additionally, when the encryption method is not specified, the
default handling in the TLS core no longer allows for a fallback to SSLv3
or SSLv2. These changes mitigate the POODLE vulnerability.
Other security issues fixed in 11.14.1 include:
Mixed IP address families in access control lists may permit unwanted
traffic (AST-2014-012)
High call load may result in hung channels in ConfBridge (AST-2014-014).
Permission escalation through ConfBridge actions/dialplan functions
(AST-2014-017).
The DB dialplan function when executed from an external protocol (for
instance AMI), could result in a privilege escalation (AST-2014-018).
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| Mageia | asterisk | 11.14.1-1.mga4 (unaffected), 0 (affected) | — |
| Mageia | asterisk | 11.14.1-1.mga3 (unaffected), 0 (affected) | — |
Aliases
References
Browse GCVE Records
73,053 records in the GCVE database · Updated July 16, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.