Candidate: CVE-2015-3008
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3008
http://downloads.asterisk.org/pub/security/AST-2015-003.html
https://issues.asterisk.org/jira/browse/ASTERISK-24847
http://www.securitytracker.com/id/1032052
http://seclists.org/fulldisclosure/2015/Apr/22
http://packetstormsecurity.com/files/131364/Asterisk-Project-Security-Advisory-AST-2015-003.html
Asterisk Open Source 1.8 before 1.8.32.3, 11.x before 11.17.1, 12.x before
12.8.2, and 13.x before 13.3.2 and Certified Asterisk 1.8.28 before
1.8.28-cert5, 11.6 before 11.6-cert11, and 13.1 before 13.1-cert2, when
registering a SIP TLS device, does not properly handle a null byte in a
domain name in the subject's Common Name (CN) field of an X.509
certificate, which allows man-in-the-middle attackers to spoof arbitrary
SSL servers via a crafted certificate issued by a legitimate Certification
Discovered-by: Maciej Szmigiero
upstream: http://downloads.asterisk.org/pub/security/AST-2015-003-1.8.diff
upstream: http://downloads.asterisk.org/pub/security/AST-2015-003-11.diff
upstream: http://downloads.asterisk.org/pub/security/AST-2015-003-13.diff
upstream_asterisk: released (1.8.32.3, 11.17.1, 13.3.2)
lucid_asterisk: ignored (reached end-of-life)
precise_asterisk: ignored (reached end-of-life)
precise/esm_asterisk: DNE (precise was needed)
trusty_asterisk: needed
utopic_asterisk: ignored (reached end-of-life)
vivid_asterisk: ignored (reached end-of-life)
vivid/stable-phone-overlay_asterisk: DNE
vivid/ubuntu-core_asterisk: DNE
wily_asterisk: ignored (reached end-of-life)
xenial_asterisk: needed
yakkety_asterisk: ignored (reached end-of-life)
zesty_asterisk: ignored (reached end-of-life)
artful_asterisk: needed
bionic_asterisk: needed
devel_asterisk: needed