Category Archives: Advisories

Certified Asterisk Security Release certified-18.9-cert13

Read Time:22 Second

Posted by Asterisk Development Team via Fulldisclosure on Jan 15

The Asterisk Development Team would like to announce security release
Certified Asterisk 18.9-cert13.

The release artifacts are available for immediate download at
https://github.com/asterisk/asterisk/releases/tag/certified-18.9-cert13
and
https://downloads.asterisk.org/pub/telephony/certified-asterisk

Repository: https://github.com/asterisk/asterisk
Tag: certified-18.9-cert13

## Change Log for Release asterisk-certified-18.9-cert13

###…

Read More

Asterisk Security Release 22.1.1

Read Time:22 Second

Posted by Asterisk Development Team via Fulldisclosure on Jan 15

The Asterisk Development Team would like to announce security release
Asterisk 22.1.1.

The release artifacts are available for immediate download at
https://github.com/asterisk/asterisk/releases/tag/22.1.1
and
https://downloads.asterisk.org/pub/telephony/asterisk

Repository: https://github.com/asterisk/asterisk
Tag: 22.1.1

## Change Log for Release asterisk-22.1.1

### Links:

– [Full ChangeLog](…

Read More

Asterisk Security Release 18.26.1

Read Time:22 Second

Posted by Asterisk Development Team via Fulldisclosure on Jan 15

The Asterisk Development Team would like to announce security release
Asterisk 18.26.1.

The release artifacts are available for immediate download at
https://github.com/asterisk/asterisk/releases/tag/18.26.1
and
https://downloads.asterisk.org/pub/telephony/asterisk

Repository: https://github.com/asterisk/asterisk
Tag: 18.26.1

## Change Log for Release asterisk-18.26.1

### Links:

– [Full ChangeLog](…

Read More

[asterisk-dev] Asterisk Security Release 21.6.1

Read Time:21 Second

Posted by Asterisk Development Team on Jan 15

The Asterisk Development Team would like to announce security release
Asterisk 21.6.1.

The release artifacts are available for immediate download at
https://github.com/asterisk/asterisk/releases/tag/21.6.1
and
https://downloads.asterisk.org/pub/telephony/asterisk

Repository: https://github.com/asterisk/asterisk
Tag: 21.6.1

## Change Log for Release asterisk-21.6.1

### Links:

– [Full ChangeLog](…

Read More

[asterisk-dev] Asterisk Security Release 20.11.1

Read Time:21 Second

Posted by Asterisk Development Team on Jan 15

The Asterisk Development Team would like to announce security release
Asterisk 20.11.1.

The release artifacts are available for immediate download at
https://github.com/asterisk/asterisk/releases/tag/20.11.1
and
https://downloads.asterisk.org/pub/telephony/asterisk

Repository: https://github.com/asterisk/asterisk
Tag: 20.11.1

## Change Log for Release asterisk-20.11.1

### Links:

– [Full ChangeLog](…

Read More

Rsync File Synchronization Tool Vulnerabilities

Read Time:1 Minute, 15 Second

What are the Vulnerabilities?Six security vulnerabilities have been disclosed in the popular Rsync tool, an open-source file synchronization and data transferring tool utilized for its ability to perform incremental transfers, reducing data transfer times and bandwidth usage. Several popular backup software such as Rclone, DeltaCopy, and ChronoSync use Rsync for file synchronization. The vulnerabilities are present within versions 3.3.0 and below and includes heap-buffer overflow, information disclosure, file leak, external directory file-write, and symbolic-link race condition. CVE-2024-12084- Heap-buffer overflow in Rsync due to improper checksum length handling CVE-2024-12085- Information leak via uninitialized stack contents CVE-2024-12086- Rsync server leaks arbitrary client files CVE-2024-12087- Path traversal vulnerability in Rsync CVE-2024-12088- Safe-links option bypass that leads to path traversal CVE-2024-12747- Race condition in Rsync when handling symbolic linksCERT/CC also mentioned that an attacker could combine CVE-2024-12084 and CVE-2024-12085 to achieve arbitrary code execution on a client that has a Rsync server running. Read more at VU#952657What is the recommended Mitigation?Users are advised to apply the latest patches available at GitHub – RsyncProjectWhat FortiGuard Coverage is available?FortiGuard recommends users to apply the fix provided by the vendor and follow any mitigation as mentioned on VU#952657FortiGuard protection is being reviewed, and this Threat Signal will be updated accordingly as it becomes available.The FortiGuard Incident Response team can be engaged to help with any suspected compromise.

Read More

USN-7173-3: Linux kernel (Raspberry Pi) vulnerabilities

Read Time:42 Second

Ziming Zhang discovered that the DRM driver for VMware Virtual GPU did not
properly handle certain error conditions, leading to a NULL pointer
dereference. A local attacker could possibly trigger this vulnerability to
cause a denial of service. (CVE-2022-38096)

Several security issues were discovered in the Linux kernel.
An attacker could possibly use these to compromise the system.
This update corrects flaws in the following subsystems:
– GPU drivers;
– Network drivers;
– SCSI subsystem;
– Ext4 file system;
– Bluetooth subsystem;
– Memory management;
– Amateur Radio drivers;
– Network traffic control;
– Sun RPC protocol;
– VMware vSockets driver;
(CVE-2023-52821, CVE-2024-40910, CVE-2024-43892, CVE-2024-49967,
CVE-2024-50264, CVE-2024-36952, CVE-2024-38553, CVE-2021-47101,
CVE-2021-47001, CVE-2024-35965, CVE-2024-35963, CVE-2024-35966,
CVE-2024-35967, CVE-2024-53057, CVE-2024-38597)

Read More

Multiple Vulnerabilities in Rsync Could Allow for Remote Code Execution

Read Time:39 Second

Multiple vulnerabilities have been discovered in Rsync, the most severe of which could allow for remote code execution. Rsync is an open-source file synchronization and data transferring tool valued for its ability to perform incremental transfers, reducing data transfer times and bandwidth usage. The tool is utilized extensively by backup systems like Rclone, DeltaCopy, ChronoSync, public file distribution repositories, and cloud and server management operations. Successful exploitation of the most severe of these vulnerabilities could allow for remote code execution in the context of the system. Depending on the privileges associated with the system, an attacker could then install programs; view, change, or delete data. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

Read More