Bug 926548 (CVE-2015-3008)

Summary: VUL-0: CVE-2015-3008 asterisk: TLS Certificate Common name NULL byte exploit
Product: [openSUSE] openSUSE.org Reporter: Andreas Stieger <astieger>
Component: 3rd party software    Assignee: Jan Engelhardt <jengelh>
Status: RESOLVED FIXED QA Contact: E-mail List <opensuse-communityscreening>
Severity: Normal    
Priority: P5 - None CC: chris, jengelh, mcaj
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: openSUSE 13.2   
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Andreas Stieger 2015-04-09 10:09:10 UTC
Not in openSUSE or SLE, reported against network:telephony:asterisk-*

The following flaw was found in asterisk:

When Asterisk registers to a SIP TLS device and verifies the server, Asterisk will accept signed certificates that match a common name other than the one Asterisk is expecting if the signed certificate has a common name containing a null byte after the portion of the common name that Asterisk expected. For example, if Asterisk is trying to register to www.domain.com, Asterisk will accept certificates of the form www.domain.com\x00www.someotherdomain.com - for more information on this exploit, see https://fotisl.com/blog/2009/10/the-null-certificate-prefix-bug/

This issue is fixed in asterisk versions 11.17.1, 12.8.2, 13.3.2

Upstream advisory:


Upstream issue:




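The defect described above comes down to how the certificate's Common Name is compared against the expected hostname. The following is an added example, not Asterisk's code or its fix: a NUL-terminated comparison that stops at the embedded NUL beside a length-aware check that uses the decoded ASN.1 length and rejects any embedded NUL. The sample CN and the helper names are constructed for this illustration.

```c
#include <stddef.h>
#include <string.h>

/* Constructed sample: a Common Name as decoded from the certificate's ASN.1,
 * carrying an explicit length. The expected host is "www.domain.com"; the CN
 * contains an embedded NUL followed by a second name, as in the report. */
static const unsigned char SAMPLE_CN[] =
    "www.domain.com\0www.someotherdomain.com";
static const size_t SAMPLE_CN_LEN = sizeof(SAMPLE_CN) - 1; /* drop the trailing NUL */
static const char *EXPECTED_HOST = "www.domain.com";

/* Naive check: treats the CN as a C string, so the comparison stops at the
 * first NUL and the tail after it is never examined. Returns 1 on match. */
int cn_matches_naive(const unsigned char *cn, size_t cn_len, const char *expected)
{
    (void)cn_len; /* the decoded length is ignored: that is the defect */
    return strcmp((const char *)cn, expected) == 0;
}

/* Length-aware check: refuses a CN with an embedded NUL (no valid DNS name
 * contains one) and compares over the full decoded length. Returns 1 on match. */
int cn_matches_safe(const unsigned char *cn, size_t cn_len, const char *expected)
{
    size_t expected_len = strlen(expected);
    if (memchr(cn, '\0', cn_len) != NULL)
        return 0;                      /* embedded NUL: malformed, reject */
    if (cn_len != expected_len)
        return 0;                      /* different length: different name */
    return memcmp(cn, expected, cn_len) == 0;
}

/* Runs both checks on the constructed sample. Returns 1 only when the naive
 * check accepts the certificate while the length-aware check rejects it. */
int sample_demonstrates_bug(void)
{
    int naive = cn_matches_naive(SAMPLE_CN, SAMPLE_CN_LEN, EXPECTED_HOST);
    int safe = cn_matches_safe(SAMPLE_CN, SAMPLE_CN_LEN, EXPECTED_HOST);
    return naive == 1 && safe == 0;
}
```

Real hostname verification also has to consult subjectAltName entries, match DNS names case-insensitively and handle wildcards; this block isolates only the NUL-termination defect.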
Comment 2 Jan Engelhardt 2015-04-09 11:01:57 UTC