Bugzilla – Bug 926548
VUL-0: CVE-2015-3008 asterisk: TLS Certificate Common name NULL byte exploit
Last modified: 2015-04-09 11:01:57 UTC
Not in openSUSE or SLE, reported against network:telephony:asterisk-*

The following flaw was found in asterisk:

When Asterisk registers to a SIP TLS device and verifies the server, Asterisk will accept signed certificates that match a common name other than the one Asterisk is expecting if the signed certificate has a common name containing a null byte after the portion of the common name that Asterisk expected. For example, if Asterisk is trying to register to www.domain.com, Asterisk will accept certificates of the form www.domain.com\x00www.someotherdomain.com. For more information on this exploit, see https://fotisl.com/blog/2009/10/the-null-certificate-prefix-bug/

This issue is fixed in asterisk versions: 1.8.32.3, 11.17.1, 12.8.2, 13.3.2

Upstream advisory: http://downloads.asterisk.org/pub/security/AST-2015-003.pdf
Upstream issue: https://issues.asterisk.org/jira/browse/ASTERISK-24847
Patch: https://issues.asterisk.org/jira/secure/attachment/52082/asterisk-null-in-cn.patch

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1210225
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-3008
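The mechanism behind the flaw, as an added illustration that is not Asterisk's code or the upstream patch: a certificate Common Name is an ASN.1 string with an explicit length and may contain embedded NUL bytes, so comparing it with a C string function stops at the first NUL. The structures and function names below are assumed for the example; the length-aware check is the defensive pattern.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* A Common Name as it comes out of an ASN.1 decoder: a byte buffer plus
 * an explicit length, because the encoded string may legally contain
 * embedded NUL bytes. (Hypothetical type for this example.) */
struct cert_cn {
    const unsigned char *data;
    size_t len;
};

/* Vulnerable pattern: treating the CN buffer as a NUL-terminated C string.
 * strcmp() stops at the first NUL, so "www.domain.com\0www.someotherdomain.com"
 * compares equal to "www.domain.com". */
bool cn_matches_vulnerable(const struct cert_cn *cn, const char *expected)
{
    return strcmp((const char *)cn->data, expected) == 0;
}

/* Hardened check: the ASN.1 length must equal the expected length, the
 * buffer must contain no embedded NUL, and the whole buffer must match. */
bool cn_matches_hardened(const struct cert_cn *cn, const char *expected)
{
    size_t expected_len = strlen(expected);
    if (cn->len != expected_len)
        return false;               /* trailing data after a NUL changes the length */
    if (memchr(cn->data, '\0', cn->len) != NULL)
        return false;               /* an embedded NUL is never a valid hostname */
    return memcmp(cn->data, expected, expected_len) == 0;
}

/* Constructed sample inputs: the malicious CN from the advisory's example
 * (14 + 1 + 23 = 38 bytes) and a legitimate CN (14 bytes). */
static const unsigned char evil_cn_bytes[] =
    "www.domain.com\0www.someotherdomain.com";
static const struct cert_cn evil_cn = { evil_cn_bytes, sizeof(evil_cn_bytes) - 1 };

static const unsigned char good_cn_bytes[] = "www.domain.com";
static const struct cert_cn good_cn = { good_cn_bytes, sizeof(good_cn_bytes) - 1 };
```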
Done.