Displaying 20 results from an estimated 3000 matches similar to: "AST-2014-011: Asterisk Susceptibility to POODLE Vulnerability"
2014 Oct 20
0
AST-2014-011: Asterisk Susceptibility to POODLE Vulnerability
Asterisk Project Security Advisory - AST-2014-011
Product Asterisk
Summary Asterisk Susceptibility to POODLE Vulnerability
Nature of Advisory Unauthorized Data Disclosure
Susceptibility Remote Unauthenticated Sessions
Severity Medium
2014 Oct 20
0
Asterisk 1.8.28-cert2, 1.8.31.1, 11.6-cert7, 11.13.1, 12.6.1, 13.0.0-beta3 Now Available (Security Release)
The Asterisk Development Team has announced security releases for Certified
Asterisk 1.8.28 and 11.6 and Asterisk 1.8, 11, 12, and 13. The available
security releases are released as versions 1.8.28-cert2, 11.6-cert7, 1.8.31.1,
11.13.1, 12.6.1, and 13.0.0-beta3.
These releases are available for immediate download at
http://downloads.asterisk.org/pub/telephony/asterisk/releases
The release of
2013 Jan 02
0
AST-2012-015: Denial of Service Through Exploitation of Device State Caching
Asterisk Project Security Advisory - AST-2012-015
Product Asterisk
Summary Denial of Service Through Exploitation of Device
State Caching
Nature of Advisory Denial of Service
Susceptibility Remote
2016 Feb 04
0
AST-2016-001: BEAST vulnerability in HTTP server
Asterisk Project Security Advisory - AST-2016-001
Product Asterisk
Summary BEAST vulnerability in HTTP server
Nature of Advisory Unauthorized data disclosure due to
man-in-the-middle attack
Susceptibility Remote
2015 Jan 28
0
AST-2015-002: Mitigation for libcURL HTTP request injection vulnerability
Asterisk Project Security Advisory - AST-2015-002
Product Asterisk
Summary Mitigation for libcURL HTTP request injection
vulnerability
Nature of Advisory HTTP request injection
Susceptibility Remote
2014 Oct 17
1
POODLE and TLSv1
I read this on the RHN commentary respecting cve-2014-3566:
https://securityblog.redhat.com/2014/10/15/poodle-a-ssl3-vulnerability-cve-2014-3566/:
. . .
The first aspect of POODLE, the SSL 3.0 protocol vulnerability, has already
been fixed through iterative protocol improvements, leading to the current TLS
version, 1.2. It is simply not possible to address this in the context of the
SSL 3.0
2016 Feb 04
0
AST-2016-003: Remote crash vulnerability when receiving UDPTL FAX data.
Asterisk Project Security Advisory - AST-2016-003
Product Asterisk
Summary Remote crash vulnerability when receiving UDPTL FAX
data.
Nature of Advisory Denial of Service
Susceptibility Remote
2015 Apr 08
0
AST-2015-003: TLS Certificate Common name NULL byte exploit
Asterisk Project Security Advisory - AST-2015-003
Product Asterisk
Summary TLS Certificate Common name NULL byte exploit
Nature of Advisory Man in the Middle Attack
Susceptibility Remote Authenticated Sessions
Severity Major
2016 Feb 04
0
AST-2016-002: File descriptor exhaustion in chan_sip
Asterisk Project Security Advisory - AST-2016-002
Product Asterisk
Summary File descriptor exhaustion in chan_sip
Nature of Advisory Denial of Service
Susceptibility Remote Unauthenticated Sessions
Severity Minor
2014 Nov 21
0
AST-2014-012: Mixed IP address families in access control lists may permit unwanted traffic.
Asterisk Project Security Advisory - AST-2014-012
Product Asterisk
Summary Mixed IP address families in access control lists
may permit unwanted traffic.
Nature of Advisory Unauthorized Access
Susceptibility Remote
2014 Oct 15
0
Koji/CBS infra and sslv3/Poodle important notification
Hi,
As most of you already know, there is an important SSLv3 vulnerability
(CVE-2014-3566 - see https://access.redhat.com/articles/1232123),
known as Poodle.
While it's easy to disable SSLv3 in the allowed Protocols at the
server level (for example SSLProtocol All -SSLv2 -SSLv3 for apache),
some clients are still defaulting to SSLv3, and Koji
2014 Nov 21
0
AST-2014-018: AMI permission escalation through DB dialplan function
Asterisk Project Security Advisory - AST-2014-018
Product Asterisk
Summary AMI permission escalation through DB dialplan
function
Nature of Advisory Permission Escalation
Susceptibility Remote
2015 Jul 09
0
Samba 4 - disabling SSLv3 to mitigate POODLE effects
No patch available now. Download the source code and modify the source
code yourself, and then compile it.
-----Original Message-----
From: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org]
On Behalf Of Mario Pio Russo
Sent: Wednesday, July 08, 2015 10:01 PM
To: Kelvin Yip
Cc: samba at lists.samba.org; samba-bounces at lists.samba.org
Subject: Re: [Samba] Samba 4 -
2014 Oct 16
1
POODLE on CentOS
The following updates address POODLE on CentOS:
CentOS-5:
http://lists.centos.org/pipermail/centos-announce/2014-October/020696.html
CentOS-6.5:
http://lists.centos.org/pipermail/centos-announce/2014-October/020697.html
CentOS-7:
http://lists.centos.org/pipermail/centos-announce/2014-October/020695.html
Please note that the CentOS-6.5 updates are built from:
openssl-1.0.1e-30.el6_5.2.src.rpm
2015 Jul 09
1
Samba 4 - disabling SSLv3 to mitigate POODLE effects
Arg... that's a problem now..
we are not allowed to compile third party software in our dev environment,
we are only allowed to use packages (that's why we use sernet-samba, which
in fairness is great!).
any plan to release a proper patch?
___________________________________________________________________________________________
Mario Pio Russo, System Admin SWG IT Services Dublin,