CVE-2013-2686

Name of the Vulnerable Software and Affected Versions Asterisk Open Source versions 1.8.x through 1.8.20.1 Asterisk Open Source versions 10.x through 10.12.1 Asterisk Open Source versions 11.x through 11.2.1 Certified Asterisk version 1.8.15 through 1.8.15-cert1 Asterisk Digiumphones versions 10.x-digiumphones through 10.12.1-digiumphones

Description The issue arises from improper restriction of Content-Length values in the HTTP server, allowing remote attackers to cause a denial of service (daemon crash) via a crafted HTTP POST request. This can lead to stack-consumption attacks.

Recommendations For Asterisk Open Source versions 1.8.x through 1.8.20.1, update to version 1.8.20.2 or later. For Asterisk Open Source versions 10.x through 10.12.1, update to version 10.12.2 or later. For Asterisk Open Source versions 11.x through 11.2.1, update to version 11.2.2 or later. For Certified Asterisk version 1.8.15 through 1.8.15-cert1, update to version 1.8.15-cert2 or later. For Asterisk Digiumphones versions 10.x-digiumphones through 10.12.1-digiumphones, update to version 10.12.2-digiumphones or later.