Debian Bug report logs -
#991931
CVE-2021-32686 / AST-2021-009: pjproject/pjsip: crash when SSL socket destroyed during handshake
Reply or subscribe to this bug.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, team@security.debian.org, Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>:
Bug#991931; Package src:asterisk.
(Fri, 06 Aug 2021 08:06:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Bernhard Schmidt <berni@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>.
(Fri, 06 Aug 2021 08:06:03 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Package: src:asterisk
Severity: serious
Tags: security upstream patch
https://downloads.asterisk.org/pub/security/AST-2021-009.html
Summary: pjproject/pjsip: crash when SSL socket destroyed during handshake
Nature of Advisory: Denial of service
Susceptibility: Remote unauthenticated sessions
Severity: Major
Exploits Known: Yes
Description
| Depending on the timing, it’s possible for Asterisk to crash when using a TLS
| connection if the underlying socket parent/listener gets destroyed during the
| handshake.
Marked as found in versions asterisk/1:13.0.0~dfsg-1.
Request was from Bernhard Schmidt <berni@debian.org>
to control@bugs.debian.org.
(Fri, 06 Aug 2021 08:15:09 GMT) (full text, mbox, link).
Added tag(s) bullseye-ignore.
Request was from Paul Gevers <elbrus@debian.org>
to control@bugs.debian.org.
(Fri, 06 Aug 2021 12:48:04 GMT) (full text, mbox, link).
Reply sent
to Bernhard Schmidt <berni@debian.org>:
You have taken responsibility.
(Fri, 06 Aug 2021 14:36:04 GMT) (full text, mbox, link).
Notification sent
to Bernhard Schmidt <berni@debian.org>:
Bug acknowledged by developer.
(Fri, 06 Aug 2021 14:36:04 GMT) (full text, mbox, link).
Message #16 received at 991931-close@bugs.debian.org (full text, mbox, reply):
Source: asterisk
Source-Version: 1:16.16.1~dfsg-2
Done: Bernhard Schmidt <berni@debian.org>
We believe that the bug you reported is fixed in the latest version of
asterisk, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 991931@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Bernhard Schmidt <berni@debian.org> (supplier of updated asterisk package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Fri, 06 Aug 2021 15:35:20 +0200
Source: asterisk
Architecture: source
Version: 1:16.16.1~dfsg-2
Distribution: unstable
Urgency: high
Maintainer: Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>
Changed-By: Bernhard Schmidt <berni@debian.org>
Closes: 991710 991931
Changes:
asterisk (1:16.16.1~dfsg-2) unstable; urgency=high
.
* CVE-2021-32558 / AST-2021-008 (Closes: #991710)
If the IAX2 channel driver receives a packet that contains an unsupported
media format it can cause a crash to occur in Asterisk
* CVE-2021-32686 / AST-2021-009 (Closes: #991931)
pjproject/pjsip: crash when SSL socket destroyed during handshake
Checksums-Sha1:
fb0b4469160b4de496c70f11651d8200e78f54ed 4201 asterisk_16.16.1~dfsg-2.dsc
090a55a66d48f81af44ab87c05ff298f2f5b6904 5953392 asterisk_16.16.1~dfsg-2.debian.tar.xz
56f3f97ccdc63b567a1470e4e8177c73b87fc10d 27220 asterisk_16.16.1~dfsg-2_amd64.buildinfo
Checksums-Sha256:
101fed7a56cd8ff8134a259ab9ace703ec668d3a3c49ccfe8642660678039d1c 4201 asterisk_16.16.1~dfsg-2.dsc
e71bd3ba072e972fae139e4034b1cb754462d87e6497bf2110bdd20b8b8db75d 5953392 asterisk_16.16.1~dfsg-2.debian.tar.xz
21b31488ea06d219818303f3c9e8829b0a0d1c551c9276e00a24758548cfa89e 27220 asterisk_16.16.1~dfsg-2_amd64.buildinfo
Files:
64f9639acc462fe9f4317ecd1fff4064 4201 comm optional asterisk_16.16.1~dfsg-2.dsc
c9f8767a901f071ccc9cb1601b0d0716 5953392 comm optional asterisk_16.16.1~dfsg-2.debian.tar.xz
4f3170154c94066df1d4dea5f5ebb5a2 27220 comm optional asterisk_16.16.1~dfsg-2_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
iQJFBAEBCgAvFiEE1uAexRal3873GVbTd1B55bhQvJMFAmENQboRHGJlcm5pQGRl
Ymlhbi5vcmcACgkQd1B55bhQvJO/vBAAlv3WzhViB/D4PT4kFgBe8bJRlqlQLj4A
4up4A5X03OBDipEe3XMK4U/h6zpVaJXxIjOQ5u8o8Y53GJhLwzp350AUKzruSH2w
EThD+xdyUTJVmwxTr3mhUbtEW+yBkKB+zZitCWJFYQxzSrqfacISzszentOaba33
bjLtMrzb3HX9qn0BqGALm6o05Hc2AiU+zz3cwLr9dRo6njnxrGYgTAN0HT4erl9A
n1hi7NctJ8qT0Ws093A0PvHmoCAFr51ap6vwfbAFbMXy8Ef/q9vCWqJRwkwWpBVc
nOCNvwqAYKlduVeA+q06wLpwUNDWIpLo+irXfVsHubYXYpvnHFPfqrrhtxsI4+Z/
fPPCIu0sPZNx9/i6rQC4TQb3IgL4CjeOtv2YNwSbNCSsHvjyDYslL2jJphi18uai
c7rwoL+MeF/5+XvgUSa3Vjc26kZSNBybxTHhyJn+fcFEOcgZUsK3IcL/dw8oPReZ
giMguyPERAmlheeao2nl/vYeH29yu38ghlOFY6KUFHzwvGd8Su4vowDviCUO8Axm
W6iAOxQtDKb87VW0uTLCSufwkQF1DLNkr2WsTrVQiKJ88Ugby2lW6hb8HGfxR9SZ
gEUO150r5sfzqUFaz0Gj5l+dVfR/FmNRijZX5wx2BlQTBajTO38DiJ7pHIeAFSBE
3tluT8yVNG0=
=jBZ0
-----END PGP SIGNATURE-----
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Fri Aug 6 16:17:39 2021;
Machine Name:
buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.
Vulmon