Package: src:asterisk; Maintainer for src:asterisk is Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>;
Reported by: Bernhard Schmidt <berni@debian.org>
Date: Fri, 1 Sep 2017 06:33:02 UTC
Severity: grave
Tags: fixed-upstream, security, upstream
Found in version asterisk/1:11.5.1~dfsg-1
Fixed in versions asterisk/1:13.17.1~dfsg-1, asterisk/1:13.14.1~dfsg-2+deb9u1, asterisk/1:11.13.1~dfsg-2+deb8u3
Done: Bernhard Schmidt <berni@debian.org>
Bug is archived. No further changes may be made.
Forwarded to https://issues.asterisk.org/jira/browse/ASTERISK-27013
Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>: Bug#873907; Package src:asterisk. (Fri, 01 Sep 2017 06:33:04 GMT)
Acknowledgement sent to Bernhard Schmidt <berni@debian.org>: New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>. (Fri, 01 Sep 2017 06:33:04 GMT)
Message #5 received at submit@bugs.debian.org:

Package: src:asterisk
Severity: important
Tags: security

Asterisk Project Security Advisory - AST-2017-005

Product:             Asterisk
Summary:             Media takeover in RTP stack
Nature of Advisory:  Unauthorized data disclosure
Susceptibility:      Remote Unauthenticated Sessions
Severity:            Critical
Exploits Known:      No
Reported On:         May 17, 2017
Reported By:         Klaus-Peter Junghanns
Posted On:
Last Updated On:     August 30, 2017
Advisory Contact:    Joshua Colp <jcolp AT digium DOT com>
CVE Name:

Description:

The "strictrtp" option in rtp.conf enables a feature of the RTP stack
that learns the source address of media for a session and drops any
packets that do not originate from the expected address. This option
is enabled by default in Asterisk 11 and above.

The "nat" and "rtp_symmetric" options for chan_sip and chan_pjsip
respectively enable symmetric RTP support in the RTP stack. This uses
the source address of incoming media as the target address of any sent
media. This option is not enabled by default but is commonly enabled
to handle devices behind NAT.

A change was made to the strict RTP support in the RTP stack to better
tolerate late media when a reinvite occurs. When combined with the
symmetric RTP support this introduced an avenue where media could be
hijacked. Instead of only learning a new address when expected the new
code allowed a new source address to be learned at all times.

If a flood of RTP traffic was received the strict RTP support would
allow the new address to provide media and with symmetric RTP enabled
outgoing traffic would be sent to this new address, allowing the media
to be hijacked. Provided the attacker continued to send traffic they
would continue to receive traffic as well.

Resolution:

The RTP stack will now only learn a new source address if it has been
told to expect the address to change. The RTCP support has now also
been updated to drop RTCP reports that are not regarding the RTP
session currently in progress. The strict RTP learning progress has
also been improved to guard against a flood of RTP packets attempting
to take over the media stream.

Affected Versions:

  Product                Release Series
  Asterisk Open Source   11.x             11.4.0
  Asterisk Open Source   13.x             All Releases
  Asterisk Open Source   14.x             All Releases
  Certified Asterisk     11.6             All Releases
  Certified Asterisk     13.13            All Releases

Corrected In:

  Product                Release
  Asterisk Open Source   11.25.2, 13.17.1, 14.6.1
  Certified Asterisk     11.6-cert17, 13.13-cert5

Patches:

  SVN URL                                                              Revision
  http://downloads.asterisk.org/pub/security/AST-2017-005-11.diff      Asterisk 11
  http://downloads.asterisk.org/pub/security/AST-2017-005-13.diff      Asterisk 13
  http://downloads.asterisk.org/pub/security/AST-2017-005-14.diff      Asterisk 14
  http://downloads.asterisk.org/pub/security/AST-2017-005-11.6.diff    Certified Asterisk 11.6
  http://downloads.asterisk.org/pub/security/AST-2017-005-13.13.diff   Certified Asterisk 13.13

Links: https://issues.asterisk.org/jira/browse/ASTERISK-27013

Asterisk Project Security Advisories are posted at
http://www.asterisk.org/security

This document may be superseded by later versions; if so, the latest
version will be posted at
http://downloads.digium.com/pub/security/AST-2017-005.pdf and
http://downloads.digium.com/pub/security/AST-2017-005.html

Revision History:

  Date           Editor        Revisions Made
  May 30, 2017   Joshua Colp   Initial Revision

Asterisk Project Security Advisory - AST-2017-005
Copyright (c) 2017 Digium, Inc. All Rights Reserved.
Permission is hereby granted to distribute and publish this advisory in
its original, unaltered form.
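The learning decision the advisory describes, as a simplified C model added here (it is not Asterisk code and not part of the original report). It compares "learn a new source at all times" with "learn only when told to expect a change" for a session with symmetric RTP enabled. The type and function names, the LEARN_THRESHOLD value and the sample addresses are assumptions constructed for the illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define LEARN_THRESHOLD 4 /* assumed: consecutive packets needed to learn a source */
#define IP4(a, b, c, d) (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | \
                         ((uint32_t)(c) << 8) | (uint32_t)(d))

struct addr { uint32_t ip; uint16_t port; };

/* Constructed sample endpoints (documentation address ranges). */
static const struct addr PEER_A       = { IP4(192, 0, 2, 10),   10000 };
static const struct addr UNEXPECTED_B = { IP4(198, 51, 100, 7), 40000 };
static const struct addr PEER_C       = { IP4(203, 0, 113, 5),  12000 };

enum learn_policy {
    LEARN_ALWAYS,        /* models the behaviour the advisory calls vulnerable */
    LEARN_WHEN_EXPECTED  /* models the behaviour the advisory gives as the fix */
};

struct rtp_session {
    enum learn_policy policy;
    bool symmetric;       /* "nat" / "rtp_symmetric": reply to the media source */
    bool expect_change;   /* set by signalling (call setup, reinvite) */
    bool has_learned;
    struct addr learned;  /* strict RTP: the only source media is accepted from */
    struct addr candidate;
    int candidate_hits;
    struct addr send_to;  /* where outgoing media is sent */
    int dropped;
};

static bool addr_eq(struct addr a, struct addr b)
{
    return a.ip == b.ip && a.port == b.port;
}

void session_init(struct rtp_session *s, enum learn_policy policy, bool symmetric)
{
    *s = (struct rtp_session){ .policy = policy, .symmetric = symmetric,
                               .expect_change = true };
}

/* Signalling announces that the remote media address may change. */
void session_expect_change(struct rtp_session *s)
{
    s->expect_change = true;
    s->candidate_hits = 0;
}

/* Returns true if the packet is accepted as media for this session. */
bool rtp_receive(struct rtp_session *s, struct addr src)
{
    if (s->has_learned && addr_eq(src, s->learned)) {
        s->candidate_hits = 0;  /* known source, also covers late media */
    } else if (s->policy == LEARN_WHEN_EXPECTED && !s->expect_change) {
        s->dropped++;           /* fixed policy: no learning outside a window */
        return false;
    } else {
        if (!addr_eq(src, s->candidate)) {
            s->candidate = src;
            s->candidate_hits = 0;
        }
        if (++s->candidate_hits < LEARN_THRESHOLD) {
            s->dropped++;
            return false;
        }
        s->learned = src;       /* enough consecutive packets: adopt the source */
        s->has_learned = true;
        s->expect_change = false;
        s->candidate_hits = 0;
    }
    if (s->symmetric)
        s->send_to = src;       /* symmetric RTP follows the accepted source */
    return true;
}

static void send_packets(struct rtp_session *s, struct addr src, int n)
{
    for (int i = 0; i < n; i++)
        rtp_receive(s, src);
}

/* A is learned at call setup, then sustained traffic arrives from B. */
struct addr scenario_unexpected_source(enum learn_policy policy)
{
    struct rtp_session s;
    session_init(&s, policy, true);
    send_packets(&s, PEER_A, LEARN_THRESHOLD);
    send_packets(&s, UNEXPECTED_B, 10);
    return s.send_to;
}

/* A is learned, signalling announces a change, then media arrives from C. */
struct addr scenario_expected_change(enum learn_policy policy)
{
    struct rtp_session s;
    session_init(&s, policy, true);
    send_packets(&s, PEER_A, LEARN_THRESHOLD);
    session_expect_change(&s);
    send_packets(&s, PEER_C, LEARN_THRESHOLD);
    return s.send_to;
}

int main(void)
{
    printf("unexpected source, learn always:        media to port %u\n",
           (unsigned)scenario_unexpected_source(LEARN_ALWAYS).port);
    printf("unexpected source, learn when expected: media to port %u\n",
           (unsigned)scenario_unexpected_source(LEARN_WHEN_EXPECTED).port);
    printf("announced change, learn when expected:  media to port %u\n",
           (unsigned)scenario_expected_change(LEARN_WHEN_EXPECTED).port);
    return 0;
}
```

In the model, outgoing media follows the unannounced source only under LEARN_ALWAYS, while an address change announced by signalling is still honoured under LEARN_WHEN_EXPECTED.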
Marked as found in versions asterisk/1:11.5.1~dfsg-1. Request was from Bernhard Schmidt <berni@debian.org> to control@bugs.debian.org. (Fri, 01 Sep 2017 06:39:04 GMT)
Added tag(s) upstream and fixed-upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 01 Sep 2017 06:45:05 GMT)
Set Bug forwarded-to-address to 'https://issues.asterisk.org/jira/browse/ASTERISK-27013'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 01 Sep 2017 06:45:05 GMT)
Severity set to 'grave' from 'important'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 02 Sep 2017 06:36:04 GMT)
Changed Bug title to 'asterisk: CVE-2017-14099: AST-2017-005: Media takeover in RTP stack' from 'AST-2017-005 - Media takeover in RTP stack'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 02 Sep 2017 17:15:03 GMT)
Reply sent to Bernhard Schmidt <berni@debian.org>: You have taken responsibility. (Sat, 02 Sep 2017 21:18:23 GMT)
Notification sent to Bernhard Schmidt <berni@debian.org>: Bug acknowledged by developer. (Sat, 02 Sep 2017 21:18:23 GMT)
Message #20 received at 873907-close@bugs.debian.org:

Source: asterisk
Source-Version: 1:13.17.1~dfsg-1

We believe that the bug you reported is fixed in the latest version of
asterisk, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 873907@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Bernhard Schmidt <berni@debian.org> (supplier of updated asterisk package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)

Format: 1.8
Date: Sat, 02 Sep 2017 22:34:09 +0200
Source: asterisk
Binary: asterisk asterisk-modules asterisk-dahdi asterisk-vpb asterisk-voicemail asterisk-voicemail-imapstorage asterisk-voicemail-odbcstorage asterisk-ooh423 asterisk-mp3 asterisk-mysql asterisk-mobile asterisk-tests asterisk-doc asterisk-dev asterisk-config
Architecture: source
Version: 1:13.17.1~dfsg-1
Distribution: unstable
Urgency: high
Maintainer: Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>
Changed-By: Bernhard Schmidt <berni@debian.org>
Description:
 asterisk - Open Source Private Branch Exchange (PBX)
 asterisk-config - Configuration files for Asterisk
 asterisk-dahdi - DAHDI devices support for the Asterisk PBX
 asterisk-dev - Development files for Asterisk
 asterisk-doc - Source code documentation for Asterisk
 asterisk-mobile - Bluetooth phone support for the Asterisk PBX
 asterisk-modules - loadable modules for the Asterisk PBX
 asterisk-mp3 - MP3 playback support for the Asterisk PBX
 asterisk-mysql - MySQL database protocol support for the Asterisk PBX
 asterisk-ooh423 - H.323 protocol support for the Asterisk PBX - ooH323c
 asterisk-tests - internal test modules of the Asterisk PBX
 asterisk-voicemail - simple voicemail support for the Asterisk PBX
 asterisk-voicemail-imapstorage - IMAP voicemail storage support for the Asterisk PBX
 asterisk-voicemail-odbcstorage - ODBC voicemail storage support for the Asterisk PBX
 asterisk-vpb - VoiceTronix devices support for the Asterisk PBX
Closes: 873907 873908 873909
Changes:
 asterisk (1:13.17.1~dfsg-1) unstable; urgency=high
 .
   * New upstream version 13.17.1, fixing three CVEs
     - CVE-2017-14099 / AST-2017-005
       Media takeover in RTP stack ("RTP bleed") (Closes: #873907)
     - CVE-2017-14100 / AST-2017-006
       Shell access command injection in app_minivm (Closes: #873908)
     - CVE-2017-14098 / AST-2017-007
       Remote Crash Vulnerability in res_pjsip (Closes: #873909)
Reply sent to Bernhard Schmidt <berni@debian.org>: You have taken responsibility. (Fri, 29 Sep 2017 11:36:12 GMT)
Notification sent to Bernhard Schmidt <berni@debian.org>: Bug acknowledged by developer. (Fri, 29 Sep 2017 11:36:12 GMT)
Message #25 received at 873907-close@bugs.debian.org:

Source: asterisk
Source-Version: 1:13.14.1~dfsg-2+deb9u1

We believe that the bug you reported is fixed in the latest version of
asterisk, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 873907@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Bernhard Schmidt <berni@debian.org> (supplier of updated asterisk package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)

Format: 1.8
Date: Sat, 02 Sep 2017 23:21:14 +0200
Source: asterisk
Binary: asterisk asterisk-modules asterisk-dahdi asterisk-vpb asterisk-voicemail asterisk-voicemail-imapstorage asterisk-voicemail-odbcstorage asterisk-ooh423 asterisk-mp3 asterisk-mysql asterisk-mobile asterisk-doc asterisk-dev asterisk-config
Architecture: source all amd64
Version: 1:13.14.1~dfsg-2+deb9u1
Distribution: stretch-security
Urgency: high
Maintainer: Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>
Changed-By: Bernhard Schmidt <berni@debian.org>
Description:
 asterisk - Open Source Private Branch Exchange (PBX)
 asterisk-config - Configuration files for Asterisk
 asterisk-dahdi - DAHDI devices support for the Asterisk PBX
 asterisk-dev - Development files for Asterisk
 asterisk-doc - Source code documentation for Asterisk
 asterisk-mobile - Bluetooth phone support for the Asterisk PBX
 asterisk-modules - loadable modules for the Asterisk PBX
 asterisk-mp3 - MP3 playback support for the Asterisk PBX
 asterisk-mysql - MySQL database protocol support for the Asterisk PBX
 asterisk-ooh423 - H.323 protocol support for the Asterisk PBX - ooH323c
 asterisk-voicemail - simple voicemail support for the Asterisk PBX
 asterisk-voicemail-imapstorage - IMAP voicemail storage support for the Asterisk PBX
 asterisk-voicemail-odbcstorage - ODBC voicemail storage support for the Asterisk PBX
 asterisk-vpb - VoiceTronix devices support for the Asterisk PBX
Closes: 873907 873908
Changes:
 asterisk (1:13.14.1~dfsg-2+deb9u1) stretch-security; urgency=high
 .
   * CVE-2017-14099 / AST-2017-005
     Media takeover in RTP stack ("RTP bleed") (Closes: #873907)
   * CVE-2017-14100 / AST-2017-006
     Shell access command injection in app_minivm (Closes: #873908)
Reply sent to Bernhard Schmidt <berni@debian.org>: You have taken responsibility. (Sun, 08 Oct 2017 10:51:05 GMT)
Notification sent to Bernhard Schmidt <berni@debian.org>: Bug acknowledged by developer. (Sun, 08 Oct 2017 10:51:05 GMT)
Message #30 received at 873907-close@bugs.debian.org:

Source: asterisk
Source-Version: 1:11.13.1~dfsg-2+deb8u3

We believe that the bug you reported is fixed in the latest version of
asterisk, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 873907@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Bernhard Schmidt <berni@debian.org> (supplier of updated asterisk package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)

Format: 1.8
Date: Sat, 02 Sep 2017 22:46:15 +0200
Source: asterisk
Binary: asterisk asterisk-modules asterisk-dahdi asterisk-vpb asterisk-voicemail asterisk-voicemail-imapstorage asterisk-voicemail-odbcstorage asterisk-ooh423 asterisk-mp3 asterisk-mysql asterisk-mobile asterisk-doc asterisk-dev asterisk-dbg asterisk-config
Architecture: source amd64 all
Version: 1:11.13.1~dfsg-2+deb8u3
Distribution: jessie-security
Urgency: high
Maintainer: Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>
Changed-By: Bernhard Schmidt <berni@debian.org>
Description:
 asterisk - Open Source Private Branch Exchange (PBX)
 asterisk-config - Configuration files for Asterisk
 asterisk-dahdi - DAHDI devices support for the Asterisk PBX
 asterisk-dbg - Debugging symbols for Asterisk
 asterisk-dev - Development files for Asterisk
 asterisk-doc - Source code documentation for Asterisk
 asterisk-mobile - Bluetooth phone support for the Asterisk PBX
 asterisk-modules - loadable modules for the Asterisk PBX
 asterisk-mp3 - MP3 playback support for the Asterisk PBX
 asterisk-mysql - MySQL database protocol support for the Asterisk PBX
 asterisk-ooh423 - H.323 protocol support for the Asterisk PBX - ooH323c
 asterisk-voicemail - simple voicemail support for the Asterisk PBX
 asterisk-voicemail-imapstorage - IMAP voicemail storage support for the Asterisk PBX
 asterisk-voicemail-odbcstorage - ODBC voicemail storage support for the Asterisk PBX
 asterisk-vpb - VoiceTronix devices support for the Asterisk PBX
Closes: 873907 873908
Changes:
 asterisk (1:11.13.1~dfsg-2+deb8u3) jessie-security; urgency=high
 .
   * CVE-2017-14099 / AST-2017-005
     Media takeover in RTP stack ("RTP bleed") (Closes: #873907)
   * CVE-2017-14100 / AST-2017-006
     Shell access command injection in app_minivm (Closes: #873908)
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 06 Nov 2017 07:25:55 GMT)