asterisk: CVE-2015-1558: File descriptor leak when incompatible codecs are offered

Related Vulnerabilities: CVE-2015-1558  

Debian Bug report logs - #780601


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Mon, 16 Mar 2015 15:27:01 UTC

Severity: grave

Tags: fixed-upstream, patch, security, upstream

Found in version asterisk/1:13.1.0~dfsg-1

Fixed in version asterisk/1:13.1.0~dfsg-1.1

Done: Matthias Klose <doko@debian.org>

Bug is archived. No further changes may be made.




Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>:
Bug#780601; Package src:asterisk. (Mon, 16 Mar 2015 15:27:06 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>. (Mon, 16 Mar 2015 15:27:06 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: asterisk: CVE-2015-1558: File descriptor leak when incompatible codecs are offered
Date: Mon, 16 Mar 2015 16:25:10 +0100
Source: asterisk
Version: 1:13.1.0~dfsg-1
Severity: grave
Tags: security upstream patch fixed-upstream

Hi,

the following vulnerability was published for asterisk.

CVE-2015-1558[0]:
| Asterisk Open Source 12.x before 12.8.1 and 13.x before 13.1.1, when
| using the PJSIP channel driver, does not properly reclaim RTP ports,
| which allows remote authenticated users to cause a denial of service
| (file descriptor consumption) via an SDP offer containing only
| incompatible codecs.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2015-1558
[1] http://downloads.asterisk.org/pub/security/AST-2015-001.html
[2] https://issues.asterisk.org/jira/browse/ASTERISK-24666

Regards,
Salvatore
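
The bug class the CVE text above describes, as an added example that is not Asterisk's code: a minimal model of a media handler that allocates an RTP socket before codec negotiation. `handle_offer_leaky` drops the socket on the no-common-codec path without closing it, so every rejected offer costs one file descriptor and one port until the range is exhausted; `handle_offer_fixed` hands ownership of the socket to the session only on success and releases it on every other exit. The two SDP offers, the `RtpPortPool` class with its 8-socket cap, and the `ALLOWED` set are constructed for the example; `ALLOWED` models an endpoint configured with allow=ulaw,alaw, written with the RTP encoding names PCMU/PCMA as they appear in a=rtpmap lines.

```python
import socket

# Constructed sample offers (not captured traffic). ALLOWED models an endpoint
# configured with allow=ulaw,alaw, spelled with the a=rtpmap encoding names.
OFFER_COMPATIBLE = """v=0
o=- 1 1 IN IP4 192.0.2.10
s=-
c=IN IP4 192.0.2.10
t=0 0
m=audio 4000 RTP/AVP 0 8 101
a=rtpmap:0 PCMU/8000
a=rtpmap:8 PCMA/8000
a=rtpmap:101 telephone-event/8000
"""

OFFER_INCOMPATIBLE = """v=0
o=- 2 1 IN IP4 192.0.2.10
s=-
c=IN IP4 192.0.2.10
t=0 0
m=audio 4000 RTP/AVP 96
a=rtpmap:96 opus/48000/2
"""

ALLOWED = {"PCMU", "PCMA"}
# RFC 3551 static payload types that need no a=rtpmap line (subset).
STATIC_PAYLOAD_TYPES = {0: "PCMU", 3: "GSM", 8: "PCMA", 9: "G722", 18: "G729"}


def parse_sdp_audio_codecs(sdp):
    """Return the set of encoding names offered on the first m=audio line."""
    payloads, rtpmap, in_audio = [], {}, False
    for line in sdp.splitlines():
        if line.startswith("m="):
            in_audio = line.startswith("m=audio") and not payloads
            if in_audio:
                payloads = [int(pt) for pt in line.split()[3:]]
        elif in_audio and line.startswith("a=rtpmap:"):
            pt, encoding = line[len("a=rtpmap:"):].split(None, 1)
            rtpmap[int(pt)] = encoding.split("/")[0].upper()
    return {rtpmap.get(pt, STATIC_PAYLOAD_TYPES.get(pt, "PT%d" % pt)) for pt in payloads}


class RtpPortPool:
    """One bound UDP socket per media session, drawn from a bounded range (constructed)."""

    def __init__(self, max_sockets):
        self.max_sockets, self.open = max_sockets, []

    def allocate(self):
        if len(self.open) >= self.max_sockets:
            raise OSError("RTP port range exhausted")   # the end state of the DoS
        s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        s.bind(("127.0.0.1", 0))
        self.open.append(s)
        return s

    def release(self, s):
        self.open.remove(s)
        s.close()


def handle_offer_leaky(pool, sdp, allowed):
    """Vulnerable pattern: allocate first, then return on the no-common-codec
    path without closing the socket, so each rejected offer costs one fd."""
    rtp = pool.allocate()
    if not parse_sdp_audio_codecs(sdp) & allowed:
        return None                     # BUG: rtp is never released
    return rtp


def handle_offer_fixed(pool, sdp, allowed):
    """Fixed pattern: ownership passes to the caller only on success; every
    other exit, including an exception from the parser, releases the socket."""
    rtp = pool.allocate()
    try:
        if not parse_sdp_audio_codecs(sdp) & allowed:
            return None
        session, rtp = rtp, None        # transfer ownership, skip the release below
        return session
    finally:
        if rtp is not None:
            pool.release(rtp)


def simulate(handler, offers, allowed=ALLOWED, max_sockets=8):
    """Feed a sequence of offers to handler and report what happened to the pool."""
    pool = RtpPortPool(max_sockets)
    stats = {"accepted": 0, "rejected": 0, "exhausted": 0}
    for sdp in offers:
        try:
            stats["accepted" if handler(pool, sdp, allowed) is not None else "rejected"] += 1
        except OSError:
            stats["exhausted"] += 1
    stats["open_after"] = len(pool.open)
    for s in list(pool.open):
        pool.release(s)
    return stats
```

Running `simulate(handle_offer_leaky, [OFFER_INCOMPATIBLE] * 20 + [OFFER_COMPATIBLE])` shows the attack shape from the CVE text: eight rejected offers pin eight sockets, the remaining twelve fail with "range exhausted", and the one legitimate offer at the end is refused too. The same storm through `handle_offer_fixed` leaves only the accepted call's socket open. The point to carry to a code review is structural: any resource acquired before a validation step needs a release on the validation-failure path, and a try/finally with explicit ownership transfer is the cheapest way to make that hold for exits you did not anticipate.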



Reply sent to Matthias Klose <doko@debian.org>:
You have taken responsibility. (Sat, 11 Jul 2015 11:51:19 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sat, 11 Jul 2015 11:51:19 GMT)


Message #10 received at 780601-close@bugs.debian.org:

From: Matthias Klose <doko@debian.org>
To: 780601-close@bugs.debian.org
Subject: Bug#780601: fixed in asterisk 1:13.1.0~dfsg-1.1
Date: Sat, 11 Jul 2015 11:49:49 +0000
Source: asterisk
Source-Version: 1:13.1.0~dfsg-1.1

We believe that the bug you reported is fixed in the latest version of
asterisk, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 780601@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Matthias Klose <doko@debian.org> (supplier of updated asterisk package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Fri, 10 Jul 2015 12:56:51 +0200
Source: asterisk
Binary: asterisk asterisk-modules asterisk-dahdi asterisk-vpb asterisk-voicemail asterisk-voicemail-imapstorage asterisk-voicemail-odbcstorage asterisk-ooh423 asterisk-mp3 asterisk-mysql asterisk-mobile asterisk-doc asterisk-dev asterisk-dbg asterisk-config
Architecture: source all amd64
Version: 1:13.1.0~dfsg-1.1
Distribution: unstable
Urgency: medium
Maintainer: Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>
Changed-By: Matthias Klose <doko@debian.org>
Description:
 asterisk   - Open Source Private Branch Exchange (PBX)
 asterisk-config - Configuration files for Asterisk
 asterisk-dahdi - DAHDI devices support for the Asterisk PBX
 asterisk-dbg - Debugging symbols for Asterisk
 asterisk-dev - Development files for Asterisk
 asterisk-doc - Source code documentation for Asterisk
 asterisk-mobile - Bluetooth phone support for the Asterisk PBX
 asterisk-modules - loadable modules for the Asterisk PBX
 asterisk-mp3 - MP3 playback support for the Asterisk PBX
 asterisk-mysql - MySQL database protocol support for the Asterisk PBX
 asterisk-ooh423 - H.323 protocol support for the Asterisk PBX - ooH323c
 asterisk-voicemail - simple voicemail support for the Asterisk PBX
 asterisk-voicemail-imapstorage - IMAP voicemail storage support for the Asterisk PBX
 asterisk-voicemail-odbcstorage - ODBC voicemail storage support for the Asterisk PBX
 asterisk-vpb - VoiceTronix devices support for the Asterisk PBX
Closes: 777782 780287 780601
Changes:
 asterisk (1:13.1.0~dfsg-1.1) unstable; urgency=medium
 .
   * Non-maintainer upload.
 .
   [ Matthias Klose ]
   * Build with -fgnu89-inline. Closes: #777782.
   * CVE-2015-1558: File descriptor leak when incompatible codecs are offered.
     Closes: #780601.
 .
   [ James Cowgill ]
   * Fix OSARCH detection on all linux architectures. Closes: #780287.
Checksums-Sha1:
 cab4d1421d0e7d74182b81d31ca20464e612a34b 4067 asterisk_13.1.0~dfsg-1.1.dsc
 57053c83bcd7385bcf33b5899755bf4197bcec97 102008 asterisk_13.1.0~dfsg-1.1.debian.tar.xz
 50e87af8f466f2b28c8862cc63b5d1852d44c258 718270 asterisk-config_13.1.0~dfsg-1.1_all.deb
 92fd2f12f41cfca2eea1a6b1d8dd467235bf0c2c 557720 asterisk-dahdi_13.1.0~dfsg-1.1_amd64.deb
 1841a132c72aad642c629cb6057d9a88579bbb86 13865224 asterisk-dbg_13.1.0~dfsg-1.1_amd64.deb
 cb61cc669b060aaf1e45f40fd574592931870e83 757448 asterisk-dev_13.1.0~dfsg-1.1_all.deb
 e4b033ff5c33df501d16c6168a42cb87a2642cdc 1052022 asterisk-doc_13.1.0~dfsg-1.1_all.deb
 00e9cf9a315ce8132213a93ee41556a814d8b6a2 377076 asterisk-mobile_13.1.0~dfsg-1.1_amd64.deb
 801f862846e741be15ee8bbfe4b7450190473060 2457088 asterisk-modules_13.1.0~dfsg-1.1_amd64.deb
 9e9788596b753d091a84110dc47a504c57428cfb 365744 asterisk-mp3_13.1.0~dfsg-1.1_amd64.deb
 c2b555e7574ba15b36f126da190aaee598a34ac8 383096 asterisk-mysql_13.1.0~dfsg-1.1_amd64.deb
 526ea7a38274d94a64dcfe83d16445efac4b8d60 681508 asterisk-ooh423_13.1.0~dfsg-1.1_amd64.deb
 7222da086aaeb75bc32dc043c9b3761951fc4282 444928 asterisk-voicemail-imapstorage_13.1.0~dfsg-1.1_amd64.deb
 dcd65024bff3672000287ee18168202d69fb37ae 434390 asterisk-voicemail-odbcstorage_13.1.0~dfsg-1.1_amd64.deb
 f8de16699117e90b41286e6d86a346c198a8f3d4 428262 asterisk-voicemail_13.1.0~dfsg-1.1_amd64.deb
 2ae7da50314b20e7656cdd263a9aa7ab3d15058b 368876 asterisk-vpb_13.1.0~dfsg-1.1_amd64.deb
 b0a9752bb781c8cfe8d213e559faec3570ae751e 1756830 asterisk_13.1.0~dfsg-1.1_amd64.deb
Checksums-Sha256:
 a34303c08593c0c4f954b59a654b4403a34f2dd670f791f5d070a1c8e507e7e2 4067 asterisk_13.1.0~dfsg-1.1.dsc
 5ecdf9e022df3c162afcb52b343a0efc0d478cf02d173ad762b7eb75ffce9a23 102008 asterisk_13.1.0~dfsg-1.1.debian.tar.xz
 40cc9a1ee07f3bf2b7ab8a270c07401d33f1d6d16a47029d07c746d09f59a699 718270 asterisk-config_13.1.0~dfsg-1.1_all.deb
 c9d9387eabc8282937b95da78fcf3223cba3a1ada0baa1873be188bed7fb6760 557720 asterisk-dahdi_13.1.0~dfsg-1.1_amd64.deb
 22c096de7d8c61d1a52fba08ad84841fae0b1fb4f22cfa6827734908a7c2d1d7 13865224 asterisk-dbg_13.1.0~dfsg-1.1_amd64.deb
 fc2e6a35efad8ad1e595acc654a21f252e533b20bc27fb6aa8c016f9e08fb11c 757448 asterisk-dev_13.1.0~dfsg-1.1_all.deb
 227f32c83f4bd14fd6653fa85c504a5946af6c262d5e966ba460411ccd24e0cf 1052022 asterisk-doc_13.1.0~dfsg-1.1_all.deb
 8074bb95c05c7016b5fa424c6c1d8e20ca50b2d0b3c7a97fea1f867657f85897 377076 asterisk-mobile_13.1.0~dfsg-1.1_amd64.deb
 c0002ddb4e5678fa099fff4256691d7a782f73f3f9e7ea2a245fea8e7ab93205 2457088 asterisk-modules_13.1.0~dfsg-1.1_amd64.deb
 47f997c59c8fb4923f081af24ed6725a70444d1c3241b20c96f6fa44a64ed6db 365744 asterisk-mp3_13.1.0~dfsg-1.1_amd64.deb
 d91cb914c9fecd314983ea6c3a974406951367527919cb55d8f8f9ca6db1277a 383096 asterisk-mysql_13.1.0~dfsg-1.1_amd64.deb
 a772952f1ba284e2546eb7d4bc7dda1c1e9327f0bc7102fa00d27f1b7808c175 681508 asterisk-ooh423_13.1.0~dfsg-1.1_amd64.deb
 098f1a98178bc88ff62882b4a8b3fce26766a686f9e58125abcab8847327989b 444928 asterisk-voicemail-imapstorage_13.1.0~dfsg-1.1_amd64.deb
 f97364333c7ef6f49c9e2f18122b6e8a1f406a41758f0df0eaf279edc8fbb291 434390 asterisk-voicemail-odbcstorage_13.1.0~dfsg-1.1_amd64.deb
 37a66e3ffe94522429f498a54ed8be74dfb6ffe47d8044f9af0135258bfce227 428262 asterisk-voicemail_13.1.0~dfsg-1.1_amd64.deb
 7dfba5d64b0468b99797e377084b57aa0cdf917f342dd057c52db7667e60f77f 368876 asterisk-vpb_13.1.0~dfsg-1.1_amd64.deb
 6fd6fad656011c6f8daee05a1bdb9fc6e1a12859f3bd90f16b5aa586b172d93b 1756830 asterisk_13.1.0~dfsg-1.1_amd64.deb
Files:
 b8d71b329402ecdc7de55221496493d2 4067 comm optional asterisk_13.1.0~dfsg-1.1.dsc
 d7f1378e5a296dc234525a3ee39a24db 102008 comm optional asterisk_13.1.0~dfsg-1.1.debian.tar.xz
 6c26a7d5313b323130a9bb26429f6255 718270 comm optional asterisk-config_13.1.0~dfsg-1.1_all.deb
 215ccfc095e33bf10fbfdf83e4e6170a 557720 comm optional asterisk-dahdi_13.1.0~dfsg-1.1_amd64.deb
 02b829c9eab4c1b27c8a53bee7536b5a 13865224 debug extra asterisk-dbg_13.1.0~dfsg-1.1_amd64.deb
 ae371473070c330409994314240dabb1 757448 devel extra asterisk-dev_13.1.0~dfsg-1.1_all.deb
 e6a6449d74438d4bf564db2ab0e97e32 1052022 doc extra asterisk-doc_13.1.0~dfsg-1.1_all.deb
 b910bfa0203dabe6ae5e74f7d82df587 377076 comm optional asterisk-mobile_13.1.0~dfsg-1.1_amd64.deb
 59afda12ab5265b73996a9a41ac6fa4f 2457088 libs optional asterisk-modules_13.1.0~dfsg-1.1_amd64.deb
 ddebfcc5860ec3bf0f0512b08fae81df 365744 comm optional asterisk-mp3_13.1.0~dfsg-1.1_amd64.deb
 6e833887b66c37e2d8353d929ea54784 383096 comm optional asterisk-mysql_13.1.0~dfsg-1.1_amd64.deb
 90cafd61c8c2b03ea3a727189fab5608 681508 comm optional asterisk-ooh423_13.1.0~dfsg-1.1_amd64.deb
 966a0a9061aaf1336782b025c6c054b4 444928 comm optional asterisk-voicemail-imapstorage_13.1.0~dfsg-1.1_amd64.deb
 2284b245c2c75001cd843c18d185fdaa 434390 comm optional asterisk-voicemail-odbcstorage_13.1.0~dfsg-1.1_amd64.deb
 6cf89e07c14c56aab13bc46b895d75ff 428262 comm optional asterisk-voicemail_13.1.0~dfsg-1.1_amd64.deb
 176526e48512e5d25a0282612083f32a 368876 comm optional asterisk-vpb_13.1.0~dfsg-1.1_amd64.deb
 e05a8965916b73c574ce97e3acb89934 1756830 comm optional asterisk_13.1.0~dfsg-1.1_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 09 Aug 2015 07:24:58 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 15:31:36 2019; Machine Name: beach
