Debian Bug report logs -
#891228
asterisk: CVE-2018-7286: AST-2018-005: Crash when large numbers of TCP connections are closed suddenly
Reported by: Salvatore Bonaccorso <carnil@debian.org>
Date: Fri, 23 Feb 2018 15:15:02 UTC
Severity: grave
Tags: patch, security, upstream
Found in versions asterisk/1:13.14.1~dfsg-1, asterisk/1:13.18.5~dfsg-1
Fixed in versions asterisk/1:13.20.0~dfsg-1, asterisk/1:13.14.1~dfsg-2+deb9u4
Done: Bernhard Schmidt <berni@debian.org>
Bug is archived. No further changes may be made.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>:
Bug#891228; Package src:asterisk.
(Fri, 23 Feb 2018 15:15:10 GMT) (full text, mbox, link).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>.
(Fri, 23 Feb 2018 15:15:10 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Source: asterisk
Version: 1:13.18.5~dfsg-1
Severity: grave
Tags: patch security upstream
Hi,
the following vulnerability was published for asterisk.
CVE-2018-7286[0]:
| An issue was discovered in Asterisk through 13.19.1, 14.x through
| 14.7.5, and 15.x through 15.2.1, and Certified Asterisk through
| 13.18-cert2. res_pjsip allows remote authenticated users to crash
| Asterisk (segmentation fault) by sending a number of SIP INVITE
| messages on a TCP or TLS connection and then suddenly closing the
| connection.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2018-7286
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7286
[1] http://downloads.asterisk.org/pub/security/AST-2018-005.html
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
Marked as found in versions asterisk/1:13.14.1~dfsg-1.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Fri, 23 Feb 2018 20:06:03 GMT) (full text, mbox, link).
Reply sent
to Bernhard Schmidt <berni@debian.org>:
You have taken responsibility.
(Tue, 03 Apr 2018 12:36:07 GMT) (full text, mbox, link).
Notification sent
to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer.
(Tue, 03 Apr 2018 12:36:07 GMT) (full text, mbox, link).
Message #12 received at 891228-close@bugs.debian.org (full text, mbox, reply):
Source: asterisk
Source-Version: 1:13.20.0~dfsg-1
We believe that the bug you reported is fixed in the latest version of
asterisk, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 891228@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Bernhard Schmidt <berni@debian.org> (supplier of updated asterisk package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Tue, 03 Apr 2018 10:59:20 +0200
Source: asterisk
Binary: asterisk asterisk-modules asterisk-dahdi asterisk-vpb asterisk-voicemail asterisk-voicemail-imapstorage asterisk-voicemail-odbcstorage asterisk-ooh423 asterisk-mp3 asterisk-mysql asterisk-mobile asterisk-tests asterisk-doc asterisk-dev asterisk-config
Architecture: source
Version: 1:13.20.0~dfsg-1
Distribution: unstable
Urgency: medium
Maintainer: Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>
Changed-By: Bernhard Schmidt <berni@debian.org>
Description:
asterisk - Open Source Private Branch Exchange (PBX)
asterisk-config - Configuration files for Asterisk
asterisk-dahdi - DAHDI devices support for the Asterisk PBX
asterisk-dev - Development files for Asterisk
asterisk-doc - Source code documentation for Asterisk
asterisk-mobile - Bluetooth phone support for the Asterisk PBX
asterisk-modules - loadable modules for the Asterisk PBX
asterisk-mp3 - MP3 playback support for the Asterisk PBX
asterisk-mysql - MySQL database protocol support for the Asterisk PBX
asterisk-ooh423 - H.323 protocol support for the Asterisk PBX - ooH323c
asterisk-tests - internal test modules of the Asterisk PBX
asterisk-voicemail - simple voicemail support for the Asterisk PBX
asterisk-voicemail-imapstorage - IMAP voicemail storage support for the Asterisk PBX
asterisk-voicemail-odbcstorage - ODBC voicemail storage support for the Asterisk PBX
asterisk-vpb - VoiceTronix devices support for the Asterisk PBX
Closes: 891227 891228
Changes:
asterisk (1:13.20.0~dfsg-1) unstable; urgency=medium
.
* New upstream version 13.20.0 (Closes: #891227, #891228)
* Reorganize upstream GPG keys
- Split individual signing keys in separate files
- Add new key for Ben Ford <bford@digium.com>: 0x073B0C1FC9B2E352
- Add new key for Joshua Colp <jcolp@digium.com>:
0xCDBEE4CC699E200EB4D46BB79E76E3A42341CE04
* Fix missing/broken Closes: in previous changelog
* Install realtime database schema into asterisk-doc
* Point Vcs-* to salsa
Checksums-Sha1:
b552791e29e539d5147d2a597ce1397c6431588b 4239 asterisk_13.20.0~dfsg-1.dsc
a3fdada38e44765370c3c77cad24f688abec1b92 6275676 asterisk_13.20.0~dfsg.orig.tar.xz
93ce3bfc83fdadfe6545f643aced8239d832b1e9 136328 asterisk_13.20.0~dfsg-1.debian.tar.xz
4a929b8f51be364bd64fe882bbe2ed7b930916a6 27997 asterisk_13.20.0~dfsg-1_amd64.buildinfo
Checksums-Sha256:
94773b221c73a63491e050b26214e901a4338abfff4dcbe6fc48a1a8566a96ef 4239 asterisk_13.20.0~dfsg-1.dsc
e90da610ebeadb1cc5924a58b5bf962d3d660dcf0a2b7862504a6cc4e7e14d66 6275676 asterisk_13.20.0~dfsg.orig.tar.xz
dad474a3483519aa1983156e80f9dc7410958d8d347962a1e5dc822e613b06bd 136328 asterisk_13.20.0~dfsg-1.debian.tar.xz
64ac712184a00fc354ae017fd86e4f237f61a1c6ea641ab22f89f08ccdb7584c 27997 asterisk_13.20.0~dfsg-1_amd64.buildinfo
Files:
e8a3da57b2a48aa64c789c692aae58a8 4239 comm optional asterisk_13.20.0~dfsg-1.dsc
5794d9b469ed78fa0c2234129249d041 6275676 comm optional asterisk_13.20.0~dfsg.orig.tar.xz
6598b3f0655200952dcd83a625db06dc 136328 comm optional asterisk_13.20.0~dfsg-1.debian.tar.xz
af9b05c2e1b1a0266dd3daa31e298f30 27997 comm optional asterisk_13.20.0~dfsg-1_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
iQJFBAEBCgAvFiEE1uAexRal3873GVbTd1B55bhQvJMFAlrDcZ0RHGJlcm5pQGRl
Ymlhbi5vcmcACgkQd1B55bhQvJPQsQ//bPjCE9rZ0Jq6e2G9FxfKZQ8gKk5OFtnk
n9EK1Teezoqkrp4H09iKVPL4OIkz3cCwJJRqzZd506vVBoqyVcUuhxXQs50kE2Va
SJ+FY03zGNoajAmjJLkGBe35dxnABCmHMtFtoODubNBVB2+Bn4lO//Voz+b9Bmoa
QMCs1OkefHmnF2AcJkaf9E8GadM3FqPjr0NkoW/JP1h/tBRnA5clX/qNHO6rMUCI
nuwaZCAneuFRmxXtbUSvBGapObssenzyIFHU/HjWJSQxjexL5wDc8rVzg9ZUdBuh
4+izVe5ICHCbrBaRBfClG2rp4WtsfZxZ4Csylsb1j6ORmyyMvG+CEoSchjTnqvNR
oRb2RQzJr9odwPTaRLho0TPXflrmna80ByOSyuKbxmY/bgKjxGlAE+eZDk68Evvb
JjJKd+Dpl/VLXTvhlw+QeQF93R7E/mLVxMAteqrBhYzrMNUX/H+7vvauvoElczan
OYNqyP8Euy1CgJk7aeJYeqO6JEOrL+g3H8SYJRBlneaUdly7P/MVeB4TwGRwlryZ
ob2ikFTtGBljJg2j4LXpklrNRoRVdxmkeAOSOmz+gLAELa+h/mjPsqMybhxmPdYL
6ZkqKHOqBOeDuB+9Dn2CBjZGD0zhUWmLSa5FKKun5EnFHoOfdvkL+oQaIKINkFB6
1CD4hW+9YXU=
=rU52
-----END PGP SIGNATURE-----
Reply sent
to Bernhard Schmidt <berni@debian.org>:
You have taken responsibility.
(Sat, 20 Oct 2018 09:48:35 GMT) (full text, mbox, link).
Notification sent
to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer.
(Sat, 20 Oct 2018 09:48:35 GMT) (full text, mbox, link).
Message #17 received at 891228-close@bugs.debian.org (full text, mbox, reply):
Source: asterisk
Source-Version: 1:13.14.1~dfsg-2+deb9u4
We believe that the bug you reported is fixed in the latest version of
asterisk, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 891228@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Bernhard Schmidt <berni@debian.org> (supplier of updated asterisk package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sun, 30 Sep 2018 23:24:10 +0200
Source: asterisk
Binary: asterisk asterisk-modules asterisk-dahdi asterisk-vpb asterisk-voicemail asterisk-voicemail-imapstorage asterisk-voicemail-odbcstorage asterisk-ooh423 asterisk-mp3 asterisk-mysql asterisk-mobile asterisk-doc asterisk-dev asterisk-config
Architecture: source
Version: 1:13.14.1~dfsg-2+deb9u4
Distribution: stretch-security
Urgency: medium
Maintainer: Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>
Changed-By: Bernhard Schmidt <berni@debian.org>
Description:
asterisk - Open Source Private Branch Exchange (PBX)
asterisk-config - Configuration files for Asterisk
asterisk-dahdi - DAHDI devices support for the Asterisk PBX
asterisk-dev - Development files for Asterisk
asterisk-doc - Source code documentation for Asterisk
asterisk-mobile - Bluetooth phone support for the Asterisk PBX
asterisk-modules - loadable modules for the Asterisk PBX
asterisk-mp3 - MP3 playback support for the Asterisk PBX
asterisk-mysql - MySQL database protocol support for the Asterisk PBX
asterisk-ooh423 - H.323 protocol support for the Asterisk PBX - ooH323c
asterisk-voicemail - simple voicemail support for the Asterisk PBX
asterisk-voicemail-imapstorage - IMAP voicemail storage support for the Asterisk PBX
asterisk-voicemail-odbcstorage - ODBC voicemail storage support for the Asterisk PBX
asterisk-vpb - VoiceTronix devices support for the Asterisk PBX
Closes: 891227 891228 902954 909554
Changes:
asterisk (1:13.14.1~dfsg-2+deb9u4) stretch-security; urgency=medium
.
* AST-2018-004 / CVE-2018-7284: Crash when receiving SUBSCRIBE request
(Closes: #891227)
* AST-2018-005 / CVE-2018-7286: Crash when large numbers of TCP connections
are closed suddenly (Closes: #891228)
* AST-2018-008 / CVE-2018-12227: PJSIP endpoint presence disclosure when
using ACL (Closes: #902954)
* AST-2018-009 / CVE-2018-17281: Remote crash vulnerability in HTTP
websocket upgrade (Closes: #909554)
Checksums-Sha1:
9a3d0f011044550d59f6bf8e2923c431397c4e2e 4133 asterisk_13.14.1~dfsg-2+deb9u4.dsc
d5d169d9367ec8d67cc3aa9f07fed12d0400c050 154060 asterisk_13.14.1~dfsg-2+deb9u4.debian.tar.xz
64bbea1c48356a6dd0c687a3b1fcc939388260af 27619 asterisk_13.14.1~dfsg-2+deb9u4_amd64.buildinfo
Checksums-Sha256:
fae9d4d830d8c45e6c294a27db8c8133bb84671e60a29876416abce9cabdc878 4133 asterisk_13.14.1~dfsg-2+deb9u4.dsc
4a2bbbcd52004c4b3a5a829335737871f0f316cc5998f303b74243858c252255 154060 asterisk_13.14.1~dfsg-2+deb9u4.debian.tar.xz
ca23a882cdb0309c2f412598a28cddb950cdecae8acf80bb7d311b4332ac9301 27619 asterisk_13.14.1~dfsg-2+deb9u4_amd64.buildinfo
Files:
8a617142c87fedca32b83bee1dab0c83 4133 comm optional asterisk_13.14.1~dfsg-2+deb9u4.dsc
e6fe8549c46eefceb013bd4ff2fba769 154060 comm optional asterisk_13.14.1~dfsg-2+deb9u4.debian.tar.xz
b7e962fcb77a55234f6e21e240ede4b0 27619 comm optional asterisk_13.14.1~dfsg-2+deb9u4_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
iQJFBAEBCgAvFiEE1uAexRal3873GVbTd1B55bhQvJMFAlvDtFkRHGJlcm5pQGRl
Ymlhbi5vcmcACgkQd1B55bhQvJOXlA//Wa/OyyBpgrTSLo0jtgPuvvkzQaUjai8Q
m00ggHJWacLlNj5fFHzUthWuoC26Sy31QziXfBoUBiJ/T8IMOruNh4cs5F0Uw/qA
14PO9irEivgq1aGzPMqJLMXiZofpJU3dz4Jm9hsGCZwtY9SX4k9UroMZYPxaUbIm
wCJ7c+ALOjv1U+aTDTWDQg8h4t1G6MdyBpaughVkuddfx0Sgxf17DNrbq1+OKpTC
P8Z7PAijrWZPuxMyvEkbF5UgbU4B3Kw28kymSMdJhMRHNEuAyE4EmDlnifSwo5a3
Z3O+lW8eN4Y+HhuwPQW+ILdzG/wM8LwBvtMxoF7dSxnh4kg7gWPO9LaQsmuhZoyn
bVrMmRG4M1hryu/1fUh45wH+xuY3ajYJ0G8LXhenyAILyazmI8PKwj7ZGr0JZCl7
bTKLU1rZ/DTuebMG3J6nw6+uykAezWClg/KI5jaZEchxv9eMg2HEigG7wGbDydwh
YmkD7h6NmpM2tw+7+DOoCJvtZWgNAY3vc+9dApGGDJeUVfDV1KfQPF7aSMCHKhF7
2WL9tpvVStVAvKUQUHKyz517eHPVE4GeejLVnwdB9kF2C0koEzfUbY5cFO1wW8Q0
Dt2/LKqa1W452g1iJadnDmIRx2Ry0rWXHQOOk74x3us+w6HLgp5AeAHbwbKecADa
UTCgAhtIYE8=
=m3FA
-----END PGP SIGNATURE-----
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Sun, 18 Nov 2018 07:26:31 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 13:54:20 2019;
Machine Name:
buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.
Vulmon