Debian Bug report logs - #1014976
asterisk: CVE-2022-24764 CVE-2022-24763 CVE-2022-24786 CVE-2022-24792 CVE-2022-24793

Reported by: Moritz Mühlenhoff <jmm@inutil.org>

Date: Fri, 15 Jul 2022 15:27:01 UTC

Severity: grave

Tags: security, upstream



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>:
Bug#1014976; Package src:asterisk. (Fri, 15 Jul 2022 15:27:04 GMT)


Acknowledgement sent to Moritz Mühlenhoff <jmm@inutil.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>. (Fri, 15 Jul 2022 15:27:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Moritz Mühlenhoff <jmm@inutil.org>
To: submit@bugs.debian.org
Subject: asterisk: CVE-2022-24764 CVE-2022-24763 CVE-2022-24786 CVE-2022-24792 CVE-2022-24793
Date: Fri, 15 Jul 2022 17:23:36 +0200
Source: asterisk
X-Debbugs-CC: team@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for asterisk.

CVE-2022-24764[0]:
| PJSIP is a free and open source multimedia communication library
| written in C. Versions 2.12 and prior contain a stack buffer overflow
| vulnerability that affects PJSUA2 users or users that call the API
| `pjmedia_sdp_print(), pjmedia_sdp_media_print()`. Applications that do
| not use PJSUA2 and do not directly call `pjmedia_sdp_print()` or
| `pjmedia_sdp_media_print()` should not be affected. A patch is
| available on the `master` branch of the `pjsip/pjproject` GitHub
| repository. There are currently no known workarounds.

https://github.com/pjsip/pjproject/security/advisories/GHSA-f5qg-pqcg-765m
https://github.com/pjsip/pjproject/commit/560a1346f87aabe126509bb24930106dea292b00

CVE-2022-24763[1]:
| PJSIP is a free and open source multimedia communication library
| written in the C language. Versions 2.12 and prior contain a denial-
| of-service vulnerability that affects PJSIP users that consume PJSIP's
| XML parsing in their apps. Users are advised to update. There are no
| known workarounds.

https://github.com/pjsip/pjproject/security/advisories/GHSA-5x45-qp78-g4p4
https://github.com/pjsip/pjproject/commit/856f87c2e97a27b256482dbe0d748b1194355a21

CVE-2022-24786[2]:
| PJSIP is a free and open source multimedia communication library
| written in C. PJSIP versions 2.12 and prior do not parse incoming RTCP
| feedback RPSI (Reference Picture Selection Indication) packets, but any
| app that directly uses pjmedia_rtcp_fb_parse_rpsi() will be affected.
| A patch is available in the `master` branch of the `pjsip/pjproject`
| GitHub repository. There are currently no known workarounds.

https://github.com/pjsip/pjproject/security/advisories/GHSA-vhxv-phmx-g52q
https://github.com/pjsip/pjproject/commit/11559e49e65bdf00922ad5ae28913ec6a198d508

CVE-2022-24792[3]:
| PJSIP is a free and open source multimedia communication library
| written in C. A denial-of-service vulnerability affects applications
| on 32-bit systems that use PJSIP versions 2.12 and prior to
| play/read invalid WAV files. The vulnerability occurs when reading WAV
| file data chunks with length greater than 31-bit integers. The
| vulnerability does not affect 64-bit apps and should not affect apps
| that only play trusted WAV files. A patch is available on the
| `master` branch of the `pjsip/pjproject` GitHub repository. As a
| workaround, apps can reject a WAV file received from an unknown source
| or validate the file first.

https://github.com/pjsip/pjproject/security/advisories/GHSA-rwgw-vwxg-q799
https://github.com/pjsip/pjproject/commit/947bc1ee6d05be10204b918df75a503415fd3213

CVE-2022-24793[4]:
| PJSIP is a free and open source multimedia communication library
| written in C. A buffer overflow vulnerability in versions 2.12 and
| prior affects applications that use PJSIP DNS resolution. It doesn't
| affect PJSIP users who utilize an external resolver. A patch is
| available in the `master` branch of the `pjsip/pjproject` GitHub
| repository. A workaround is to disable DNS resolution in PJSIP config
| (by setting `nameserver_count` to zero) or use an external resolver
| instead.

https://github.com/pjsip/pjproject/security/advisories/GHSA-p6g5-v97c-w5q4
https://github.com/pjsip/pjproject/commit/9fae8f43accef8ea65d4a8ae9cdf297c46cfe29a

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-24764
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24764
[1] https://security-tracker.debian.org/tracker/CVE-2022-24763
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24763
[2] https://security-tracker.debian.org/tracker/CVE-2022-24786
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24786
[3] https://security-tracker.debian.org/tracker/CVE-2022-24792
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24792
[4] https://security-tracker.debian.org/tracker/CVE-2022-24793
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24793

Please adjust the affected versions in the BTS as needed.
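The workaround quoted above for CVE-2022-24792, rejecting or validating a WAV file before playing it, as an added example in C that is not part of this bug report or of pjproject: it walks the RIFF chunk list of a file already read into memory and refuses any chunk whose declared length does not fit in a signed 32-bit integer or runs past the end of the buffer, so a 32-bit reader can never see a negative length. `wav_validate`, `build_wav`, `check_sample` and the error codes are this example's own names, and the sample file is constructed in memory, not a real recording.

```c
/* Added example (not pjproject or Debian code): pre-validation of a WAV file
 * held in memory, following the "validate the file first" workaround given
 * for CVE-2022-24792. Every RIFF length must fit in 31 bits and inside the
 * bytes actually present. All names here are the example's own. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

enum wav_check {
    WAV_OK = 0,
    WAV_TOO_SHORT,       /* shorter than a RIFF/WAVE header */
    WAV_BAD_MAGIC,       /* "RIFF" or "WAVE" marker missing */
    WAV_CHUNK_TOO_LARGE, /* a length does not fit in a signed 32-bit integer */
    WAV_CHUNK_TRUNCATED, /* a length runs past the end of the buffer */
    WAV_NO_FMT_OR_DATA   /* well-formed, but no usable fmt or data chunk */
};

static uint32_t get32(const unsigned char *p) /* little-endian read */
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void put32(unsigned char *p, uint32_t v) /* little-endian write */
{
    p[0] = (unsigned char)v;         p[1] = (unsigned char)(v >> 8);
    p[2] = (unsigned char)(v >> 16); p[3] = (unsigned char)(v >> 24);
}

/* Walk every chunk of the RIFF container; WAV_OK only if all lengths are sane. */
enum wav_check wav_validate(const unsigned char *buf, size_t len)
{
    const uint32_t limit = 0x7FFFFFFFu; /* largest non-negative 32-bit value */
    size_t pos = 12;
    int seen_fmt = 0, seen_data = 0;

    if (len < 12)
        return WAV_TOO_SHORT;
    if (memcmp(buf, "RIFF", 4) != 0 || memcmp(buf + 8, "WAVE", 4) != 0)
        return WAV_BAD_MAGIC;
    /* The RIFF length counts everything after its own 8-byte header. */
    if (get32(buf + 4) > limit)
        return WAV_CHUNK_TOO_LARGE;
    if ((size_t)get32(buf + 4) > len - 8)
        return WAV_CHUNK_TRUNCATED;

    while (pos + 8 <= len) {
        uint32_t size = get32(buf + pos + 4);
        size_t body = pos + 8;

        if (size > limit)
            return WAV_CHUNK_TOO_LARGE;
        if ((size_t)size > len - body)
            return WAV_CHUNK_TRUNCATED;
        if (memcmp(buf + pos, "fmt ", 4) == 0)
            seen_fmt = 1;
        else if (memcmp(buf + pos, "data", 4) == 0)
            seen_data = 1;
        /* RIFF chunks are word-aligned: an odd-length body carries one pad byte. */
        pos = body + size + (size & 1u);
    }
    return (seen_fmt && seen_data) ? WAV_OK : WAV_NO_FMT_OR_DATA;
}

/* Constructed sample, not a real recording: a minimal 16-bit mono PCM WAV whose
 * data chunk declares `data_field` bytes while `data_bytes` are actually
 * appended, so a caller can forge an inconsistent header. `out` must hold
 * 44 + data_bytes bytes; returns the total length written. */
size_t build_wav(unsigned char *out, uint32_t data_field, size_t data_bytes)
{
    static const unsigned char fmt_body[16] = {
        1, 0, 1, 0,        /* PCM, 1 channel */
        0x40, 0x1F, 0, 0,  /* 8000 Hz */
        0x80, 0x3E, 0, 0,  /* 16000 bytes/s */
        2, 0, 16, 0        /* block align 2, 16 bits/sample */
    };
    size_t total = 44 + data_bytes;

    memcpy(out, "RIFF", 4);      put32(out + 4, (uint32_t)(total - 8));
    memcpy(out + 8, "WAVE", 4);
    memcpy(out + 12, "fmt ", 4); put32(out + 16, 16);
    memcpy(out + 20, fmt_body, 16);
    memcpy(out + 36, "data", 4); put32(out + 40, data_field);
    memset(out + 44, 0, data_bytes);
    return total;
}

/* Build one sample in a local buffer and return the validator's verdict. */
enum wav_check check_sample(uint32_t data_field, size_t data_bytes)
{
    unsigned char buf[128];
    if (data_bytes > sizeof buf - 44)
        data_bytes = sizeof buf - 44;
    return wav_validate(buf, build_wav(buf, data_field, data_bytes));
}
```

Run `wav_validate` over the whole file before handing its path to the media library: a consistent header (`check_sample(4, 4)`) returns WAV_OK, a data chunk declaring 0xFFFFFFFF bytes returns WAV_CHUNK_TOO_LARGE, and a declared length longer than the remaining bytes returns WAV_CHUNK_TRUNCATED. The check is deliberately stricter than the container format requires: streaming writers sometimes leave the data length at 0xFFFFFFFF, and such files are rejected here rather than guessed at, which is the trade-off the quoted workaround asks for.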



Added tag(s) upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 15 Jul 2022 18:51:03 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Jul 16 13:15:59 2022; Machine Name: bembo
