
Debian Bug report logs - #909554
asterisk: CVE-2018-17281: Remote crash vulnerability in HTTP websocket upgrade


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Tue, 25 Sep 2018 05:27:01 UTC

Severity: grave

Tags: security, upstream

Found in versions asterisk/1:13.22.0~dfsg-2, asterisk/1:13.14.1~dfsg-1

Fixed in versions asterisk/1:13.23.1~dfsg-1, asterisk/1:13.14.1~dfsg-2+deb9u4

Done: Bernhard Schmidt <berni@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>:
Bug#909554; Package src:asterisk. (Tue, 25 Sep 2018 05:27:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>. (Tue, 25 Sep 2018 05:27:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: asterisk: CVE-2018-17281: Remote crash vulnerability in HTTP websocket upgrade
Date: Tue, 25 Sep 2018 07:23:24 +0200
Source: asterisk
Version: 1:13.22.0~dfsg-2
Severity: grave
Tags: security upstream

Hi,

The following vulnerability was published for asterisk.

CVE-2018-17281[0]:
| There is a stack consumption vulnerability in the
| res_http_websocket.so module of Asterisk through 13.23.0, 14.7.x
| through 14.7.7, and 15.x through 15.6.0 and Certified Asterisk through
| 13.21-cert2. It allows an attacker to crash Asterisk via a specially
| crafted HTTP request to upgrade the connection to a websocket.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-17281
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17281
[1] http://downloads.asterisk.org/pub/security/AST-2018-009.html
[2] https://issues.asterisk.org/jira/browse/ASTERISK-28013

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Marked as found in versions asterisk/1:13.14.1~dfsg-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 25 Sep 2018 05:33:02 GMT)


Reply sent to Bernhard Schmidt <berni@debian.org>:
You have taken responsibility. (Tue, 25 Sep 2018 09:33:09 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Tue, 25 Sep 2018 09:33:09 GMT)


Message #12 received at 909554-close@bugs.debian.org:

From: Bernhard Schmidt <berni@debian.org>
To: 909554-close@bugs.debian.org
Subject: Bug#909554: fixed in asterisk 1:13.23.1~dfsg-1
Date: Tue, 25 Sep 2018 09:04:13 +0000
Source: asterisk
Source-Version: 1:13.23.1~dfsg-1

We believe that the bug you reported is fixed in the latest version of
asterisk, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 909554@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Bernhard Schmidt <berni@debian.org> (supplier of updated asterisk package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Tue, 25 Sep 2018 09:59:08 +0200
Source: asterisk
Binary: asterisk asterisk-modules asterisk-dahdi asterisk-vpb asterisk-voicemail asterisk-voicemail-imapstorage asterisk-voicemail-odbcstorage asterisk-ooh423 asterisk-mp3 asterisk-mysql asterisk-mobile asterisk-tests asterisk-doc asterisk-dev asterisk-config
Architecture: source
Version: 1:13.23.1~dfsg-1
Distribution: unstable
Urgency: medium
Maintainer: Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>
Changed-By: Bernhard Schmidt <berni@debian.org>
Description:
 asterisk   - Open Source Private Branch Exchange (PBX)
 asterisk-config - Configuration files for Asterisk
 asterisk-dahdi - DAHDI devices support for the Asterisk PBX
 asterisk-dev - Development files for Asterisk
 asterisk-doc - Source code documentation for Asterisk
 asterisk-mobile - Bluetooth phone support for the Asterisk PBX
 asterisk-modules - loadable modules for the Asterisk PBX
 asterisk-mp3 - MP3 playback support for the Asterisk PBX
 asterisk-mysql - MySQL database protocol support for the Asterisk PBX
 asterisk-ooh423 - H.323 protocol support for the Asterisk PBX - ooH323c
 asterisk-tests - internal test modules of the Asterisk PBX
 asterisk-voicemail - simple voicemail support for the Asterisk PBX
 asterisk-voicemail-imapstorage - IMAP voicemail storage support for the Asterisk PBX
 asterisk-voicemail-odbcstorage - ODBC voicemail storage support for the Asterisk PBX
 asterisk-vpb - VoiceTronix devices support for the Asterisk PBX
Closes: 909554
Changes:
 asterisk (1:13.23.1~dfsg-1) unstable; urgency=medium
 .
   * New upstream version 13.23.1~dfsg
     - CVE-2018-17281 / AST-2018-009 (Closes: #909554)
       Remote crash vulnerability in HTTP websocket upgrade
   * Add lintian overrides for modules





Reply sent to Bernhard Schmidt <berni@debian.org>:
You have taken responsibility. (Sat, 20 Oct 2018 09:48:37 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sat, 20 Oct 2018 09:48:37 GMT)


Message #17 received at 909554-close@bugs.debian.org:

From: Bernhard Schmidt <berni@debian.org>
To: 909554-close@bugs.debian.org
Subject: Bug#909554: fixed in asterisk 1:13.14.1~dfsg-2+deb9u4
Date: Sat, 20 Oct 2018 09:47:08 +0000
Source: asterisk
Source-Version: 1:13.14.1~dfsg-2+deb9u4

We believe that the bug you reported is fixed in the latest version of
asterisk, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 909554@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Bernhard Schmidt <berni@debian.org> (supplier of updated asterisk package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Sun, 30 Sep 2018 23:24:10 +0200
Source: asterisk
Binary: asterisk asterisk-modules asterisk-dahdi asterisk-vpb asterisk-voicemail asterisk-voicemail-imapstorage asterisk-voicemail-odbcstorage asterisk-ooh423 asterisk-mp3 asterisk-mysql asterisk-mobile asterisk-doc asterisk-dev asterisk-config
Architecture: source
Version: 1:13.14.1~dfsg-2+deb9u4
Distribution: stretch-security
Urgency: medium
Maintainer: Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>
Changed-By: Bernhard Schmidt <berni@debian.org>
Description:
 asterisk   - Open Source Private Branch Exchange (PBX)
 asterisk-config - Configuration files for Asterisk
 asterisk-dahdi - DAHDI devices support for the Asterisk PBX
 asterisk-dev - Development files for Asterisk
 asterisk-doc - Source code documentation for Asterisk
 asterisk-mobile - Bluetooth phone support for the Asterisk PBX
 asterisk-modules - loadable modules for the Asterisk PBX
 asterisk-mp3 - MP3 playback support for the Asterisk PBX
 asterisk-mysql - MySQL database protocol support for the Asterisk PBX
 asterisk-ooh423 - H.323 protocol support for the Asterisk PBX - ooH323c
 asterisk-voicemail - simple voicemail support for the Asterisk PBX
 asterisk-voicemail-imapstorage - IMAP voicemail storage support for the Asterisk PBX
 asterisk-voicemail-odbcstorage - ODBC voicemail storage support for the Asterisk PBX
 asterisk-vpb - VoiceTronix devices support for the Asterisk PBX
Closes: 891227 891228 902954 909554
Changes:
 asterisk (1:13.14.1~dfsg-2+deb9u4) stretch-security; urgency=medium
 .
   * AST-2018-004 / CVE-2018-7284: Crash when receiving SUBSCRIBE request
     (Closes: #891227)
   * AST-2018-005 / CVE-2018-7286: Crash when large numbers of TCP connections
     are closed suddenly (Closes: #891228)
   * AST-2018-008 / CVE-2018-12227: PJSIP endpoint presence disclosure when
     using ACL (Closes: #902954)
   * AST-2018-009 / CVE-2018-17281: Remote crash vulnerability in HTTP
     websocket upgrade (Closes: #909554)





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 18 Nov 2018 07:28:40 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 16:26:48 2019; Machine Name: beach
