Debian Bug report logs - #873909
asterisk: CVE-2017-14098: AST-2017-007: Remote Crash Vulnerability in res_pjsip
Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>: Bug#873909; Package src:asterisk. (Fri, 01 Sep 2017 06:33:09 GMT)
Acknowledgement sent to Bernhard Schmidt <berni@debian.org>: New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>. (Fri, 01 Sep 2017 06:33:09 GMT)

Message #5 received at submit@bugs.debian.org:
Package: src:asterisk
Severity: important
Tags: security
Asterisk Project Security Advisory - AST-2017-007

Product: Asterisk
Summary: Remote Crash Vulnerability in res_pjsip
Nature of Advisory: Denial of Service
Susceptibility: Remote Unauthenticated Sessions
Severity: Moderate
Exploits Known: No
Reported On: August 30, 2017
Reported By: Ross Beer
Posted On:
Last Updated On: August 30, 2017
Advisory Contact: George Joseph <gjoseph AT digium DOT com>
CVE Name:
Description: A carefully crafted URI in a From, To or Contact header could cause Asterisk to crash.
Resolution: Patched pjsip_message_ip_updater to properly ignore the trigger URI.

Affected Versions
Product                Release Series
Asterisk Open Source   13.15.0
Asterisk Open Source   14.4.0

Corrected In
Product                Release
Asterisk Open Source   13.17.1, 14.6.1

Patches
SVN URL                                                          Revision
http://downloads.asterisk.org/pub/security/AST-2017-007-13.diff  Asterisk 13
http://downloads.asterisk.org/pub/security/AST-2017-007-14.diff  Asterisk 14

Links: https://issues.asterisk.org/jira/browse/ASTERISK-27152

Asterisk Project Security Advisories are posted at http://www.asterisk.org/security
This document may be superseded by later versions; if so, the latest version will be posted at http://downloads.digium.com/pub/security/.pdf and http://downloads.digium.com/pub/security/.html

Revision History
Date             Editor          Revisions Made
August 30, 2017  George Joseph   Initial document created

Copyright (c) 2017 Digium, Inc. All Rights Reserved.
Permission is hereby granted to distribute and publish this advisory in its original, unaltered form.
Marked as found in versions asterisk/1:13.17.0~dfsg-1. Request was from Bernhard Schmidt <berni@debian.org> to control@bugs.debian.org. (Fri, 01 Sep 2017 06:39:08 GMT)
Added tag(s) fixed-upstream and upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 01 Sep 2017 06:45:07 GMT)
Changed Bug title to 'asterisk: CVE-2017-14098: AST-2017-007: Remote Crash Vulnerability in res_pjsip' from 'AST-2017-007: Remote Crash Vulnerability in res_pjsip'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 02 Sep 2017 17:15:04 GMT)
Reply sent to Bernhard Schmidt <berni@debian.org>: You have taken responsibility. (Sat, 02 Sep 2017 21:18:28 GMT)
Notification sent to Bernhard Schmidt <berni@debian.org>: Bug acknowledged by developer. (Sat, 02 Sep 2017 21:18:28 GMT)

Message #18 received at 873909-close@bugs.debian.org:
Source: asterisk
Source-Version: 1:13.17.1~dfsg-1
We believe that the bug you reported is fixed in the latest version of
asterisk, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 873909@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Bernhard Schmidt <berni@debian.org> (supplier of updated asterisk package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Sat, 02 Sep 2017 22:34:09 +0200
Source: asterisk
Binary: asterisk asterisk-modules asterisk-dahdi asterisk-vpb asterisk-voicemail asterisk-voicemail-imapstorage asterisk-voicemail-odbcstorage asterisk-ooh423 asterisk-mp3 asterisk-mysql asterisk-mobile asterisk-tests asterisk-doc asterisk-dev asterisk-config
Architecture: source
Version: 1:13.17.1~dfsg-1
Distribution: unstable
Urgency: high
Maintainer: Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>
Changed-By: Bernhard Schmidt <berni@debian.org>
Description:
asterisk - Open Source Private Branch Exchange (PBX)
asterisk-config - Configuration files for Asterisk
asterisk-dahdi - DAHDI devices support for the Asterisk PBX
asterisk-dev - Development files for Asterisk
asterisk-doc - Source code documentation for Asterisk
asterisk-mobile - Bluetooth phone support for the Asterisk PBX
asterisk-modules - loadable modules for the Asterisk PBX
asterisk-mp3 - MP3 playback support for the Asterisk PBX
asterisk-mysql - MySQL database protocol support for the Asterisk PBX
asterisk-ooh423 - H.323 protocol support for the Asterisk PBX - ooH323c
asterisk-tests - internal test modules of the Asterisk PBX
asterisk-voicemail - simple voicemail support for the Asterisk PBX
asterisk-voicemail-imapstorage - IMAP voicemail storage support for the Asterisk PBX
asterisk-voicemail-odbcstorage - ODBC voicemail storage support for the Asterisk PBX
asterisk-vpb - VoiceTronix devices support for the Asterisk PBX
Closes: 873907 873908 873909
Changes:
 asterisk (1:13.17.1~dfsg-1) unstable; urgency=high
 .
   * New upstream version 13.17.1, fixing three CVEs
     - CVE-2017-14099 / AST-2017-005
       Media takeover in RTP stack ("RTP bleed") (Closes: #873907)
     - CVE-2017-14100 / AST-2017-006
       Shell access command injection in app_minivm (Closes: #873908)
     - CVE-2017-14098 / AST-2017-007
       Remote Crash Vulnerability in res_pjsip (Closes: #873909)
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 01 Oct 2017 07:25:32 GMT)
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified: Wed Jun 19 18:54:09 2019; Machine Name: beach

Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.