asterisk: CVE-2017-17090: DOS Vulnerability in Asterisk chan_skinny

Related Vulnerabilities: CVE-2017-17090  

Debian Bug report logs - #883342


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Sat, 2 Dec 2017 16:24:01 UTC

Severity: grave

Tags: fixed-upstream, security, upstream

Found in versions asterisk/1:13.18.1~dfsg-1, asterisk/1:11.13.1~dfsg-2

Fixed in version asterisk/1:13.18.3~dfsg-1

Done: Bernhard Schmidt <berni@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://issues.asterisk.org/jira/browse/ASTERISK-27452




Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>:
Bug#883342; Package src:asterisk. (Sat, 02 Dec 2017 16:24:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>. (Sat, 02 Dec 2017 16:24:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: submit@bugs.debian.org
Subject: asterisk: CVE-2017-17090: DOS Vulnerability in Asterisk chan_skinny
Date: Sat, 2 Dec 2017 17:10:07 +0100
Source: asterisk
Version: 1:13.18.1~dfsg-1
X-Debbugs-CC: team@security.debian.org secure-testing-team@lists.alioth.debian.org
Severity: grave
Tags: security fixed-upstream upstream
Forwarded: https://issues.asterisk.org/jira/browse/ASTERISK-27452

Hi,

the following vulnerability was published for asterisk.

CVE-2017-17090[0]:
| An issue was discovered in chan_skinny.c in Asterisk Open Source
| 13.18.2 and older, 14.7.2 and older, and 15.1.2 and older, and
| Certified Asterisk 13.13-cert7 and older. If the chan_skinny (aka SCCP
| protocol) channel driver is flooded with certain requests, it can cause
| the asterisk process to use excessive amounts of virtual memory,
| eventually causing asterisk to stop processing requests of any kind.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-17090
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17090
[1] https://issues.asterisk.org/jira/browse/ASTERISK-27452
[2] http://downloads.asterisk.org/pub/security/AST-2017-013.html

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
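Two checks a practitioner would want after reading the advisory text above: whether an installed Asterisk falls inside the affected ranges (13.18.2 and older, 14.7.2 and older, 15.1.2 and older, Certified 13.13-cert7 and older, with the Debian fix landing in 1:13.18.3~dfsg-1), and whether chan_skinny is loaded at all, since a PBX that serves no SCCP phones has no reason to expose the driver. The block below is an added example, not code from Debian, the Asterisk project, or the reporter. It assumes the `Asterisk <version>` line printed by `asterisk -V`, a `certified/13.13-cert7` style prefix for Certified builds (an assumption about output format), and a simplified reading of modules.conf (`autoload`, `load`, `preload`, `require`, `noload` lines; `;` comments).

```python
"""Added example (not Debian's or Asterisk's own code): decide whether an
Asterisk version is inside the CVE-2017-17090 / AST-2017-013 range and
whether modules.conf will load chan_skinny at all."""
import re
import subprocess
import sys
from typing import Tuple

# Inclusive upper bounds of the affected ranges, from the CVE text:
# 13.18.2, 14.7.2 and 15.1.2 "and older"; Certified 13.13-cert7 "and older".
# Anything below 13.x (e.g. the 1:11.13.1~dfsg-2 marked found in this bug)
# is older than 13.18.2 and is treated as affected.
AFFECTED_MAX = {13: (13, 18, 2), 14: (14, 7, 2), 15: (15, 1, 2)}
CERTIFIED_MAX = (13, 13, 7)

_VERSION_RE = re.compile(
    r"""^\s*(?:Asterisk\s+)?        # optional prefix as printed by 'asterisk -V'
        (?:\d+:)?                   # optional Debian epoch, e.g. '1:'
        (?:certified/)?             # Certified Asterisk prefix (assumed format)
        (?P<major>\d+)\.(?P<minor>\d+)
        (?:\.(?P<patch>\d+))?       # patch level is absent on certified builds
        (?:-cert(?P<certn>\d+))?    # e.g. '13.13-cert7'
    """, re.VERBOSE)


def parse_version(s: str) -> Tuple[bool, Tuple[int, int, int]]:
    """Return (is_certified, (major, minor, patch_or_certN)).

    Accepts upstream strings ('13.18.2'), 'asterisk -V' output
    ('Asterisk 13.18.2') and Debian package versions ('1:13.18.1~dfsg-1');
    whatever follows the numeric part ('~dfsg-1') is ignored."""
    m = _VERSION_RE.match(s)
    if not m:
        raise ValueError(f"unrecognised Asterisk version: {s!r}")
    major, minor = int(m["major"]), int(m["minor"])
    if m["certn"] is not None:
        return True, (major, minor, int(m["certn"]))
    return False, (major, minor, int(m["patch"] or 0))


def is_affected(version: str) -> bool:
    """True if the version is inside the ranges AST-2017-013 lists as affected."""
    certified, v = parse_version(version)
    if certified:
        return v <= CERTIFIED_MAX
    if v[0] < 13:
        return True                      # older than every fixed release
    bound = AFFECTED_MAX.get(v[0])
    return bound is not None and v <= bound   # 16+ branched after the fix


def skinny_loaded_by_config(modules_conf: str) -> bool:
    """Whether modules.conf will load chan_skinny.so.

    With autoload=yes (the default) every module not listed under 'noload'
    is loaded; with autoload=no only modules named in load/preload/require
    lines are. A 'noload' entry wins in both cases."""
    autoload, explicit, noload = True, False, False
    for raw in modules_conf.splitlines():
        line = raw.split(";", 1)[0].strip()     # ';' starts a comment
        if not line or line.startswith("["):
            continue
        key, _, val = line.partition("=")
        key, val = key.strip().lower(), val.lstrip(">").strip()
        if key == "autoload":
            autoload = val.lower() in ("yes", "true", "on", "1")
        elif val == "chan_skinny.so":
            if key == "noload":
                noload = True
            elif key in ("load", "preload", "require", "preload-require"):
                explicit = True
    return not noload and (autoload or explicit)


if __name__ == "__main__":
    # Check the local binary, or a version string given on the command line.
    if len(sys.argv) > 1:
        ver = sys.argv[1]
    else:
        ver = subprocess.run(["asterisk", "-V"], capture_output=True,
                             text=True, check=False).stdout.strip()
    print(ver, "-> affected by CVE-2017-17090" if is_affected(ver)
          else "-> not affected")
```

Run it with no arguments on the PBX host, or pass a version string such as `1:13.18.1~dfsg-1` from `dpkg -s asterisk`. Even on a fixed build, a `noload => chan_skinny.so` line in modules.conf removes the flood surface entirely when no SCCP endpoints are registered, which is the cheaper control where the driver is not needed.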



Marked as found in versions asterisk/1:11.13.1~dfsg-2. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 02 Dec 2017 20:15:02 GMT)


Reply sent to Bernhard Schmidt <berni@debian.org>:
You have taken responsibility. (Thu, 07 Dec 2017 15:09:08 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Thu, 07 Dec 2017 15:09:08 GMT)


Message #12 received at 883342-close@bugs.debian.org:

From: Bernhard Schmidt <berni@debian.org>
To: 883342-close@bugs.debian.org
Subject: Bug#883342: fixed in asterisk 1:13.18.3~dfsg-1
Date: Thu, 07 Dec 2017 15:04:08 +0000
Source: asterisk
Source-Version: 1:13.18.3~dfsg-1

We believe that the bug you reported is fixed in the latest version of
asterisk, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 883342@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Bernhard Schmidt <berni@debian.org> (supplier of updated asterisk package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 07 Dec 2017 15:20:29 +0100
Source: asterisk
Binary: asterisk asterisk-modules asterisk-dahdi asterisk-vpb asterisk-voicemail asterisk-voicemail-imapstorage asterisk-voicemail-odbcstorage asterisk-ooh423 asterisk-mp3 asterisk-mysql asterisk-mobile asterisk-tests asterisk-doc asterisk-dev asterisk-config
Architecture: source
Version: 1:13.18.3~dfsg-1
Distribution: unstable
Urgency: medium
Maintainer: Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>
Changed-By: Bernhard Schmidt <berni@debian.org>
Description:
 asterisk   - Open Source Private Branch Exchange (PBX)
 asterisk-config - Configuration files for Asterisk
 asterisk-dahdi - DAHDI devices support for the Asterisk PBX
 asterisk-dev - Development files for Asterisk
 asterisk-doc - Source code documentation for Asterisk
 asterisk-mobile - Bluetooth phone support for the Asterisk PBX
 asterisk-modules - loadable modules for the Asterisk PBX
 asterisk-mp3 - MP3 playback support for the Asterisk PBX
 asterisk-mysql - MySQL database protocol support for the Asterisk PBX
 asterisk-ooh423 - H.323 protocol support for the Asterisk PBX - ooH323c
 asterisk-tests - internal test modules of the Asterisk PBX
 asterisk-voicemail - simple voicemail support for the Asterisk PBX
 asterisk-voicemail-imapstorage - IMAP voicemail storage support for the Asterisk PBX
 asterisk-voicemail-odbcstorage - ODBC voicemail storage support for the Asterisk PBX
 asterisk-vpb - VoiceTronix devices support for the Asterisk PBX
Closes: 883342
Changes:
 asterisk (1:13.18.3~dfsg-1) unstable; urgency=medium
 .
   * New upstream version 13.18.3~dfsg
     - CVE-2017-17090 / AST-2017-013
       DOS Vulnerability in Asterisk chan_skinny (Closes: #883342)
   * Drop duplicate filter line from d/gbp.conf
Checksums-Sha1:
 8206f7a44506678906afab0e69876fffc132fcc0 4243 asterisk_13.18.3~dfsg-1.dsc
 e0b838e5478dfcdac0c20840ec9a77af021b7bf7 6274896 asterisk_13.18.3~dfsg.orig.tar.xz
 6711dddc4e56c7d9504e0be511e051988f3d73c8 168724 asterisk_13.18.3~dfsg-1.debian.tar.xz
 5bd0248bfe0bfc6758153afa3efe1300e03b3556 27544 asterisk_13.18.3~dfsg-1_amd64.buildinfo
Checksums-Sha256:
 871303540da6e8d0cbb9903159d8eab10126ee6849b0701d31c88034bb81303c 4243 asterisk_13.18.3~dfsg-1.dsc
 ef99e92fcd77d16e38bc213fcbc9c4d039077dd3a5996e6da33a953a3ba5690d 6274896 asterisk_13.18.3~dfsg.orig.tar.xz
 10d414b7adb51ac4c6fcd53c2921bbcd96dd4a46f5fb1c1b23ce438df82d74b1 168724 asterisk_13.18.3~dfsg-1.debian.tar.xz
 0720c4d45ec3c6605037bbc6245b2c9f0bd5d0ed198d184b3221e1672e59a5ef 27544 asterisk_13.18.3~dfsg-1_amd64.buildinfo
Files:
 932889e86128d672e5821c9cc7daa45b 4243 comm optional asterisk_13.18.3~dfsg-1.dsc
 59f6bde377425d2fcc535a5903d805b1 6274896 comm optional asterisk_13.18.3~dfsg.orig.tar.xz
 f21e6694b9cd142707955044c3530521 168724 comm optional asterisk_13.18.3~dfsg-1.debian.tar.xz
 19bed9820275d8ecae8c20c0c4fc2f6d 27544 comm optional asterisk_13.18.3~dfsg-1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQJFBAEBCgAvFiEE1uAexRal3873GVbTd1B55bhQvJMFAlopU24RHGJlcm5pQGRl
Ymlhbi5vcmcACgkQd1B55bhQvJNPvhAAgz7VTzJIFb+ss4u4Pheh7VCaDkafGbV9
qh0jGvILKZBTFLoHTanB8BPXv1lzgl65cMchV+8CcZ9W0uzLhZA2mQAUCC61ZorI
QHvdNse28xka93anfwZPjKVtdqLGSJfggIQzK+X2SYJbywBOuSwDpCzWVlqEKq5i
lPhZdH7wKbZQ1TJt4KZzP/XJjhPfFgcEVgiAmqmhjaDUNQdarYUQIkR4phUWooz5
gY2EniQDqED/etTyyPvADnIgczTZxKFAGSz+QiNyfOtPJahSkVz53pjnsiaRoyi1
QxY92qe3wYycyLagL4Z/OfCSI0XyjbsOqbcsdkVA355u9lgIpVI1KQqO9IoqFnFJ
YSRKEeTEbMf7goeyxHoxk9QfwcpcvTSkWsYlimAtfKxlPveR6IrNLr5wzhezrvN8
kIPHB+rSt1orRoZmTV538NfNjS6GGxgb4DRtVG9cB2I2GF6t8XF0s8SX0XX8H8pS
5qKhbqTO7izxrYG9XPGPhg8MPhXWkuk2Qkye2z4rqKYApZuYpyc76lreDQ0X2M4d
ogyAIUc4Ep3fiBfDkhzzBgYkNs5Yp4cuQR2RC0pl5lzK95fjrTD8dgUAMmoFhiY7
obKJI74deztRnKdsWFa3Sd6isVV0Vl/ae7gbb6gV5EB7lcO7YN0TUxt1DM854xVd
Gpiif/WetRU=
=VpEu
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 05 Jan 2018 07:27:02 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 19:08:40 2019; Machine Name: buxtehude
