Debian Bug report logs - #931981
asterisk: CVE-2019-13161: AST-2019-003: Remote Crash Vulnerability in chan_sip channel driver
Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>: Bug#931981; Package asterisk. (Sat, 13 Jul 2019 08:57:09 GMT)

Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>: New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>. (Sat, 13 Jul 2019 08:57:09 GMT)

Message #5 received at submit@bugs.debian.org:

Package: asterisk
Version: 1:16.2.1~dfsg-1
Severity: important
Tags: security upstream
Forwarded: https://issues.asterisk.org/jira/browse/ASTERISK-28465

Hi,

The following vulnerability was published for asterisk.

CVE-2019-13161[0]:
| An issue was discovered in Asterisk Open Source through 13.27.0, 14.x
| and 15.x through 15.7.2, and 16.x through 16.4.0, and Certified
| Asterisk through 13.21-cert3. A pointer dereference in chan_sip while
| handling SDP negotiation allows an attacker to crash Asterisk when
| handling an SDP answer to an outgoing T.38 re-invite. To exploit this
| vulnerability an attacker must cause the chan_sip module to send a
| T.38 re-invite request to them. Upon receipt, the attacker must send
| an SDP answer containing both a T.38 UDPTL stream and another media
| stream containing only a codec (which is not permitted according to
| the chan_sip configuration).

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-13161
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13161
[1] https://issues.asterisk.org/jira/browse/ASTERISK-28465
[2] https://downloads.asterisk.org/pub/security/AST-2019-003.html

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
Reply sent to Bernhard Schmidt <berni@debian.org>: You have taken responsibility. (Sat, 13 Jul 2019 22:21:08 GMT)

Notification sent to Salvatore Bonaccorso <carnil@debian.org>: Bug acknowledged by developer. (Sat, 13 Jul 2019 22:21:08 GMT)

Message #10 received at 931981-close@bugs.debian.org:

Source: asterisk
Source-Version: 1:16.2.1~dfsg-2

We believe that the bug you reported is fixed in the latest version of
asterisk, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 931981@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Bernhard Schmidt <berni@debian.org> (supplier of updated asterisk package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 13 Jul 2019 23:47:36 +0200
Source: asterisk
Architecture: source
Version: 1:16.2.1~dfsg-2
Distribution: unstable
Urgency: high
Maintainer: Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>
Changed-By: Bernhard Schmidt <berni@debian.org>
Closes: 931980 931981
Changes:
 asterisk (1:16.2.1~dfsg-2) unstable; urgency=high
 .
   * AST-2019-002 / CVE-2019-12827
     Buffer overflow in res_pjsip_messaging (Closes: #931980)
   * AST-2019-003 / CVE-2019-13161
     Remote Crash Vulnerability in chan_sip (Closes: #931981)
Checksums-Sha1:
cdbeb14a663de46f57f9e4a3cf613d0d354f6c54 4232 asterisk_16.2.1~dfsg-2.dsc
817209bff2e126e4127114361f3791a93bc48b01 3764716 asterisk_16.2.1~dfsg-2.debian.tar.xz
f9e25407c92b65a324f81f080a84763f83931939 26875 asterisk_16.2.1~dfsg-2_amd64.buildinfo
Checksums-Sha256:
b90c39aea64e831356f3126673fe6f46189f7008717d68df8d5d887a4169694d 4232 asterisk_16.2.1~dfsg-2.dsc
45a2a8d75c929eb140126e10c9d58507a738d3153504110227b5aab025217a9e 3764716 asterisk_16.2.1~dfsg-2.debian.tar.xz
124729ccb0a84a44ac04178dbd6b7d36118ceefe2b23a95243a879e6ab4cc90c 26875 asterisk_16.2.1~dfsg-2_amd64.buildinfo
Files:
a75d6fa387b94da189220bdc9596ad08 4232 comm optional asterisk_16.2.1~dfsg-2.dsc
62ad0dc7550aeed7d522fc42c384e333 3764716 comm optional asterisk_16.2.1~dfsg-2.debian.tar.xz
86ea61de1e041a3b39105357f86c945d 26875 comm optional asterisk_16.2.1~dfsg-2_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
Last modified: Sun Jul 14 11:21:11 2019; Machine Name: buxtehude