asterisk: CVE-2023-49294

Related Vulnerabilities: CVE-2023-49294   CVE-2023-49786  

Debian Bug report logs - #1059032


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Tue, 19 Dec 2023 15:27:02 UTC

Severity: important

Tags: security, upstream

Found in version asterisk/1:20.5.0~dfsg+~cs6.13.40431414-1

Fixed in version asterisk/1:20.5.1~dfsg+~cs6.13.40431414-1

Done: Jonas Smedegaard <dr@jones.dk>



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>:
Bug#1059032; Package src:asterisk. (Tue, 19 Dec 2023 15:27:03 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>. (Tue, 19 Dec 2023 15:27:03 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: asterisk: CVE-2023-49294
Date: Tue, 19 Dec 2023 16:25:32 +0100
Source: asterisk
Version: 1:20.5.0~dfsg+~cs6.13.40431414-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>

Hi,

The following vulnerability was published for asterisk.

CVE-2023-49294[0]:
| Asterisk is an open source private branch exchange and telephony
| toolkit. In Asterisk prior to versions 18.20.1, 20.5.1, and 21.0.1,
| as well as certified-asterisk prior to 18.9-cert6, it is possible to
| read any arbitrary file even when the `live_dangerously` is not
| enabled. This allows arbitrary files to be read. Asterisk versions
| 18.20.1, 20.5.1, and 21.0.1, as well as certified-asterisk prior to
| 18.9-cert6, contain a fix for this issue.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-49294
    https://www.cve.org/CVERecord?id=CVE-2023-49294
[1] https://github.com/asterisk/asterisk/security/advisories/GHSA-8857-hfmw-vg8f
[2] https://github.com/asterisk/asterisk/commit/424be345639d75c6cb7d0bd2da5f0f407dbd0bd5

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Reply sent to Jonas Smedegaard <dr@jones.dk>:
You have taken responsibility. (Tue, 19 Dec 2023 17:51:05 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Tue, 19 Dec 2023 17:51:05 GMT)


Message #10 received at 1059032-close@bugs.debian.org:

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 1059032-close@bugs.debian.org
Subject: Bug#1059032: fixed in asterisk 1:20.5.1~dfsg+~cs6.13.40431414-1
Date: Tue, 19 Dec 2023 17:49:28 +0000
Source: asterisk
Source-Version: 1:20.5.1~dfsg+~cs6.13.40431414-1
Done: Jonas Smedegaard <dr@jones.dk>

We believe that the bug you reported is fixed in the latest version of
asterisk, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1059032@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jonas Smedegaard <dr@jones.dk> (supplier of updated asterisk package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Tue, 19 Dec 2023 17:38:11 +0100
Source: asterisk
Architecture: source
Version: 1:20.5.1~dfsg+~cs6.13.40431414-1
Distribution: unstable
Urgency: high
Maintainer: Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>
Changed-By: Jonas Smedegaard <dr@jones.dk>
Closes: 1025165 1059032 1059033
Changes:
 asterisk (1:20.5.1~dfsg+~cs6.13.40431414-1) unstable; urgency=high
 .
   [ upstream ]
   * new release
     + fixes these upstream bugs:
       CVE-2023-49294 CVE-2023-49786;
       closes: bug#1059032, #1059033, thanks to Salvatore Bonaccorso
 .
   [ Jonas Smedegaard ]
   * fix enable opus codec;
     build-depend on libopusenc-dev;
     closes: bug#1025165,
     thanks to Paweł Bogusławski, Faidon Liambotis and Athos Ribeiro
   * set urgency=high due to multiple security bugfixes






Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Dec 20 08:18:26 2023; Machine Name: bembo