
[SECURITY] [DLA 1122-1] asterisk security update



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Package        : asterisk
Version        : 1:1.8.13.1~dfsg1-3+deb7u7
CVE ID         : CVE-2017-14100
Debian Bug     : 873908

A security vulnerability was discovered in Asterisk, an Open
Source PBX and telephony toolkit, that may lead to unauthorized
command execution.

The app_minivm module has an "externnotify" program configuration option
that is executed by the MinivmNotify dialplan application. The
application uses the caller-id name and number as part of a built
string passed to the OS shell for interpretation and execution. Since
the caller-id name and number can come from an untrusted source, a
crafted caller-id name or number allows an arbitrary shell command
injection.
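
The pattern described above, as an added example that is not Asterisk's code or the Debian patch: a simplified shell-string builder next to a shell-free `execv` call that passes each field as one argv element. The function names, `/bin/echo` as a stand-in notify program, and the caller-id values are assumptions constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Vulnerable pattern (simplified): untrusted fields are pasted into one string
 * that a shell later parses, so ';' or '`' in a caller-id becomes shell syntax.
 * The string is only built here, never executed. */
int build_shell_string(char *out, size_t n, const char *prog,
                       const char *cidname, const char *cidnum)
{
    return snprintf(out, n, "%s %s %s", prog, cidname, cidnum);
}

/* Hardened pattern: no shell. Each field is exactly one argv element, so
 * metacharacters reach the program as literal bytes. The child's stdout is
 * captured into out; returns the child's exit status, or -1 on error. */
int run_notify_argv(const char *prog, const char *cidname,
                    const char *cidnum, char *out, size_t n)
{
    int fds[2], status;
    size_t used = 0;
    ssize_t r;
    if (n == 0 || pipe(fds) != 0) return -1;
    pid_t pid = fork();
    if (pid < 0) { close(fds[0]); close(fds[1]); return -1; }
    if (pid == 0) {                       /* child */
        char *argv[] = { (char *)prog, (char *)cidname, (char *)cidnum, NULL };
        dup2(fds[1], STDOUT_FILENO);
        close(fds[0]); close(fds[1]);
        execv(prog, argv);                /* absolute path, no PATH lookup */
        _exit(127);                       /* exec failed */
    }
    close(fds[1]);
    while (used + 1 < n && (r = read(fds[0], out + used, n - 1 - used)) > 0)
        used += (size_t)r;
    out[used] = '\0';
    close(fds[0]);
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    const char *name = "Alice; echo INJECTED";   /* constructed caller-id */
    char buf[256];
    build_shell_string(buf, sizeof buf, "/bin/echo", name, "5551234");
    printf("a shell would parse: %s\n", buf);
    run_notify_argv("/bin/echo", name, "5551234", buf, sizeof buf);
    printf("argv exec printed:   %s", buf);
}
```

With the argv form the semicolon is printed back as part of the first argument instead of ending the command.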

For Debian 7 "Wheezy", this problem has been fixed in version
1:1.8.13.1~dfsg1-3+deb7u7.

We recommend that you upgrade your asterisk packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

