
[SECURITY] [DLA 781-1] asterisk security update



Package        : asterisk
Version        : 1:1.8.13.1~dfsg1-3+deb7u5
CVE ID         : CVE-2014-2287 CVE-2016-7551
Debian Bug     : 838832 741313

Two security vulnerabilities were discovered in Asterisk, an Open
Source PBX and telephony toolkit.

CVE-2014-2287

    channels/chan_sip.c in Asterisk, when chan_sip has a certain
    configuration, allows remote authenticated users to cause a denial
    of service (channel and file descriptor consumption) via an INVITE
    request with a (1) Session-Expires or (2) Min-SE header with a
    malformed or invalid value.
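
A defensive check for the condition described in CVE-2014-2287, as an added example (not part of the advisory or of Asterisk's code): it validates the Session-Expires and Min-SE values of an INVITE against the RFC 4028 grammar so that malformed ones can be logged or rejected in front of the PBX. The function names, the sample messages and the 10-digit cap on delta-seconds are assumptions made for illustration.

```python
import re

# Header names from RFC 4028; "x" is the compact form of Session-Expires.
TIMER_HEADERS = {"session-expires": "Session-Expires", "x": "Session-Expires",
                 "min-se": "Min-SE"}
MIN_SESSION_EXPIRES = 90   # RFC 4028 absolute minimum for Session-Expires
MAX_DIGITS = 10            # assumed sanity cap (covers a 32-bit delta-seconds)
PARAM_RE = re.compile(r"^[\w.!%*+`'~-]+(=[^;\s]+)?$")  # token[=value]

def check_timer_value(name, value):
    """Return a reason string if the header value is malformed, else None."""
    delta, *params = [part.strip() for part in value.split(";")]
    if not (delta.isascii() and delta.isdigit()):
        return "delta-seconds is not a decimal integer"
    if len(delta) > MAX_DIGITS:
        return "delta-seconds out of range"
    if name == "Session-Expires" and int(delta) < MIN_SESSION_EXPIRES:
        return "Session-Expires below the 90 second minimum"
    for param in params:
        if not PARAM_RE.match(param):
            return "malformed parameter"
        key, _, val = param.partition("=")
        if (name == "Session-Expires" and key.lower() == "refresher"
                and val.lower() not in ("uac", "uas")):
            return "invalid refresher parameter"
    return None

def audit_invite(raw):
    """Return [(header, value, reason)] for bad timer headers in an INVITE."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = head.split("\n")
    if not lines[0].startswith("INVITE "):
        return []          # only INVITE requests are in scope here
    findings = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        canonical = TIMER_HEADERS.get(name.strip().lower())
        if sep and canonical:
            reason = check_timer_value(canonical, value.strip())
            if reason:
                findings.append((canonical, value.strip(), reason))
    return findings

# Constructed sample messages (not captured traffic).
GOOD = ("INVITE sip:200@pbx.example.test SIP/2.0\r\n"
        "Session-Expires: 1800;refresher=uac\r\nMin-SE: 90\r\n\r\n")
BAD = ("INVITE sip:200@pbx.example.test SIP/2.0\r\n"
       "Session-Expires: soon\r\nMin-SE: -1\r\n\r\n")

if __name__ == "__main__":
    for header, value, reason in audit_invite(BAD):
        print(f"{header}: {value!r} -> {reason}")
```
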

CVE-2016-7551

    The overlap dialing feature in chan_sip allows chan_sip to report
    to a device that the number that has been dialed is incomplete and
    more digits are required. If this functionality is used with a
    device that has performed username/password authentication, RTP
    resources are leaked. This occurs because the code fails to release
    the old RTP resources before allocating new ones in this scenario.
    If all resources are used, RTP port exhaustion occurs and no RTP
    sessions can be set up.

For Debian 7 "Wheezy", these problems have been fixed in version
1:1.8.13.1~dfsg1-3+deb7u5.

We recommend that you upgrade your asterisk packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS