[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

[SECURITY] [DLA 2969-1] asterisk security update



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian LTS Advisory DLA-2969-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                          Abhijith PA
April 03, 2022                                https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package        : asterisk
Version        : 1:13.14.1~dfsg-2+deb9u6
CVE ID         : CVE-2019-13161 CVE-2019-18610 CVE-2019-18790 CVE-2019-18976 
                 CVE-2020-28242 

Multiple security issues were discovered in asterisk, an Open Source 
Private Branch Exchange (PBX). 

CVE-2019-13161

    A pointer dereference in chan_sip while handling SDP negotiation 
    allows an attacker to crash Asterisk

CVE-2019-18610

    A remote authenticated Asterisk Manager Interface (AMI) user 
    without system authorization could use a specially crafted 
    Originate AMI request to execute arbitrary system commands 

CVE-2019-18790

    A SIP request can be sent to Asterisk that can change a SIP peer's 
    IP address. A REGISTER does not need to occur, and calls can be 
    hijacked as a result. The only thing that needs to be known is the 
    peer's name; authentication details such as passwords do not need 
    to be known. This vulnerability is only exploitable when the nat 
    option is set to the default, or auto_force_rport.

CVE-2019-18976

    A NULL pointer dereference and crash will occur when asterisk 
    receives a re-invite initiating T.38 faxing and has a port of 0 
    and no c line in the SDP

CVE-2020-28242

    If Asterisk is challenged on an outbound INVITE and the nonce is 
    changed in each response, Asterisk will continually send INVITEs 
    in a loop. This causes Asterisk to consume more and more memory 
    since the transaction will never terminate (even if the call is 
    hung up), ultimately leading to a restart or shutdown of Asterisk

For Debian 9 stretch, these problems have been fixed in version
1:13.14.1~dfsg-2+deb9u6.

We recommend that you upgrade your asterisk packages.

For the detailed security status of asterisk please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/asterisk

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEE7xPqJqaY/zX9fJAuhj1N8u2cKO8FAmJJNyUACgkQhj1N8u2c
KO9wrQ/8Ch7nPJrAS3Zr4TMeETjAaEOJ1oTg2VFo96SVhOGMhveqDCBpF2sj5U19
IzbXlK6zqgS4lM/xdvQQ7z5RuDuctIJ3/c8GKVDWbwpqY+AFNaDLhm+a8YHrLmVr
kn2w10BdqTMH2q/ZsXHjAyiLcwAzGjQ879ByPt7heMSydZitJ+6BRICkExiJUtA4
hH/6UL1yFpLd4nisCa060Les7k4xf0uWknuGdcOi2beuAL6qheObsx3qEZ+vsQl6
VCBPBcSDpH0XTduvxLDDqt5TQp6bh5lUxzjGDMNXHmdvYkS5adT+oDtNGNn4ZCaq
V6g1zkCkpwZGijG0//SY3F8LOqjNbWimQnlY2K82hj1WejtdLXMa9eFV4Fk8Ir6E
GVsl7z67i770rCFYDfVFaMMD0aclwocpgfpCPteYHBfE1773CQs60b8yigLxoGw9
XT+VaPJY/e+ZXOGvENB2MVXvc0pB3RfqwFikfJXdPrN2V9Ye6ZLwYT7xjjlQ9ECj
abxBIBCmD0zHN1Q/w454oGgC9DCYLeFaXIq9PzTUCPb2wQt2y1PvaXTvq6ZgFBtB
hBJvTFbuBh/Xihk9A95a6kRjONZmOpxI0uIcCUL7DARsh6c+jvHZNR2zEglbdzpF
V4zR6nbyeecficAtJIoqBfOvNgX8+EC7EwjPxQ3yc/ON9HMgytY=
=O97K
-----END PGP SIGNATURE-----


Reply to: