[SECURITY] [DSA 5438-1] asterisk security update

To: debian-security-announce@lists.debian.org
Subject: [SECURITY] [DSA 5438-1] asterisk security update
From: Markus Koschany <apo@debian.org>
Date: Thu, 22 Jun 2023 21:52:51 +0000
Message-id: <[🔎] ZJTCswIozRjRIXaa@seger.debian.org>
Reply-to: debian-security-announce-request@lists.debian.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian Security Advisory DSA-5438-1                   security@debian.org
https://www.debian.org/security/                          Markus Koschany
June 22, 2023                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : asterisk
CVE ID         : CVE-2023-27585
Debian Bug     : 1036697

A flaw was found in Asterisk, an Open Source Private Branch Exchange. A
buffer overflow vulnerability affects users that use PJSIP DNS resolver.
This vulnerability is related to CVE-2022-24793. The difference is that
this issue is in parsing the query record `parse_query()`, while the issue
in CVE-2022-24793 is in `parse_rr()`. A workaround is to disable DNS
resolution in PJSIP config (by setting `nameserver_count` to zero) or use
an external resolver implementation instead.

For the oldstable distribution (bullseye), this problem has been fixed
in version 1:16.28.0~dfsg-0+deb11u3.

We recommend that you upgrade your asterisk packages.

For the detailed security status of asterisk please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/asterisk

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEErPPQiO8y7e9qGoNf2a0UuVE7UeQFAmSUwnRfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEFD
RjNEMDg4RUYzMkVERUY2QTFBODM1RkQ5QUQxNEI5NTEzQjUxRTQACgkQ2a0UuVE7
UeRsCxAAuFfItEe6Gyu5VcJqSzHQpy+kfbBD1F6msFf7GnNzx4WiJssF5b4eVC4h
Im6N4tW6S3YfoymUC4chFy9ifeH10HMruAlWik+h4v/TLEaeBps4UF6JmUkF8ra4
ML3NT+vkdaLlFF7jtcDyTZXc0Vhy2wQ51EABX8bd7vUp39UObhZZw6+wJjrT6tCc
P7wwMEOkoUCrg3llX/yvtpHqJiYo6yLrtEaoPpLvl2up6cx9FRvuK7E1B2hhPu0H
oULxjphtz3Xmccw5kViC7zIo588GXCqIQW0/t6Uh0pYT1aWpWAfViMlpOtZx+Pff
pvFJy8Vizyp3MQ3yVZSOMrz68uOenXUkh9BbrdMw8AHbZgk/j8mKFbQhGJNfB209
8BcmibGF3fPr0g6Ux6dGXlWUF1fMeuChmo5dylZhxmI4/M6wd5sqpHv4+RiEOM4X
lROdlRQVToHIBGbwGvFAD7hiv6/wjmOXuY1NafqzCTyX1awMgKcQPqjPrUo1ugWy
IQayIG2RhSKC/x8fUn1fr5+kA/KjvjH7pLtlvr2MWhOWV5ryUtuXdqGp5YWGZV5D
2gA2sGeeGJgmAZfnzW6iY7/EZcLTnF1uWHGEk5cN/FQIObpqTqmSU2KOYWWmUOOV
LAbko9P1aLCUNjj1WOzOMy29nbGBINnQquyW2DkhoaTYW6jjmPc=
=SDbp
-----END PGP SIGNATURE-----

Reply to:

Prev by Date: [SECURITY] [DSA 5435-2] trafficserver security update
Next by Date: [SECURITY] [DSA 5439-1] bind9 security update
Previous by thread: [SECURITY] [DSA 5435-2] trafficserver security update
Next by thread: [SECURITY] [DSA 5439-1] bind9 security update
Index(es):
- Date
- Thread