Your message dated Sat, 02 Sep 2017 21:04:16 +0000 with message-id <[email protected]> and subject line Bug#873908: fixed in asterisk 1:13.17.1~dfsg-1 has caused the Debian Bug report #873908, regarding asterisk: CVE-2017-14100: AST-2017-006: Shell access command injection inapp_minivm to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact [email protected] immediately.) -- 873908: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=873908 Debian Bug Tracking System Contact [email protected] with problems
--- Begin Message ---Package: src:asterisk Severity: important Tags: security Asterisk Project Security Advisory - AST-2017-006 Product Asterisk Summary Shell access command injection in app_minivm Nature of Advisory Unauthorized command execution Susceptibility Remote Authenticated Sessions Severity Moderate Exploits Known No Reported On July 1, 2017 Reported By Corey Farrell Posted On Last Updated On July 11, 2017 Advisory Contact Richard Mudgett <rmudgett AT digium DOT com> CVE Name Description The app_minivm module has an “externnotify†program configuration option that is executed by the MinivmNotify dialplan application. The application uses the caller-id name and number as part of a built string passed to the OS shell for interpretation and execution. Since the caller-id name and number can come from an untrusted source, a crafted caller-id name or number allows an arbitrary shell command injection. Resolution Patched Asterisk’s app_minivm module to use a different system call that passes argument strings in an array instead of having the OS shell determine the application parameter boundaries. Affected Versions Product Release Series Asterisk Open Source 11.x All releases Asterisk Open Source 13.x All releases Asterisk Open Source 14.x All releases Certified Asterisk 11.6 All releases Certified Asterisk 13.13 All releases Corrected In Product Release Asterisk Open Source 11.25.2, 13.17.1, 14.6.1 Certified Asterisk 11.6-cert17, 13.13-cert5 Patches SVN URL Revision http://downloads.asterisk.org/pub/security/AST-2017-006-11.diff Asterisk 11 http://downloads.asterisk.org/pub/security/AST-2017-006-13.diff Asterisk 13 http://downloads.asterisk.org/pub/security/AST-2017-006-14.diff Asterisk 14 http://downloads.asterisk.org/pub/security/AST-2017-006-11.6.diff Certified Asterisk 11.6 http://downloads.asterisk.org/pub/security/AST-2017-006-13.13.diff Certified Asterisk 13.13 Links https://issues.asterisk.org/jira/browse/ASTERISK-27103 Asterisk Project Security Advisories are posted at http://www.asterisk.org/security This document may be superseded by later versions; if so, the latest version will be posted at http://downloads.digium.com/pub/security/AST-2017-006.pdf and http://downloads.digium.com/pub/security/AST-2017-006.html Revision History Date Editor Revisions Made July 11, 2017 Richard Mudgett Initial document created Asterisk Project Security Advisory - AST-2017-006 Copyright © 2017 Digium, Inc. All Rights Reserved. Permission is hereby granted to distribute and publish this advisory in its original, unaltered form.
--- End Message ---
--- Begin Message ---Source: asterisk Source-Version: 1:13.17.1~dfsg-1 We believe that the bug you reported is fixed in the latest version of asterisk, which is due to be installed in the Debian FTP archive. A summary of the changes between this version and the previous one is attached. Thank you for reporting the bug, which will now be closed. If you have further comments please address them to [email protected], and the maintainer will reopen the bug report if appropriate. Debian distribution maintenance software pp. Bernhard Schmidt <[email protected]> (supplier of updated asterisk package) (This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing [email protected]) -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Format: 1.8 Date: Sat, 02 Sep 2017 22:34:09 +0200 Source: asterisk Binary: asterisk asterisk-modules asterisk-dahdi asterisk-vpb asterisk-voicemail asterisk-voicemail-imapstorage asterisk-voicemail-odbcstorage asterisk-ooh323 asterisk-mp3 asterisk-mysql asterisk-mobile asterisk-tests asterisk-doc asterisk-dev asterisk-config Architecture: source Version: 1:13.17.1~dfsg-1 Distribution: unstable Urgency: high Maintainer: Debian VoIP Team <[email protected]> Changed-By: Bernhard Schmidt <[email protected]> Description: asterisk - Open Source Private Branch Exchange (PBX) asterisk-config - Configuration files for Asterisk asterisk-dahdi - DAHDI devices support for the Asterisk PBX asterisk-dev - Development files for Asterisk asterisk-doc - Source code documentation for Asterisk asterisk-mobile - Bluetooth phone support for the Asterisk PBX asterisk-modules - loadable modules for the Asterisk PBX asterisk-mp3 - MP3 playback support for the Asterisk PBX asterisk-mysql - MySQL database protocol support for the Asterisk PBX asterisk-ooh323 - H.323 protocol support for the Asterisk PBX - ooH323c asterisk-tests - internal test modules of the Asterisk PBX asterisk-voicemail - simple voicemail support for the Asterisk PBX asterisk-voicemail-imapstorage - IMAP voicemail storage support for the Asterisk PBX asterisk-voicemail-odbcstorage - ODBC voicemail storage support for the Asterisk PBX asterisk-vpb - VoiceTronix devices support for the Asterisk PBX Closes: 873907 873908 873909 Changes: asterisk (1:13.17.1~dfsg-1) unstable; urgency=high . * New upstream version 13.17.1, fixing three CVEs - CVE-2017-14099 / AST-2017-005 Media takeover in RTP stack ("RTP bleed") (Closes: #873907) - CVE-2017-14100 / AST-2017-006 Shell access command injection in app_minivm (Closes: #873908) - CVE-2017-14098 / AST-2017-007 Remote Crash Vulerability in res_pjsip (Closes: #873909) Checksums-Sha1: 585568086378cc058e946cb922a082a2664f2873 4268 asterisk_13.17.1~dfsg-1.dsc adb89838e59308fe05bc60693bf01df6b8cfb2f4 6227588 asterisk_13.17.1~dfsg.orig.tar.xz 4401b3804b6f69ef0686266b9b452e1649baabef 168376 asterisk_13.17.1~dfsg-1.debian.tar.xz 4b26a0714b0c6f46df9910656391e2a00d0faab9 27034 asterisk_13.17.1~dfsg-1_amd64.buildinfo Checksums-Sha256: 754e2320c060563da2ae69f5948aaff41abca712d94759fd7f40cf3e3de01144 4268 asterisk_13.17.1~dfsg-1.dsc c508880b2ee165016074d75347aa2df00fc88a730db7dc1a8cf1b895e9e8a3ad 6227588 asterisk_13.17.1~dfsg.orig.tar.xz 9722c7c60709d1ddc26d866d3283213f6797b6f7ab9a180dc51fd7c7219af6ec 168376 asterisk_13.17.1~dfsg-1.debian.tar.xz 05f498e47a90b1fa6f81964062c76511d37d333152620e16e5f42ca60bf8e23c 27034 asterisk_13.17.1~dfsg-1_amd64.buildinfo Files: 869d4a0e0654952f2555b89be8d05062 4268 comm optional asterisk_13.17.1~dfsg-1.dsc a1a52404f8938ede9204750c6f5b69db 6227588 comm optional asterisk_13.17.1~dfsg.orig.tar.xz e97d792679034e7a0a29ffb7538a192d 168376 comm optional asterisk_13.17.1~dfsg-1.debian.tar.xz 3c9577153eb8824c2ee7fea8df17bade 27034 comm optional asterisk_13.17.1~dfsg-1_amd64.buildinfo -----BEGIN PGP SIGNATURE----- iQJFBAEBCAAvFiEE1uAexRal3873GVbTd1B55bhQvJMFAlmrF64RHGJlcm5pQGRl Ymlhbi5vcmcACgkQd1B55bhQvJP4/w/+OZb8R2GFu1pkJQ5ZqMrtHx+IZNNM8wTL 6sb3N1b+tAEe9Nb7pARwb100+wyib3S0uIo78kad3VLvXaDGpMjmJVsSptRd0Qy/ M9PNW7vojmXdJTRc5jxbiwhWpKpX1kaq1VIWXhJo/mxVEhaAt15pzbt47heEqyo2 BmzOtGHONyGQG+m9tO4IPIWcpDsgXFc8i5+loROw/WyGxI2k57pJh3jDhPsOMLoN PySDya/Peqi+q60Iy3IHeXDvt39vgTEMUo48fG1PC2Sy6zntN0IIYl/oKmlRZ453 tNQzGYZbxX08fqMMQf7mtvpPcGmYZNdZD5ogthA0uW1MKoQM5h6S+ah/pz52HrDn fSwlwXtRvdYwQkGu8jBv2crerhly0C5pyiK7+CDYoTdRittTH5O1uQP6c5H0hV5C GVKMbG877rbPrI2N1sFXDggM9T1zJ/c73HqC6ecB9DG+jcxdidju9lV4sYJWw9cM b6j9AOwXW6uWZhXZJP+1jxsib0f1acNT0NyHjHASXlbv5lZPVwtpIkg7Ed89fH/k V0SSMrpF2ZA49aUdcff7BcesDqwYcDCJBDaEewzFJYzRleUtMQmImJKXd4f1c5uA O0zCPja7RPRQHpVQOxqUxZfUqDCJR6oWPhLuMJBMsJH3vKHoqnfpDjmxxMR8izEd YN2nioAGtFQ= =5py3 -----END PGP SIGNATURE-----
--- End Message ---
