Your message dated Mon, 23 Nov 2020 13:03:30 +0000
with message-id <[email protected]>
and subject line Bug#974712: fixed in asterisk 1:16.15.0~dfsg-1
has caused the Debian Bug report #974712,
regarding asterisk: CVE-2020-28327
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
974712: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=974712
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: asterisk
Version: 1:16.12.0~dfsg-1
Severity: important
Tags: security upstream
Forwarded: https://issues.asterisk.org/jira/browse/ASTERISK-29057
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for asterisk.

CVE-2020-28327[0]:
| A res_pjsip_session crash was discovered in Asterisk Open Source 13.x
| before 13.37.1, 16.x before 16.14.1, 17.x before 17.8.1, and 18.x
| before 18.0.1, and Certified Asterisk before 16.8-cert5. Upon
| receiving a new SIP Invite, Asterisk did not return the created dialog
| locked or referenced. This caused a gap between the creation of the
| dialog object, and its next use by the thread that created it.
| Depending on some off-nominal circumstances and timing, it was
| possible for another thread to free said dialog in this gap. Asterisk
| could then crash when the dialog object, or any of its dependent
| objects, were dereferenced or accessed next by the initial-creation
| thread. Note, however, that this crash can only occur when using a
| connection-oriented protocol (e.g., TCP or TLS, but not UDP) for SIP
| transport. Also, the remote client must be authenticated, or Asterisk
| must be configured for anonymous calling.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2020-28327
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28327
[1] https://issues.asterisk.org/jira/browse/ASTERISK-29057

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
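The CVE text above describes a reference-counting gap: the thread that creates a dialog gets it back without holding its own reference, so a concurrent cleanup can free it before the creator's next use. The following is an added toy model in C (not Asterisk code; the `dialog_t` type, the `live_dialogs` counter and the replay function are constructed for illustration) showing the vulnerable shape beside the fixed one, with the race replayed deterministically instead of with real threads:

```c
/* Added toy model (not Asterisk code) of the reference gap behind
 * CVE-2020-28327: a freshly created dialog is shared with other threads,
 * and the creator must leave holding its own reference. */
#include <stdatomic.h>
#include <stdbool.h>
#include <stdlib.h>

typedef struct dialog { atomic_int refs; int call_id; } dialog_t;
static atomic_int live_dialogs;            /* dialogs currently allocated */

static dialog_t *dialog_alloc(int call_id) {
    dialog_t *d = calloc(1, sizeof *d);
    if (!d) return NULL;
    atomic_init(&d->refs, 1);              /* reference owned by the registry */
    d->call_id = call_id;                  /* constructed sample field */
    atomic_fetch_add(&live_dialogs, 1);
    return d;
}
static void dialog_ref(dialog_t *d) { atomic_fetch_add(&d->refs, 1); }
static void dialog_unref(dialog_t *d) {
    if (atomic_fetch_sub(&d->refs, 1) == 1) {   /* last reference: destroy */
        atomic_fetch_sub(&live_dialogs, 1);
        free(d);
    }
}

/* Vulnerable shape: the pointer is returned with only the registry's
 * reference behind it, so a concurrent cleanup can free it before use. */
static dialog_t *create_dialog_unreferenced(int call_id) {
    return dialog_alloc(call_id);
}
/* Fixed shape: the creator takes its own reference before returning. */
static dialog_t *create_dialog_referenced(int call_id) {
    dialog_t *d = dialog_alloc(call_id);
    if (d) dialog_ref(d);
    return d;
}

/* Replay the gap: another thread drops the registry reference between
 * creation and the creator's next use. Returns true if the dialog is still
 * alive then; the freed case is detected via the counter, never by
 * touching the pointer, so the model itself has no undefined behaviour. */
static bool creator_use_is_safe(dialog_t *(*create)(int)) {
    dialog_t *d = create(42);
    if (!d) return false;
    dialog_unref(d);                       /* the other thread's cleanup */
    bool alive = atomic_load(&live_dialogs) > 0;
    if (alive) dialog_unref(d);            /* creator releases its reference */
    return alive;
}
```

With the fixed shape the cleanup thread's unref leaves the creator's reference intact and the object is only destroyed once the creator itself lets go; tools such as AddressSanitizer are the practical way to catch the real-thread version of the vulnerable shape.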
--- Begin Message ---
Source: asterisk
Source-Version: 1:16.15.0~dfsg-1
Done: Bernhard Schmidt <[email protected]>

We believe that the bug you reported is fixed in the latest version of
asterisk, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Bernhard Schmidt <[email protected]> (supplier of updated asterisk package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 23 Nov 2020 13:19:33 +0100
Source: asterisk
Architecture: source
Version: 1:16.15.0~dfsg-1
Distribution: unstable
Urgency: medium
Maintainer: Debian VoIP Team <[email protected]>
Changed-By: Bernhard Schmidt <[email protected]>
Closes: 974712 974713
Changes:
 asterisk (1:16.15.0~dfsg-1) unstable; urgency=medium
 .
   * New upstream version 16.15.0~dfsg. fixes to CVEs
     - CVE-2020-28327 / AST-2020-001 (Closes: #974712)
       Remote crash in res_pjsip_session
     - CVE-2020-28242 / AST-2020-002 (Closes: #974713)
       Outbound INVITE loop on challenge with different nonce


--- End Message ---