Your message dated Fri, 07 Jun 2024 12:49:35 +0000
with message-id <e1sfz2f-001xzk...@fasolo.debian.org>
and subject line Bug#1059303: fixed in asterisk 1:20.8.1~dfsg+~cs6.14.40431414-1
has caused the Debian Bug report #1059303,
regarding asterisk: CVE-2023-37457 CVE-2023-38703
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1059303: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1059303
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: asterisk
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for asterisk.

CVE-2023-37457[0]:
| Asterisk is an open source private branch exchange and telephony
| toolkit. In Asterisk versions 18.20.0 and prior, 20.5.0 and prior,
| and 21.0.0; as well as certified-asterisk 18.9-cert5 and prior, the
| 'update' functionality of the PJSIP_HEADER dialplan function can
| exceed the available buffer space for storing the new value of a
| header. By doing so this can overwrite memory or cause a crash. This
| is not externally exploitable, unless dialplan is explicitly written
| to update a header based on data from an outside source. If the
| 'update' functionality is not used the vulnerability does not occur.
| A patch is available at commit
| a1ca0268254374b515fa5992f01340f7717113fa.

https://github.com/asterisk/asterisk/security/advisories/GHSA-98rc-4j27-74hh
https://github.com/asterisk/asterisk/commit/a1ca0268254374b515fa5992f01340f7717113fa

CVE-2023-38703[1]:
| PJSIP is a free and open source multimedia communication library
| written in C with high level API in C, C++, Java, C#, and Python
| languages. SRTP is a higher level media transport which is stacked
| upon a lower level media transport such as UDP and ICE. Currently a
| higher level transport is not synchronized with its lower level
| transport that may introduce use-after-free issue. This
| vulnerability affects applications that have SRTP capability
| (`PJMEDIA_HAS_SRTP` is set) and use underlying media transport other
| than UDP. This vulnerability’s impact may range from unexpected
| application termination to control flow hijack/memory corruption.
| The patch is available as a commit in the master branch.

https://github.com/pjsip/pjproject/security/advisories/GHSA-f76w-fh7c-pc66
https://github.com/pjsip/pjproject/commit/6dc9b8c181aff39845f02b4626e0812820d4ef0d (2.14)

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-37457
    https://www.cve.org/CVERecord?id=CVE-2023-37457
[1] https://security-tracker.debian.org/tracker/CVE-2023-38703
    https://www.cve.org/CVERecord?id=CVE-2023-38703

Please adjust the affected versions in the BTS as needed.

--- End Message ---
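The advisory for CVE-2023-37457 above makes the exploitability hinge on one precondition: a dialplan that feeds data from an outside source into the 'update' action of PJSIP_HEADER. As an added example (not code from the bug report, the advisory or the Asterisk project), the following Python scans an extensions.conf-style dialplan for exactly that pattern, a PJSIP_HEADER(update,...) whose new value is a ${...} expansion rather than a literal. The sample dialplan is constructed for this example; the scanner assumes the Set(PJSIP_HEADER(update,<header>)=<value>) form, does not evaluate what a variable ultimately contains, and a hit is a reason to prioritise the upgrade, not a substitute for it.

```python
import re

# Constructed sample extensions.conf fragment (written for this example; not from the
# Debian report, the advisory, or Asterisk's own documentation). It follows the common
# pattern of reading a header on the inbound leg and re-emitting it on the outbound
# leg from a pre-dial handler invoked through Dial()'s b() option.
SAMPLE_DIALPLAN = """\
[from-external]
exten => _X.,1,NoOp(Inbound call from ${CALLERID(num)})
 same => n,Set(__ORIG_SUBJECT=${PJSIP_HEADER(read,Subject)})
 same => n,Dial(PJSIP/${EXTEN}@trunk,30,b(outbound-handler^s^1))

[outbound-handler]
exten => s,1,Set(PJSIP_HEADER(add,X-Trace)=static-tag)
 same => n,Set(PJSIP_HEADER(update,Subject)=${ORIG_SUBJECT})
 same => n,Set(PJSIP_HEADER(update,X-Site)=pbx-01)
 same => n,Return()
"""

# Matches Set(PJSIP_HEADER(update,<header>[,<n>])=<value>) anywhere on a dialplan line.
UPDATE_RE = re.compile(
    r"Set\(\s*PJSIP_HEADER\(\s*update\s*,\s*([^,)]+)(?:,[^)]*)?\)\s*=\s*(.*)\)\s*$",
    re.IGNORECASE,
)
# Any ${...} expansion: a channel variable or a dialplan function result.
EXPANSION_RE = re.compile(r"\$\{")


def audit_header_updates(dialplan):
    """Return (line_no, header, value, tainted) for every PJSIP_HEADER update.

    `tainted` is True when the new value contains an expansion, i.e. it is not a
    literal typed by the administrator and may carry data from the remote party.
    """
    findings = []
    for line_no, raw in enumerate(dialplan.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith(";"):   # blank line or dialplan comment
            continue
        m = UPDATE_RE.search(line)
        if not m:
            continue
        header, value = m.group(1).strip(), m.group(2).strip()
        findings.append((line_no, header, value, bool(EXPANSION_RE.search(value))))
    return findings


def risky_updates(dialplan):
    """Only the updates whose value is derived from an expansion."""
    return [f for f in audit_header_updates(dialplan) if f[3]]


if __name__ == "__main__":
    for line_no, header, value, tainted in audit_header_updates(SAMPLE_DIALPLAN):
        flag = "RISKY" if tainted else "ok   "
        print(f"{flag} line {line_no}: PJSIP_HEADER(update,{header}) = {value}")
```

On the sample the scanner flags the Subject update (its value is the inbound Subject header, inherited onto the outbound channel) and leaves the literal X-Site update alone. Run it over the real extensions.conf of a host still on an affected version to decide whether the "not externally exploitable" clause in the advisory actually applies to that deployment.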
--- Begin Message ---
Source: asterisk
Source-Version: 1:20.8.1~dfsg+~cs6.14.40431414-1
Done: Jonas Smedegaard <d...@jones.dk>

We believe that the bug you reported is fixed in the latest version of
asterisk, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1059...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jonas Smedegaard <d...@jones.dk> (supplier of updated asterisk package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 07 Jun 2024 14:10:19 +0200
Source: asterisk
Architecture: source
Version: 1:20.8.1~dfsg+~cs6.14.40431414-1
Distribution: unstable
Urgency: medium
Maintainer: Debian VoIP Team <pkg-voip-maintain...@lists.alioth.debian.org>
Changed-By: Jonas Smedegaard <d...@jones.dk>
Closes: 1059303 1068296 1072739
Changes:
 asterisk (1:20.8.1~dfsg+~cs6.14.40431414-1) unstable; urgency=medium
 .
   [ upstream ]
   * new release
     + use PJProject 2.14.1,
       which fixes Use-after-free in SRTP media transport;
       CVE-2023-37457 CVE-2023-38703;
       closes: bug#1059303, thanks to Moritz Mühlenhoff
     + fix regression issues with DTLS client check;
       closes: bug#1068296, thanks to Oleksandr Kozmenko
 .
   [ Jonas Smedegaard ]
   * update watch file:
     + track only LTS releases
     + bump to track pjproject 2.14.1
   * unfuzz patches
   * update copyright info: update coverage
   * declare compliance with Debian Policy 4.7.0
   * create and restrict access to cache dir;
     closes: bug#1072739, thanks to Bastian Triller
   * fix rotate main logfiles,
     as logfiles use suffix .log since Asterisk 19;
     thanks to James Bottomley (see bug#1024822)
Checksums-Sha1:
 5e5a50caacffeb7f65a83de0344be4ea15a72f26 5333 asterisk_20.8.1~dfsg+~cs6.14.40431414-1.dsc
 450b21cbdd4f92f333b02d202e445b443acb0b2a 11268 asterisk_20.8.1~dfsg+~cs6.14.40431414.orig-Xamr.tar.xz
 96bf3ae2008bc5a46c9f894651110db771dc91a3 21936 asterisk_20.8.1~dfsg+~cs6.14.40431414.orig-Xmp3.tar.xz
 efd36da4be8883797c8ccb0ca1a41b933c1f19c9 22548 asterisk_20.8.1~dfsg+~cs6.14.40431414.orig-Xopus.tar.xz
 cb340d770d39567f887f0a81e96d35e43360b5ed 6343840 asterisk_20.8.1~dfsg+~cs6.14.40431414.orig-Xpjproject.tar.xz
 83360dd7f73c470287fde6f5fadcc135c37fdb3a 7351300 asterisk_20.8.1~dfsg+~cs6.14.40431414.orig.tar.xz
 6d80e3a53038c9e15e123724042c02f6f780b2ce 136012 asterisk_20.8.1~dfsg+~cs6.14.40431414-1.debian.tar.xz
 165e3783d11e2d355b9edce5472fc3c32c6e3d8b 27576 asterisk_20.8.1~dfsg+~cs6.14.40431414-1_amd64.buildinfo
Checksums-Sha256:
 153ed3376cb958b763508b9cbe0ce3e924b7d9c48628185967e37be883339715 5333 asterisk_20.8.1~dfsg+~cs6.14.40431414-1.dsc
 ba0e753d9e008ad4d55c112dd0dd628fa3ce57e85f7ca5ff117fdc47e90021d8 11268 asterisk_20.8.1~dfsg+~cs6.14.40431414.orig-Xamr.tar.xz
 7392b3cc01080322460f028363dba477df3ac25fe9dc25d3aaae20a2d6177e95 21936 asterisk_20.8.1~dfsg+~cs6.14.40431414.orig-Xmp3.tar.xz
 1dc2659ade0eb9207a5d22df188690d1528e74374f1e0dbef4a74d824c90c9cf 22548 asterisk_20.8.1~dfsg+~cs6.14.40431414.orig-Xopus.tar.xz
 faa3dcf960be6d0b96c21d46d2135e4cf047802bc39004b042c51fd6d41070e1 6343840 asterisk_20.8.1~dfsg+~cs6.14.40431414.orig-Xpjproject.tar.xz
 9dfd77447f1e741dd428d4c49560a470778ed744495994b55bf8ea5090abde27 7351300 asterisk_20.8.1~dfsg+~cs6.14.40431414.orig.tar.xz
 ad286f15378930931721200b5ff16ae3467a5b200f64b37ac62e95ff7a74aad4 136012 asterisk_20.8.1~dfsg+~cs6.14.40431414-1.debian.tar.xz
 b0e6936635fba3312ac542bd8a75822223a8caf71a87f1c6c2a972be16c3af3d 27576 asterisk_20.8.1~dfsg+~cs6.14.40431414-1_amd64.buildinfo
Files:
 34caf7bd19b22fd658dc11269c97beaf 5333 comm optional asterisk_20.8.1~dfsg+~cs6.14.40431414-1.dsc
 2f288da7d163b555955e1351203cb972 11268 comm optional asterisk_20.8.1~dfsg+~cs6.14.40431414.orig-Xamr.tar.xz
 e36d4f45ad47523be5f21a88e8b6c0d8 21936 comm optional asterisk_20.8.1~dfsg+~cs6.14.40431414.orig-Xmp3.tar.xz
 a28346e11689859feea371218e977f53 22548 comm optional asterisk_20.8.1~dfsg+~cs6.14.40431414.orig-Xopus.tar.xz
 d97bc16dd8abacb0bcf4b816da13573e 6343840 comm optional asterisk_20.8.1~dfsg+~cs6.14.40431414.orig-Xpjproject.tar.xz
 b4ecd3792eab910d1e508c2f7baaeb50 7351300 comm optional asterisk_20.8.1~dfsg+~cs6.14.40431414.orig.tar.xz
 9e368480946b9ea7b95eebbafbfe4a9b 136012 comm optional asterisk_20.8.1~dfsg+~cs6.14.40431414-1.debian.tar.xz
 dff32842a5a98a5e89c919841d58bf51 27576 comm optional asterisk_20.8.1~dfsg+~cs6.14.40431414-1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

Attachment: pgpL6vYPhhdNV.pgp
Description: PGP signature


--- End Message ---
