Your message dated Sat, 07 Sep 2024 21:04:48 +0000
with message-id <e1sn2bw-005z6c...@fasolo.debian.org>
and subject line Bug#1078574: fixed in asterisk 1:20.9.3~dfsg+~cs6.14.60671435-1
has caused the Debian Bug report #1078574,
regarding asterisk: CVE-2024-42365
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)

--
1078574: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1078574
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: asterisk
Version: 1:20.8.1~dfsg+~cs6.14.40431414-1
Severity: grave
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerability was published for asterisk.

CVE-2024-42365[0]:
| Asterisk is an open source private branch exchange (PBX) and
| telephony toolkit. Prior to asterisk versions 18.24.2, 20.9.2, and
| 21.4.2 and certified-asterisk versions 18.9-cert11 and 20.7-cert2,
| an AMI user with `write=originate` may change all configuration
| files in the `/etc/asterisk/` directory. This occurs because they
| are able to curl remote files and write them to disk, but are also
| able to append to existing files using the `FILE` function inside
| the `SET` application. This issue may result in privilege
| escalation, remote code execution and/or blind server-side request
| forgery with arbitrary protocol. Asterisk versions 18.24.2, 20.9.2,
| and 21.4.2 and certified-asterisk versions 18.9-cert11 and
| 20.7-cert2 contain a fix for this issue.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-42365
    https://www.cve.org/CVERecord?id=CVE-2024-42365
[1] https://github.com/asterisk/asterisk/security/advisories/GHSA-c4cg-9275-6w44

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
--- End Message ---
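The report above makes the defensive point that an AMI account holding `write=originate` effectively has write access to everything under `/etc/asterisk/` on unfixed versions, so the AMI permission grants are worth auditing alongside the upgrade. As an added example (not part of this bug thread, nor Asterisk or Debian project code), the script below parses a manager.conf and flags accounts whose `write=` list contains `originate` or one of the broader classes `all`, `system` and `command`; the sample configuration is constructed.

```python
"""Audit an Asterisk manager.conf for AMI accounts whose write= list grants
'originate' (the class abused in CVE-2024-42365) or a broader class.
Added example for this bug thread; not Asterisk or Debian project code."""
import configparser
import io

# 'originate' is the class the advisory names; 'all' includes every class,
# and 'system'/'command' are at least as powerful.
RISKY_WRITE_CLASSES = {"originate", "all", "system", "command"}

# Constructed sample manager.conf (not taken from any real deployment).
SAMPLE_MANAGER_CONF = """\
[general]
enabled = yes

[monitor]
secret = ReadOnlyExample
read = call,cdr
write =

[dialer]
secret = DialerExample
read = call
write = call,originate

[admin]
secret = AdminExample
read = all
write = all
"""

def parse_classes(value):
    """Split a comma-separated AMI permission list into a set of classes."""
    return {c.strip().lower() for c in value.split(",") if c.strip()}

def audit_manager_conf(text):
    """Return {account: {risky class, ...}} for each account section whose
    write= list contains a risky class. [general] is not an account."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_file(io.StringIO(text))
    findings = {}
    for section in cp.sections():
        if section == "general":
            continue
        write = parse_classes(cp.get(section, "write", fallback=""))
        if write & RISKY_WRITE_CLASSES:
            findings[section] = write & RISKY_WRITE_CLASSES
    return findings
```

Run `audit_manager_conf(open("/etc/asterisk/manager.conf").read())` on a real file to list the accounts to review; an empty result means no account holds one of the listed classes.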
--- Begin Message ---
Source: asterisk
Source-Version: 1:20.9.3~dfsg+~cs6.14.60671435-1
Done: Jonas Smedegaard <d...@jones.dk>

We believe that the bug you reported is fixed in the latest version of
asterisk, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1078...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jonas Smedegaard <d...@jones.dk> (supplier of updated asterisk package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)

Format: 1.8
Date: Sat, 07 Sep 2024 22:14:21 +0200
Source: asterisk
Architecture: source
Version: 1:20.9.3~dfsg+~cs6.14.60671435-1
Distribution: unstable
Urgency: high
Maintainer: Debian VoIP Team <pkg-voip-maintain...@lists.alioth.debian.org>
Changed-By: Jonas Smedegaard <d...@jones.dk>
Closes: 1078574
Changes:
 asterisk (1:20.9.3~dfsg+~cs6.14.60671435-1) unstable; urgency=high
 .
   [ upstream ]
   * new release(s)
     + add entries to Originate blacklist;
       CVE-2024-42365;
       closes: bug#1078574, thanks to Salvatore Bonaccorso
     + test for NULL ub_result in unbound_resolver_callback;
       CVE-2024-42491
 .
   [ Jonas Smedegaard ]
   * fix minor privilege escalation;
     thanks to Niels Galjaard
   * update watch file: track mp3 component from git clone
   * unfuzz patch 2012
   * set urgency=high due to security-related bugfixes
--- End Message ---