Package: asterisk
Version: 1:16.28.0~dfsg-0+deb11u4
Severity: important
Hello, dear Asterisk maintainers.

This is basically a copy of: <https://github.com/asterisk/asterisk/issues/503>

The rtp->ice_active_remote_candidates container used to validate the source of incoming DTLS packets doesn't contain peer reflexive candidates discovered during negotiation. This is causing the check to fail where it shouldn't.

```
[2024-03-29 21:15:09.908] WARNING[1866370][C-00000005]: res_rtp_asterisk.c:3189 __rtp_recvfrom: 1711746909.20: DTLS packet from 176.98.71.191:51192 dropped. Source not in ICE active candidate list.
```

The bug was introduced as a fix for CVE-2023-49786; I see it from the diff in https://release.debian.org/proposed-updates/bullseye_diffs/asterisk_16.28.0~dfsg-0+deb11u4.debdiff

The fix for the bug was introduced in 20.5.2, in the unstable repo, but since this is basically a regression, I believe it should be fixed in 16.28.0 too. So, what I see as a proper solution is cherry-picking: <https://github.com/gtjoseph/asterisk/commit/041122c85ddf8609ce3ccb7920de4b3f3cd1ac6e>

```
$ uname -a
Linux prod-asterisk 5.10.0-28-cloud-amd64 #1 SMP Debian 5.10.209-2 (2024-01-31) x86_64 GNU/Linux
```

Regards,
**Oleksandr Kozmenko**
**Server Administrator**
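To check whether a deployment is affected by this regression, here is an added example (not part of the report and not Asterisk code) that pulls the "Source not in ICE active candidate list" warning quoted above out of an Asterisk log and counts drops per remote source and per call; repeated drops from one peer on one call are the pattern to look for. The log sample is constructed: only the first line is modelled on the report, the second peer address (203.0.113.7) and the unrelated NOTICE line are invented.

```python
import re
from collections import Counter

# Constructed sample log (not real traffic); line 1 mirrors the warning in the report.
SAMPLE_LOG = """\
[2024-03-29 21:15:09.908] WARNING[1866370][C-00000005]: res_rtp_asterisk.c:3189 __rtp_recvfrom: 1711746909.20: DTLS packet from 176.98.71.191:51192 dropped. Source not in ICE active candidate list.
[2024-03-29 21:15:09.910] WARNING[1866370][C-00000005]: res_rtp_asterisk.c:3189 __rtp_recvfrom: 1711746909.20: DTLS packet from 176.98.71.191:51192 dropped. Source not in ICE active candidate list.
[2024-03-29 21:15:12.004] NOTICE[1866370]: example.c:1 example_fn: constructed unrelated line
[2024-03-29 21:15:15.120] WARNING[1866371][C-00000007]: res_rtp_asterisk.c:3189 __rtp_recvfrom: 1711746915.22: DTLS packet from 203.0.113.7:40000 dropped. Source not in ICE active candidate list.
"""

# Matches the __rtp_recvfrom warning shape; the call-id bracket is optional because
# not every Asterisk log line carries one.
DROP_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] WARNING\[\d+\](?:\[(?P<call>C-[0-9a-f]+)\])?: "
    r"res_rtp_asterisk\.c:\d+ __rtp_recvfrom: \S+: DTLS packet from "
    r"(?P<addr>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+) dropped\. "
    r"Source not in ICE active candidate list\.$"
)


def parse_dtls_drops(text):
    """Return one dict per dropped-DTLS warning found in the log text."""
    events = []
    for line in text.splitlines():
        m = DROP_RE.match(line)
        if m:
            events.append({"ts": m["ts"], "call": m["call"],
                           "addr": m["addr"], "port": int(m["port"])})
    return events


def drops_per_source(events):
    """Count drops per (address, port): a peer dropped again and again is the
    regression signature, since its prflx candidate is never accepted."""
    return Counter((e["addr"], e["port"]) for e in events)


def drops_per_call(events):
    """Count drops per call id so affected calls can be correlated with CDRs."""
    return Counter(e["call"] for e in events)


if __name__ == "__main__":
    ev = parse_dtls_drops(SAMPLE_LOG)
    for (addr, port), n in drops_per_source(ev).most_common():
        print(f"{addr}:{port} dropped {n} time(s)")
    for call, n in drops_per_call(ev).most_common():
        print(f"call {call}: {n} dropped DTLS packet(s)")
```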