Your message dated Fri, 02 Jun 2017 13:03:39 +0000 with message-id <[email protected]> and subject line Bug#863906: fixed in asterisk 1:13.14.1~dfsg-2 has caused the Debian Bug report #863906, regarding asterisk: CVE-2017-9358: AST-2017-004: Memory exhaustion on short SCCP packets to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact [email protected] immediately.)

--
863906: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=863906
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: src:asterisk
Version: 1:13.0.0~dfsg-1
Severity: critical
Tags: security

Asterisk Project Security Advisory - AST-2017-004

Product:            Asterisk
Summary:            Memory exhaustion on short SCCP packets
Nature of Advisory: Denial of Service
Susceptibility:     Remote Unauthenticated Sessions
Severity:           Critical
Exploits Known:     No
Reported On:        April 13, 2017
Reported By:        Sandro Gauci
Posted On:
Last Updated On:    April 13, 2017
Advisory Contact:   George Joseph <gjoseph AT digium DOT com>
CVE Name:

Description:
A remote memory exhaustion can be triggered by sending an SCCP packet to an Asterisk system with “chan_skinny” enabled that is larger than the length of the SCCP header but smaller than the packet length specified in the header. The loop that reads the rest of the packet doesn’t detect that the call to read() returned end-of-file before the expected number of bytes and continues infinitely. The “partial data” message logging in that tight loop causes Asterisk to exhaust all available memory.

Resolution:
If support for the SCCP protocol is not required, remove or disable the module. If support for SCCP is required, an upgrade to Asterisk will be necessary.

Affected Versions:
Product                 Release Series
Asterisk Open Source    11.x             Unaffected
Asterisk Open Source    13.x             All versions
Asterisk Open Source    14.x             All versions
Certified Asterisk      13.13            All versions

Corrected In:
Product                 Release
Asterisk Open Source    13.15.1, 14.4.1
Certified Asterisk      13.13-cert4

Patches:
SVN URL                 Revision

Links:

Asterisk Project Security Advisories are posted at http://www.asterisk.org/security

This document may be superseded by later versions; if so, the latest version will be posted at http://downloads.digium.com/pub/security/.pdf and http://downloads.digium.com/pub/security/.html

Revision History:
Date            Editor          Revisions Made
13 April 2017   George Joseph   Initial report created

Asterisk Project Security Advisory - Copyright © 2017 Digium, Inc. All Rights Reserved.
Permission is hereby granted to distribute and publish this advisory in its original, unaltered form.
--- End Message ---
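The defect the advisory describes, as an added example that is not Asterisk's chan_skinny code: the vulnerable read loop handles a zero-byte read() (the peer closed after sending fewer bytes than the header announced) like a partial read and keeps logging, while the hardened loop ends the session on EOF. An in-memory source stands in for the socket so it runs offline; the sample bytes, SPIN_CAP and all function names are constructed for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <sys/types.h>
#define SPIN_CAP 5  /* demonstration cap only; the real loop had none */

/* Constructed socket stand-in: at most `avail` bytes, then 0 (EOF, peer closed). */
struct src { const uint8_t *buf; size_t avail; size_t pos; };
static ssize_t fake_read(struct src *s, uint8_t *out, size_t want) {
    size_t left = s->avail - s->pos;
    size_t n = want < left ? want : left;
    memcpy(out, s->buf + s->pos, n);
    s->pos += n;
    return (ssize_t)n;
}

/* Vulnerable shape: a 0 return (EOF) is handled like a partial read, so the
 * loop logs "partial data" and retries forever. Returns the log-line count. */
int vulnerable_read(struct src *s, uint8_t *out, size_t len) {
    size_t bytes = 0; int logs = 0;
    while (bytes < len) {
        ssize_t res = fake_read(s, out + bytes, len - bytes);
        if (res < 0) return -1;
        bytes += (size_t)res;
        if (bytes < len && ++logs >= SPIN_CAP) break;  /* ast_log("partial data") */
    }
    return logs;
}

/* Hardened: EOF before `len` bytes is a short packet; return 0 so the caller
 * drops the session instead of spinning. 1 = complete read, -1 = read error. */
int hardened_read(struct src *s, uint8_t *out, size_t len) {
    size_t bytes = 0;
    while (bytes < len) {
        ssize_t res = fake_read(s, out + bytes, len - bytes);
        if (res < 0) return -1;
        if (res == 0) return 0;
        bytes += (size_t)res;
    }
    return 1;
}

/* `avail` bytes of a constructed payload arrive; `claimed` is the length the
 * SCCP header announced. Returns the chosen reader's result. */
int simulate(size_t avail, size_t claimed, int hardened) {
    static const uint8_t pkt[16] = { 0x81, 0x00, 0x00, 0x00 };  /* constructed */
    uint8_t out[16]; struct src s = { pkt, avail, 0 };
    if (claimed > sizeof out || avail > sizeof pkt) return -1;
    return hardened ? hardened_read(&s, out, claimed) : vulnerable_read(&s, out, claimed);
}
```

A real socket reader would also retry read() on EINTR and apply a per-session timeout; both are left out here to keep the comparison focused on the EOF check.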
--- Begin Message ---
Source: asterisk
Source-Version: 1:13.14.1~dfsg-2

We believe that the bug you reported is fixed in the latest version of asterisk, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to [email protected], and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Bernhard Schmidt <[email protected]> (supplier of updated asterisk package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing [email protected])

Format: 1.8
Date: Fri, 02 Jun 2017 14:40:15 +0200
Source: asterisk
Binary: asterisk asterisk-modules asterisk-dahdi asterisk-vpb asterisk-voicemail asterisk-voicemail-imapstorage asterisk-voicemail-odbcstorage asterisk-ooh323 asterisk-mp3 asterisk-mysql asterisk-mobile asterisk-doc asterisk-dev asterisk-config
Architecture: source
Version: 1:13.14.1~dfsg-2
Distribution: unstable
Urgency: high
Maintainer: Debian VoIP Team <[email protected]>
Changed-By: Bernhard Schmidt <[email protected]>
Description:
 asterisk - Open Source Private Branch Exchange (PBX)
 asterisk-config - Configuration files for Asterisk
 asterisk-dahdi - DAHDI devices support for the Asterisk PBX
 asterisk-dev - Development files for Asterisk
 asterisk-doc - Source code documentation for Asterisk
 asterisk-mobile - Bluetooth phone support for the Asterisk PBX
 asterisk-modules - loadable modules for the Asterisk PBX
 asterisk-mp3 - MP3 playback support for the Asterisk PBX
 asterisk-mysql - MySQL database protocol support for the Asterisk PBX
 asterisk-ooh323 - H.323 protocol support for the Asterisk PBX - ooH323c
 asterisk-voicemail - simple voicemail support for the Asterisk PBX
 asterisk-voicemail-imapstorage - IMAP voicemail storage support for the Asterisk PBX
 asterisk-voicemail-odbcstorage - ODBC voicemail storage support for the Asterisk PBX
 asterisk-vpb - VoiceTronix devices support for the Asterisk PBX
Closes: 860902 863906
Changes:
 asterisk (1:13.14.1~dfsg-2) unstable; urgency=high
 .
   [ Tzafrir Cohen ]
   * CVE-2017-9358 / AST-2017-004: Memory exhaustion on short SCCP packets
     (Closes: #863906)
   * Documentation updates in debian/:
     - d/p/test_framework.patch: no longer an upstream issue
     - d/asterisk-config-custom:
       - fix typo: buildbuildpackage (Closes: #860902)
       - add comment that dpkg-buildpackage comes from dpkg-dev
--- End Message ---

