<p>Package: asterisk<br />
Version: 1:16.28.0~dfsg-0+deb11u4<br />
Severity: important</p>

<p>Hello, dear Asterisk maintainers.</p>

<p>This is basically a copy of:<br />
<a href="https://github.com/asterisk/asterisk/issues/503" rel="noreferrer" target="_blank">https://github.com/asterisk/asterisk/issues/503</a></p>

<p>The rtp->ice_active_remote_candidates container used to validate the source of incoming DTLS packets doesn't contain peer reflexive candidates discovered during negotiation. This is causing the check to fail where it shouldn't.</p>

<pre><code>[2024-03-29 21:15:09.908] WARNING[1866370][C-00000005]: res_rtp_asterisk.c:3189 __rtp_recvfrom: 1711746909.20: DTLS packet from 176.98.71.191:51192 dropped. Source not in ICE active candidate list.</code></pre>

<p>The bug was introduced as a fix for CVE-2023-49786; I see it from the diff in<br />
<a href="https://release.debian.org/proposed-updates/bullseye_diffs/asterisk_16.28.0~dfsg-0+deb11u4.debdiff" rel="noreferrer" target="_blank">https://release.debian.org/proposed-updates/bullseye_diffs/asterisk_16.28.0~dfsg-0+deb11u4.debdiff</a></p>
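<p>To tell whether a deployment is hitting this regression, an operator can scan the Asterisk log for the warning shown above and count drops per call and source address. The script below is an added example, not part of this report or of Asterisk; it assumes the line format is exactly the one quoted above, and the sample log it carries is constructed (only the first line is the real one from this report).</p>

```python
import re
from collections import Counter

# Pattern for the "Source not in ICE active candidate list" warning.
# Assumption: every occurrence follows the single line format quoted in this report.
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] WARNING\[(?P<pid>\d+)\]\[(?P<call>[^\]]+)\]: "
    r"res_rtp_asterisk\.c:\d+ __rtp_recvfrom: (?P<rtp_id>\S+): "
    r"DTLS packet from (?P<src>[\d.]+:\d+) dropped\. "
    r"Source not in ICE active candidate list\.$"
)


def parse_dtls_drop(line):
    """Return the fields of one dropped-DTLS warning as a dict, or None for any other line."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def summarize_drops(lines):
    """Count dropped DTLS packets per (call id, source address).

    A source that keeps getting dropped for the same call is the signature of the
    regression: the peer's reflexive candidate never made it into the active list,
    so every DTLS packet from it is rejected and the media session cannot come up.
    """
    counts = Counter()
    for line in lines:
        rec = parse_dtls_drop(line)
        if rec:
            counts[(rec["call"], rec["src"])] += 1
    return dict(counts)


# Constructed sample log: line 1 is the warning quoted in this report, the rest are made up
# (203.0.113.7 is a documentation address).
SAMPLE_LOG = """\
[2024-03-29 21:15:09.908] WARNING[1866370][C-00000005]: res_rtp_asterisk.c:3189 __rtp_recvfrom: 1711746909.20: DTLS packet from 176.98.71.191:51192 dropped. Source not in ICE active candidate list.
[2024-03-29 21:15:09.912] WARNING[1866370][C-00000005]: res_rtp_asterisk.c:3189 __rtp_recvfrom: 1711746909.20: DTLS packet from 176.98.71.191:51192 dropped. Source not in ICE active candidate list.
[2024-03-29 21:15:10.001] NOTICE[1866370][C-00000006]: some unrelated log line
[2024-03-29 21:15:11.500] WARNING[1866370][C-00000006]: res_rtp_asterisk.c:3189 __rtp_recvfrom: 1711746911.22: DTLS packet from 203.0.113.7:40000 dropped. Source not in ICE active candidate list.
"""

if __name__ == "__main__":
    for (call, src), n in sorted(summarize_drops(SAMPLE_LOG.splitlines()).items()):
        print(f"{call}: {n} DTLS packet(s) from {src} dropped")
```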

<p>A fix for the bug was introduced in 20.5.2, in the unstable repo, but since this is basically<br />
a regression, I believe it should be fixed in 16.28.0 too. So, what I see as a proper solution is cherry-picking:</p>

<p><a href="https://github.com/gtjoseph/asterisk/commit/041122c85ddf8609ce3ccb7920de4b3f3cd1ac6e" rel="noreferrer" target="_blank">https://github.com/gtjoseph/asterisk/commit/041122c85ddf8609ce3ccb7920de4b3f3cd1ac6e</a></p>

<pre><code>$ uname -a
Linux prod-asterisk 5.10.0-28-cloud-amd64 #1 SMP Debian 5.10.209-2 (2024-01-31) x86_64 GNU/Linux</code></pre>

<p>Regards,</p>

<p><strong>Oleksandr Kozmenko</strong></p>

<p><strong>Server Administrator</strong></p>
