[Git][security-tracker-team/security-tracker][master] 2 commits: CVE-2022-39244,CVE-2022-39269, Asterisk: Bullseye is affected

[Markus Koschany (@apo)]

Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker


Commits:
7c739f6b by Markus Koschany at 2023-02-22T22:53:14+01:00
CVE-2022-39244,CVE-2022-39269, Asterisk: Bullseye is affected

Remove not-affected tag because the vulnerable code is in PJSIP which we ship
in the debian directory (tar.bz2 file)

- - - - -
f4705b58 by Markus Koschany at 2023-02-22T23:20:31+01:00
Reserve DLA-3335-1 for asterisk

- - - - -


3 changed files:

- data/CVE/list
- data/DLA/list
- data/dla-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -31916,14 +31916,12 @@ CVE-2022-42707 (In Mahara 21.04 before 21.04.7, 21.10 before 21.10.5, 22.04 befo
 CVE-2022-42706 (An issue was discovered in Sangoma Asterisk through 16.28, 17 and 18 t ...)
 	- asterisk 1:20.0.1~dfsg+~cs6.12.40431414-1
 	[bullseye] - asterisk <no-dsa> (Minor issue)
-	[buster] - asterisk <no-dsa> (Minor issue)
 	NOTE: https://issues.asterisk.org/jira/browse/ASTERISK-30176
 	NOTE: https://downloads.asterisk.org/pub/security/AST-2022-009.html
 	NOTE: https://git.asterisk.org/gitweb/?p=asterisk/asterisk.git;a=commit;h=81f10e847efdbe8ec264062ee234e1098c29b3f6
 CVE-2022-42705 (A use-after-free in res_pjsip_pubsub.c in Sangoma Asterisk 16.28, 18.1 ...)
 	- asterisk 1:20.0.1~dfsg+~cs6.12.40431414-1
 	[bullseye] - asterisk <no-dsa> (Minor issue)
-	[buster] - asterisk <no-dsa> (Minor issue)
 	NOTE: https://issues.asterisk.org/jira/browse/ASTERISK-30244
 	NOTE: https://downloads.asterisk.org/pub/security/AST-2022-008.html
 	NOTE: https://git.asterisk.org/gitweb/?p=asterisk/asterisk.git;a=commit;h=7684c9e907fb85f5c58b025d9e385ad2600f12a2
@@ -40591,7 +40589,6 @@ CVE-2022-39270 (DiscoTOC is a Discourse theme component that generates a table o
 	NOT-FOR-US: DiscoTOC Discourse theme
 CVE-2022-39269 (PJSIP is a free and open source multimedia communication library writt ...)
 	- asterisk <unfixed>
-	[bullseye] - asterisk <not-affected> (Vulnerable code not present)
 	- pjproject <removed>
 	- ring 20230206.0~ds1-1
 	NOTE: https://github.com/pjsip/pjproject/security/advisories/GHSA-wx5m-cj97-4wwg
@@ -40688,7 +40685,6 @@ CVE-2022-39245 (Mist is the command-line interface for the makedeb Package Repos
 	NOT-FOR-US: Makedeb Mist
 CVE-2022-39244 (PJSIP is a free and open source multimedia communication library writt ...)
 	- asterisk 1:20.0.1~dfsg+~cs6.12.40431414-1
-	[bullseye] - asterisk <not-affected> (Vulnerable code not present)
 	- pjproject <removed>
 	- ring 20230206.0~ds1-1
 	NOTE: https://github.com/pjsip/pjproject/security/advisories/GHSA-fq45-m3f7-3mhj
@@ -46267,7 +46263,6 @@ CVE-2022-37326
 CVE-2022-37325 (In Sangoma Asterisk through 16.28.0, 17.x and 18.x through 18.14.0, an ...)
 	- asterisk 1:20.0.1~dfsg+~cs6.12.40431414-1
 	[bullseye] - asterisk <no-dsa> (Minor issue)
-	[buster] - asterisk <no-dsa> (Minor issue)
 	NOTE: https://issues.asterisk.org/jira/browse/ASTERISK-30103
 	NOTE: https://downloads.asterisk.org/pub/security/AST-2022-007.html
 CVE-2022-37324


=====================================
data/DLA/list
=====================================
@@ -1,3 +1,6 @@
+[22 Feb 2023] DLA-3335-1 asterisk - security update
+	{CVE-2022-23537 CVE-2022-23547 CVE-2022-31031 CVE-2022-37325 CVE-2022-39244 CVE-2022-39269 CVE-2022-42705 CVE-2022-42706}
+	[buster] - asterisk 1:16.28.0~dfsg-0+deb10u2
 [22 Feb 2023] DLA-3334-1 sofia-sip - security update
 	{CVE-2022-47516}
 	[buster] - sofia-sip 1.12.11+20110422.1-2.1+deb10u3


=====================================
data/dla-needed.txt
=====================================
@@ -24,10 +24,6 @@ apache2 (Lee Garrett)
   NOTE: 20221227: Special attention: Double check an update! Package is used by many customers and users!.
   NOTE: 20230222: CVE-2019-17567 requires 1000+ LoC patch, too intrusive (lee)
 --
-asterisk (Markus Koschany)
-  NOTE: 20221211: Programming language: C.
-  NOTE: 20230111: VCS: https://salsa.debian.org/lts-team/packages/asterisk.git
---
 binwalk (Adrian Bunk)
   NOTE: 20230222: Programming language: Python.
 --



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/ab4c0f2c1521d9802ffb2555120b3ca05076cc00...f4705b5844dcb08d08a31a7dfbc2d5dca138b876

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/ab4c0f2c1521d9802ffb2555120b3ca05076cc00...f4705b5844dcb08d08a31a7dfbc2d5dca138b876
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20230222/aeae0918/attachment-0001.htm>