Bug#847666: asterisk: AST-2016-008: Crash on SDP offer or answer from endpoint using Opus

Tzafrir Cohen tzafrir.cohen at xorcom.com
Mon Dec 12 10:34:06 UTC 2016


On Sat, Dec 10, 2016 at 03:52:26PM +0100, Salvatore Bonaccorso wrote:
> Source: asterisk
> Version: 1:13.12.2~dfsg-1
> Severity: grave
> Tags: security upstream patch
> Forwarded: https://issues.asterisk.org/jira/browse/ASTERISK-26579
> 
> Hi
> 
> AST-2016-008 was announced at
> 
> http://downloads.asterisk.org/pub/security/AST-2016-008.html
> 
> referencing patches as well for the 13.x release series.
> 
> https://issues.asterisk.org/jira/browse/ASTERISK-26579
> 
> No CVE is assigned yet for this issue.

I have not yet tested our version. Note that we have our own changes in
exactly the same area. Upstream later added two new bug fixes to the
2c031b6 and fa52ecb. Of those two, fa52ecb turned out to be a security
issue.

At first glance I believe our code is not vulnerable to this one. But I
haven't tested it yet.

-- 
               Tzafrir Cohen
icq#16849755              jabber:tzafrir.cohen at xorcom.com
+972-50-7952406           mailto:tzafrir.cohen at xorcom.com
http://www.xorcom.com


