Bug#885072: asterisk: CVE-2017-17850: Crash in PJSIP resource when missing a contact header

Bernhard Schmidt berni at birkenwald.de
Wed Dec 27 21:57:31 UTC 2017


Control: found -1 1:13.17.0~dfsg-1

Hi,

> CVE-2017-17850[0]:
> | An issue was discovered in Asterisk 13.18.4 and older, 14.7.4 and
> | older, 15.1.4 and older, and 13.18-cert1 and older. A select set of SIP
> | messages create a dialog in Asterisk. Those SIP messages must contain a
> | contact header. For those messages, if the header was not present and
> | the PJSIP channel driver was used, Asterisk would crash. The severity
> | of this vulnerability is somewhat mitigated if authentication is
> | enabled. If authentication is enabled, a user would have to first be
> | authorized before reaching the crash point.
> 
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> 
> For further information see:
> 
> [0] https://security-tracker.debian.org/tracker/CVE-2017-17850
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17850
> [1] https://issues.asterisk.org/jira/browse/ASTERISK-27480
> [2] http://downloads.asterisk.org/pub/security/AST-2017-014.html
> 
> Please adjust the affected versions in the BTS as needed.

Tzafrir has checked the code, part of it was introduced in 13.15.0 and
part in 13.18.0. So 1:13.17.0~dfsg-1 was the first Debian release
including the vulnerability.

Bernhard



More information about the Pkg-voip-maintainers mailing list