Bug#885072: asterisk: CVE-2017-17850: Crash in PJSIP resource when missing a contact header
Bernhard Schmidt
berni at birkenwald.de
Wed Dec 27 21:57:31 UTC 2017
Control: found -1 1:13.17.0~dfsg-1
Hi,
> CVE-2017-17850[0]:
> | An issue was discovered in Asterisk 13.18.4 and older, 14.7.4 and
> | older, 15.1.4 and older, and 13.18-cert1 and older. A select set of SIP
> | messages create a dialog in Asterisk. Those SIP messages must contain a
> | contact header. For those messages, if the header was not present and
> | the PJSIP channel driver was used, Asterisk would crash. The severity
> | of this vulnerability is somewhat mitigated if authentication is
> | enabled. If authentication is enabled, a user would have to first be
> | authorized before reaching the crash point.
>
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2017-17850
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17850
> [1] https://issues.asterisk.org/jira/browse/ASTERISK-27480
> [2] http://downloads.asterisk.org/pub/security/AST-2017-014.html
>
> Please adjust the affected versions in the BTS as needed.
Tzafrir has checked the code; part of it was introduced in 13.15.0 and
part in 13.18.0. So 1:13.17.0~dfsg-1 was the first Debian release
including the vulnerability.
Bernhard