Bug#891227: asterisk: CVE-2018-7284: AST-2018-004: Crash when receiving SUBSCRIBE request

Tzafrir Cohen tzafrir at cohens.org.il
Sat Feb 24 06:38:41 UTC 2018


Hi,

On Fri, Feb 23, 2018 at 04:04:52PM +0100, Salvatore Bonaccorso wrote:
> Source: asterisk
> Version: 1:13.18.5~dfsg-1
> Severity: grave
> Tags: patch security upstream


> [0] https://security-tracker.debian.org/tracker/CVE-2018-7284
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7284
> [1] http://downloads.asterisk.org/pub/security/AST-2018-004.html
> 
> Please adjust the affected versions in the BTS as needed.

I'm still looking into this. For the record, there were six security
advisories reported by the Asterisk project for the recent release:

    - AST-2018-001 CVE-2018-7285: (Does not apply)
    - AST-2018-002: Crash when given an invalid SDP media format description
    - AST-2018-003: Crash with an invalid SDP fmtp attribute
    - AST-2018-004 CVE-2018-7284: Crash when receiving SUBSCRIBE request
      (Closes: #891227)
    - AST-2018-005 CVE-2018-7286: Crash when large numbers of TCP connections
      are closed suddenly (Closes: #891227)
    - AST-2018-006 CVE-2018-7287: WebSocket frames with 0 sized payload causes
      DoS

For 004 (this one) and 005 there are bugs. 001 does not apply to the
Debian package. I'm still looking at how those affect stable and
oldstable.

-- 
Tzafrir Cohen         | tzafrir at jabber.org | VIM is
http://tzafrir.org.il |                    | a Mutt's
tzafrir at cohens.org.il |                    |  best
tzafrir at debian.org    |                    | friend
