Bug#891227: asterisk: CVE-2018-7284: AST-2018-004: Crash when receiving SUBSCRIBE request
Tzafrir Cohen
tzafrir at cohens.org.il
Sat Feb 24 11:39:38 UTC 2018
On Sat, Feb 24, 2018 at 07:38:41AM +0100, Tzafrir Cohen wrote:
> Hi,
>
> On Fri, Feb 23, 2018 at 04:04:52PM +0100, Salvatore Bonaccorso wrote:
> > Source: asterisk
> > Version: 1:13.18.5~dfsg-1
> > Severity: grave
> > Tags: patch security upstream
>
>
> > [0] https://security-tracker.debian.org/tracker/CVE-2018-7284
> > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7284
> > [1] http://downloads.asterisk.org/pub/security/AST-2018-004.html
> >
> > Please adjust the affected versions in the BTS as needed.
>
> I'm still looking into this. For the record, there were six security
> advisories reported by the Asterisk project for the recent release:
>
> - AST-2018-001 CVE-2018-7285: (Does not apply)
> - AST-2018-002: Crash when given an invalid SDP media format description
> - AST-2018-003: Crash with an invalid SDP fmtp attribute
Those two are fixed in pjproject (specifically in 2.7.2). And probably
need to be backported to Stretch as well.
> - AST-2018-004 CVE-2018-7284: Crash when receiving SUBSCRIBE request
> (Closes: #891227)
> - AST-2018-005 CVE-2018-7286: Crash when large numbers of TCP connections
> are closed suddenly (Closes: #891227)
Those two only apply to pjsip-related code. Thus they don't apply to
oldstable. AST-004 patch seems to apply as-is to Stretch. AST-005 patch
may require more work.
> - AST-2018-006 CVE-2018-7287: WebSocket frames with 0 sized payload causes
> DoS
Only applies to 15. I missed that.
--
Tzafrir Cohen | tzafrir at jabber.org | VIM is
http://tzafrir.org.il | | a Mutt's
tzafrir at cohens.org.il | | best
tzafrir at debian.org | | friend