Bug#891227: asterisk: CVE-2018-7284: AST-2018-004: Crash when receiving SUBSCRIBE request
Salvatore Bonaccorso
carnil at debian.org
Mon Feb 26 07:17:14 UTC 2018
Hi Tzafrir,
Sorry for the lack of earlier reply, cc'ing the security team alias.
On Sat, Feb 24, 2018 at 12:39:38PM +0100, Tzafrir Cohen wrote:
> On Sat, Feb 24, 2018 at 07:38:41AM +0100, Tzafrir Cohen wrote:
> > Hi,
> >
> > On Fri, Feb 23, 2018 at 04:04:52PM +0100, Salvatore Bonaccorso wrote:
> > > Source: asterisk
> > > Version: 1:13.18.5~dfsg-1
> > > Severity: grave
> > > Tags: patch security upstream
> >
> >
> > > [0] https://security-tracker.debian.org/tracker/CVE-2018-7284
> > > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7284
> > > [1] http://downloads.asterisk.org/pub/security/AST-2018-004.html
> > >
> > > Please adjust the affected versions in the BTS as needed.
> >
> > I'm still looking into this. For the record, there were six security
> > advisories reposrted by the Asterisk project for the recent release:
> >
> > - AST-2018-001 CVE-2018-7285: (Does not apply)
> > - AST-2018-002: Crash when given an invalid SDP media format description
> > - AST-2018-003: Crash with an invalid SDP fmtp attribute
>
> Those two are fixed in pjproject (specifically in 2.7.2). And probably
> need to be backported to Stretch as well.
And I think those two are missing CVEs. I'm going to request two. I'm
though not sure if they would warrant a DSA.
For CVE-2018-7285 we reached same conclusion, that it only applies to
15.x.
>
> > - AST-2018-004 CVE-2018-7284: Crash when receiving SUBSCRIBE request
> > (Closes: #891227)
> > - AST-2018-005 CVE-2018-7286: Crash when large numbers of TCP connections
> > are closed suddenly (Closes: #891227)
>
> Those two only apply to pjsip-related code. Thus they don't apply to
> oldstable. AST-004 patch seems to apply as-is to Stretch. AST-005 patch
> may require more work.
Alright, thanks for working on it!
> > - AST-2018-006 CVE-2018-7287: WebSocket frames with 0 sized payload causes
> > DoS
>
> Only applies to 15. I missed that.
Ack.
Regards,
Salvatore
More information about the Pkg-voip-maintainers
mailing list