Bug#909554: asterisk: CVE-2018-17281: Remote crash vulnerability in HTTP websocket upgrade
Salvatore Bonaccorso
carnil at debian.org
Tue Sep 25 06:23:24 BST 2018
Source: asterisk
Version: 1:13.22.0~dfsg-2
Severity: grave
Tags: security upstream
Hi,
The following vulnerability was published for asterisk.
CVE-2018-17281[0]:
| There is a stack consumption vulnerability in the
| res_http_websocket.so module of Asterisk through 13.23.0, 14.7.x
| through 14.7.7, and 15.x through 15.6.0 and Certified Asterisk through
| 13.21-cert2. It allows an attacker to crash Asterisk via a specially
| crafted HTTP request to upgrade the connection to a websocket.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2018-17281
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17281
[1] http://downloads.asterisk.org/pub/security/AST-2018-009.html
[2] https://issues.asterisk.org/jira/browse/ASTERISK-28013
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
More information about the Pkg-voip-maintainers
mailing list