Bug#909554: asterisk: CVE-2018-17281: Remote crash vulnerability in HTTP websocket upgrade

Salvatore Bonaccorso carnil at debian.org
Tue Sep 25 06:23:24 BST 2018


Source: asterisk
Version: 1:13.22.0~dfsg-2
Severity: grave
Tags: security upstream

Hi,

The following vulnerability was published for asterisk.

CVE-2018-17281[0]:
| There is a stack consumption vulnerability in the
| res_http_websocket.so module of Asterisk through 13.23.0, 14.7.x
| through 14.7.7, and 15.x through 15.6.0 and Certified Asterisk through
| 13.21-cert2. It allows an attacker to crash Asterisk via a specially
| crafted HTTP request to upgrade the connection to a websocket.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-17281
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17281
[1] http://downloads.asterisk.org/pub/security/AST-2018-009.html
[2] https://issues.asterisk.org/jira/browse/ASTERISK-28013

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



More information about the Pkg-voip-maintainers mailing list