Bug#1018073: asterisk: CVE-2019-15297 AST-2021-006 crash when receiving m=image 0 udptl t38 re-invite fixed in 16.16.2

Benoit Panizzon panizzon at woody.ch
Thu Aug 25 09:39:53 BST 2022


Package: asterisk
Version: 1:16.16.1~dfsg-1+deb11u1
Severity: grave
Tags: security
Justification: causes non-serious data loss
X-Debbugs-Cc: Debian Security Team <team at security.debian.org>

Dear Maintainer,

I noticed my asterisk crashing when receiving a re-invite with

m=image 0 udptl t38

from non t38 aware clients like certain snom and Grandstream phones calling the Application ReceiveFax.

Turns out this is a known security issue that has been fixed:

https://downloads.asterisk.org/pub/security/AST-2021-006.html

Please also push 16.16.2 to the Debian security updates.

-Benoit-

-- System Information:
Debian Release: 11.4
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.0-14-amd64 (SMP w/4 CPU threads)
Locale: LANG=de_CH.UTF-8, LC_CTYPE=de_CH.UTF-8 (charmap=UTF-8), LANGUAGE=de_CH:de
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages asterisk depends on:
ii  adduser                  3.118
ii  asterisk-config          1:16.16.1~dfsg-1+deb11u1
ii  asterisk-core-sounds-en  1.6.1-1
ii  asterisk-modules         1:16.16.1~dfsg-1+deb11u1
ii  libc6                    2.31-13+deb11u3
ii  libcap2                  1:2.44-1
ii  libcrypt1                1:4.4.18-4
ii  libedit2                 3.1-20191231-2+b1
ii  libjansson4              2.13.1-1.1
ii  libpopt0                 1.18-2
ii  libsqlite3-0             3.34.1-3
ii  libssl1.1                1.1.1n-0+deb11u3
ii  libsystemd0              247.3-7
ii  liburiparser1            0.9.4+dfsg-1+deb11u1
ii  libuuid1                 2.36.1-8+deb11u1
ii  libxml2                  2.9.10+dfsg-6.7+deb11u2
ii  libxslt1.1               1.1.34-4+deb11u1
ii  lsb-base                 11.1.0

Versions of packages asterisk recommends:
ii  asterisk-moh-opsound-gsm                         2.03-1.1
ii  asterisk-voicemail [asterisk-voicemail-storage]  1:16.16.1~dfsg-1+deb11u1
ii  sox                                              14.4.2+git20190427-2

Versions of packages asterisk suggests:
pn  asterisk-dahdi   <none>
pn  asterisk-dev     <none>
pn  asterisk-doc     <none>
pn  asterisk-ooh323  <none>
ii  asterisk-opus    13.7+20171009-2
pn  asterisk-vpb     <none>

-- no debconf information
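
A detection sketch for the SDP line quoted in the report, added here as an example and not part of the original bug report or of Asterisk: it flags SDP bodies (for instance copied from SIP logger output) that carry a T.38 image stream with port 0. The function names and the sample SDP bodies are constructed for illustration.

```python
import re

# SDP media line layout: m=<media> <port>[/<count>] <proto> <fmt> ...
MEDIA_RE = re.compile(r"^m=(\S+)\s+(\d+)(?:/\d+)?\s+(\S+)\s+(.*)$")


def declined_t38_streams(sdp_text):
    """Return the m= lines describing a T.38 image stream with port 0."""
    hits = []
    for raw in sdp_text.splitlines():
        line = raw.strip()
        match = MEDIA_RE.match(line)
        if not match:
            continue
        media, port, proto, fmts = match.groups()
        if (media.lower() == "image" and int(port) == 0
                and proto.lower() == "udptl"
                and "t38" in fmts.lower().split()):
            hits.append(line)
    return hits


def scan_messages(messages):
    """messages: iterable of (label, sdp_text); return labels that match."""
    return [label for label, sdp in messages if declined_t38_streams(sdp)]


# Constructed sample SDP bodies (documentation addresses, not real traffic).
_HEAD = "v=0\r\no=- 1 1 IN IP4 192.0.2.10\r\ns=-\r\nc=IN IP4 192.0.2.10\r\nt=0 0\r\n"
SAMPLES = [
    ("audio-only", _HEAD + "m=audio 40000 RTP/AVP 8 0\r\n"),
    ("t38-offer", _HEAD + "m=image 4000 udptl t38\r\n"),
    ("t38-port-zero", _HEAD + "m=audio 40000 RTP/AVP 8\r\n"
                              "m=image 0 udptl t38\r\n"),
]

if __name__ == "__main__":
    for label in scan_messages(SAMPLES):
        print("SDP with T.38 image stream on port 0:", label)
```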



More information about the Pkg-voip-maintainers mailing list