Bug#1018073: asterisk: CVE-2019-15297 AST-2021-006 crash when receiving m=image 0 udptl t38 re-invite fixed in 16.16.2

Benoît Panizzon panizzon at woody.ch
Fri Aug 26 08:28:01 BST 2022


Hi Salvatore

> I'm not sure it makes sense that CVE-2019-15297 was used both for
> AST-2019-004 and AST-2021-006. I asked the MITRE CNA to see if there is a
> reason not to assign a new CVE for AST-2021-006.
> 
> I suspect many have otherwise missed the update through AST-2021-006
> because they had already tracked CVE-2019-15297 / AST-2019-004 and
> updated packages accordingly (which happened in Debian with the
> 1:16.10.0~dfsg-1 and 1:16.2.1~dfsg-1+deb10u2 updates).

Thank you for looking into the issue. You closed the bug. I'm not sure
what this now means, as the issue is present in the current Debian
'stable' version of Asterisk and can be exploited by a caller.

So is there going to be a security update for that issue?

-Benoît-


