Bug#1018073: asterisk: CVE-2019-15297 AST-2021-006 crash when receiving m=image 0 udptl t38 re-invite fixed in 16.16.2

Salvatore Bonaccorso carnil at debian.org
Fri Aug 26 08:51:33 BST 2022


Hi Benoit,

On Fri, Aug 26, 2022 at 09:28:01AM +0200, Benoît Panizzon wrote:
> Hi Salvatore
> 
> > I'm not sure it makes sense that the CVE-2019-15297 was used both for
> > AST-2019-004 and AST-2021-006. I asked MITRE CNA to see if there is a
> > reason not to assign a new CVE for AST-2021-006.
> > 
> > I suspect many have otherwise missed the update through AST-2021-006
> > because they had already tracked the CVE-2019-15297 / AST-2019-004 and
> > updated packages accordingly (which happened in Debian with the
> > 1:16.10.0~dfsg-1 and 1:16.2.1~dfsg-1+deb10u2 updates).
> 
> Thank you for looking into the issue. You closed the bug. I'm not sure
> what this now means as the issue is present in the actual Debian
> 'stable' version of Asterisk and can be exploited by a caller.

This is not a problem, BTS has version tracking and the bug is closed
in a specific upper version containing the fix. Debian BTS can then
close a bug in multiple versions, e.g. when it gets fixed as well in
stable.

https://bugs.debian.org/cgi-bin/version.cgi?collapse=1;absolute=0;fixed=asterisk%2F1%3A18.9.0~dfsg%2B~cs6.10.40431411-1;info=1;package=asterisk;found=asterisk%2F1%3A16.16.1~dfsg-1%2Bdeb11u1;found=asterisk%2F1%3A16.16.1~dfsg-1

> So is there going to be a security update for that issue?

We have asterisk on the so-called dsa-needed list, meaning it is aimed
to have a security update for asterisk for bullseye:

https://salsa.debian.org/security-tracker-team/security-tracker/-/blob/master/data/dsa-needed.txt

Regards,
Salvatore


