Summary: | <net-misc/asterisk-13.29.1: Multiple vulnerabilities (CVE-2019-{12827,13161,15297,15639}) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | D'juan McDonald (domhnall) <flopwiki> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | minor | CC: | chainsaw, jaco |
Priority: | Normal | Keywords: | PullRequest |
Version: | unspecified | Flags: | nattka: sanity-check- |
Hardware: | All | ||
OS: | Linux | ||
URL: | http://downloads.asterisk.org/pub/security/AST-2019-003.html | ||
See Also: | https://bugs.gentoo.org/show_bug.cgi?id=602722 https://github.com/gentoo/gentoo/pull/15350 | ||
Whiteboard: | B3 [noglsa cve] | ||
Package list: | net-libs/pjproject-2.7.2-r1 net-misc/asterisk-13.32.0-r1 | ||
Runtime testing required: | No |
Bug Depends on: | 705754 | ||
Bug Blocks: |
Description
D'juan McDonald (domhnall)
2019-07-13 19:24:07 UTC
Adding http://downloads.asterisk.org/pub/security/AST-2019-004.html

Adding http://downloads.asterisk.org/pub/security/AST-2019-005.html

asterisk 13.29.1 has been committed to tree. It does however need stabilization. Note that http://downloads.asterisk.org/pub/security/AST-2019-004.html is not relevant since asterisk 13 isn't affected by that particular CVE.

It's been a month. Please advise on process.

(In reply to Jaco Kroon from comment #4)
> It's been a month. Please advise on process.
You're doing the right thing so far, don't worry.

amd64 stable

@x86: ping

x86 stable. Maintainer(s), please cleanup. Security, please vote.

Resetting sanity check; keywords are not fully specified and arches are not CC-ed.

I'll clean up once https://bugs.gentoo.org/602722 is handled as well. Perhaps these two should be merged.

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a11218e8b8cebddcca01bf3d4198dd08497bcbc8

commit a11218e8b8cebddcca01bf3d4198dd08497bcbc8
Author: Jaco Kroon <jaco@uls.co.za>
AuthorDate: 2020-04-15 07:33:27 +0000
Commit: Joonas Niilola <juippis@gentoo.org>
CommitDate: 2020-04-17 07:35:54 +0000

net-misc/asterisk: cleanup.

Bug: https://bugs.gentoo.org/602722
Bug: https://bugs.gentoo.org/689796
Package-Manager: Portage-2.3.89, Repoman-2.3.20
Signed-off-by: Jaco Kroon <jaco@uls.co.za>
Closes: https://github.com/gentoo/gentoo/pull/15350
Signed-off-by: Joonas Niilola <juippis@gentoo.org>

 net-misc/asterisk/Manifest | 4 -
 net-misc/asterisk/asterisk-13.23.1.ebuild | 327 -----------------------------
 net-misc/asterisk/asterisk-13.29.1.ebuild | 325 -----------------------------
 net-misc/asterisk/asterisk-13.31.0.ebuild | 325 -----------------------------
 net-misc/asterisk/asterisk-13.32.0.ebuild | 332 ------------------------------
 5 files changed, 1313 deletions(-)

Unable to check for sanity:
> no match for package: net-misc/asterisk-13.31.0
Unable to check for sanity:
> no match for package: net-misc/asterisk-13.31.0-r1
Thanks!

CVE-2019-15639 (https://nvd.nist.gov/vuln/detail/CVE-2019-15639): main/translate.c in Sangoma Asterisk 13.28.0 and 16.5.0 allows a remote attacker to send a specific RTP packet during a call and cause a crash in a specific scenario.

CVE-2019-15297 (https://nvd.nist.gov/vuln/detail/CVE-2019-15297): res_pjsip_t38 in Sangoma Asterisk 13.21-cert4, 15.7.3, and 16.5.0 allows an attacker to trigger a crash by sending a declined stream in a response to a T.38 re-invite initiated by Asterisk.

GLSA Vote: No

Thank you all for your work. Closing as [noglsa].