Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 761313 (AST-2020-003, AST-2020-004, CVE-2020-35652)

Summary: <net-misc/asterisk-{13.38.1,16.15.1}: Multiple vulnerabilities (AST-2020-{003,004})
Product: Gentoo Security Reporter: John Helmert III <ajak>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: jaco, proxy-maint
Priority: Normal Flags: nattka: sanity-check+
Version: unspecified   
Hardware: All   
OS: Linux   
See Also: https://github.com/gentoo/gentoo/pull/18410
Whiteboard: B3 [glsa+]
Package list:
net-misc/asterisk-13.38.1 amd64 x86
 Runtime testing required: ---
Bug Depends on:    
Bug Blocks: 753269    

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2020-12-23 03:23:32 UTC 
AST-2020-003:
A crash can occur in Asterisk when a SIP message is received that has a History-Info header, which contains a tel-uri.

AST-2020-004:
A crash can occur in Asterisk when a SIP 181 response is received that has a Diversion header, which contains a tel-uri.

Fixed in 13.38.1 and 16.15.1.
Comment 1 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2020-12-23 03:23:49 UTC 
Please bump.
Comment 2 Larry the Git Cow gentoo-dev 2020-12-23 21:31:25 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d807d52318c0e9363034619a852e6d153b926e78

commit d807d52318c0e9363034619a852e6d153b926e78
Author:     Jaco Kroon <jaco@uls.co.za>
AuthorDate: 2020-11-24 08:50:07 +0000
Commit:     Marek Szuba <marecki@gentoo.org>
CommitDate: 2020-12-23 21:31:08 +0000

    net-misc/asterisk: 16.15.1 (sec bump)
    
    Bug: https://bugs.gentoo.org/753269
    Bug: https://bugs.gentoo.org/761313
    Signed-off-by: Jaco Kroon <jaco@uls.co.za>
    Signed-off-by: Marek Szuba <marecki@gentoo.org>

 net-misc/asterisk/Manifest                |   1 +
 net-misc/asterisk/asterisk-16.15.1.ebuild | 304 ++++++++++++++++++++++++++++++
 2 files changed, 305 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d5c5f8698c11a73a5685fc3e11a3098bec854423

commit d5c5f8698c11a73a5685fc3e11a3098bec854423
Author:     Jaco Kroon <jaco@uls.co.za>
AuthorDate: 2020-11-24 08:30:30 +0000
Commit:     Marek Szuba <marecki@gentoo.org>
CommitDate: 2020-12-23 21:31:05 +0000

    net-misc/asterisk: version 13.38.1 (sec update)
    
    Bug: https://bugs.gentoo.org/753269
    Bug: https://bugs.gentoo.org/761313
    Signed-off-by: Jaco Kroon <jaco@uls.co.za>
    Signed-off-by: Marek Szuba <marecki@gentoo.org>

 net-misc/asterisk/Manifest                |   1 +
 net-misc/asterisk/asterisk-13.38.1.ebuild | 299 ++++++++++++++++++++++++++++++
 2 files changed, 300 insertions(+)
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2020-12-23 21:50:51 UTC 
Please proceed with stabilization when ready.
Comment 4 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-01-01 23:00:30 UTC 
amd64 done
Comment 5 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-01-07 10:06:14 UTC 
x86 done

all arches done
Comment 6 GLSAMaker/CVETool Bot gentoo-dev 2021-01-12 17:59:28 UTC 
This issue was resolved and addressed in
 GLSA 202101-10 at https://security.gentoo.org/glsa/202101-10
by GLSA coordinator Aaron Bauman (b-man).