| Summary: | <net-misc/asterisk-{18.20.2,20.5.2}: denial of service via dtls hello | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Christopher Fore <csfore> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | IN_PROGRESS --- | | |
| Severity: | normal | CC: | ajak, jaco, proxy-maint |
| Priority: | Normal | Keywords: | PullRequest |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | https://github.com/asterisk/asterisk/security/advisories/GHSA-hxj9-xwr8-w8pq | | |
| See Also: | https://github.com/gentoo/gentoo/pull/34642 | | |
| Whiteboard: | B3 [stable?] | | |
| Package list: | | Runtime testing required: | --- |
Description
Christopher Fore
2023-12-15 12:43:30 UTC
Looks like there were a few vulnerabilities fixed in 18.20.1/20.5.1 according to their release announcements (http://lists.digium.com/pipermail/asterisk-announce/2023-December/000895.html, http://lists.digium.com/pipermail/asterisk-announce/2023-December/000896.html):

"The following security advisories were resolved in this release:

- [Path traversal via AMI GetConfig allows access to outside files](https://github.com/asterisk/asterisk/security/advisories/GHSA-8857-hfmw-vg8f)
- [Asterisk susceptible to Denial of Service via DTLS Hello packets during call initiation](https://github.com/asterisk/asterisk/security/advisories/GHSA-hxj9-xwr8-w8pq)
- [PJSIP logging allows attacker to inject fake Asterisk log entries](https://github.com/asterisk/asterisk/security/advisories/GHSA-5743-x3p5-3rg7)
- [PJSIP_HEADER dialplan function can overwrite memory/cause crash when using 'update'](https://github.com/asterisk/asterisk/security/advisories/GHSA-98rc-4j27-74hh)"

In order, these are:

- CVE-2023-49294
- CVE-2023-49786
- no CVE (yet?)
- CVE-2023-37457

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e024067d4fa9dc6181c04c764ee850c3ac862bd9

commit e024067d4fa9dc6181c04c764ee850c3ac862bd9
Author: Jaco Kroon <jaco@uls.co.za>
AuthorDate: 2024-01-04 18:32:43 +0000
Commit: Sam James <sam@gentoo.org>
CommitDate: 2024-01-05 05:12:42 +0000

    net-misc/asterisk: add 20.5.2

    Bug: https://bugs.gentoo.org/920026
    Signed-off-by: Jaco Kroon <jaco@uls.co.za>
    Signed-off-by: Sam James <sam@gentoo.org>

 net-misc/asterisk/Manifest | 1 +
 net-misc/asterisk/asterisk-20.5.2.ebuild | 358 +++++++++++++++++++++++++++++++
 2 files changed, 359 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f27df10719add680b313fc8c51c50d5f4bccd9c9

commit f27df10719add680b313fc8c51c50d5f4bccd9c9
Author: Jaco Kroon <jaco@uls.co.za>
AuthorDate: 2024-01-04 15:01:04 +0000
Commit: Sam James <sam@gentoo.org>
CommitDate: 2024-01-05 05:12:42 +0000

    net-misc/asterisk: add 18.20.2

    Bug: https://bugs.gentoo.org/920026
    Signed-off-by: Jaco Kroon <jaco@uls.co.za>
    Signed-off-by: Sam James <sam@gentoo.org>

 net-misc/asterisk/Manifest | 1 +
 net-misc/asterisk/asterisk-18.20.2.ebuild | 362 ++++++++++++++++++++++++++++++
 2 files changed, 363 insertions(+)

Thanks! Please stable when ready.