* CVE-2018-12227 PJSIP endpoint presence disclosure when using ACL
  http://downloads.asterisk.org/pub/security/AST-2018-008.html
  When endpoint specific ACL rules block a SIP request they respond with a 403 forbidden. However, if an endpoint is not identified then a 401 unauthorized response is sent. This vulnerability just discloses which requests hit a defined endpoint. The ACL rules cannot be bypassed to gain access to the disclosed endpoints.

* CVE-2018-17281 Remote crash vulnerability in HTTP websocket upgrade
  http://downloads.asterisk.org/pub/security/AST-2018-009.html
  There is a stack overflow vulnerability in the res_http_websocket.so module of Asterisk that allows an attacker to crash Asterisk via a specially crafted HTTP request to upgrade the connection to a websocket. The attacker's request causes Asterisk to run out of stack space and crash.
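The 403-versus-401 distinction in the first advisory, as an added illustration that is not Asterisk's code: a constructed model of the request-handling decision, with a check a maintainer can run to confirm that the status code no longer acts as an endpoint-existence oracle. The endpoint table, the `respond_*` functions and the "fixed" behaviour (treating an ACL-blocked request exactly like an unidentified one) are assumptions for the example, not the upstream patch.

```python
from ipaddress import ip_address, ip_network

# Constructed endpoint table: name -> networks the endpoint's ACL permits.
# (Assumption: a minimal stand-in for PJSIP endpoint ACL configuration.)
ENDPOINTS = {
    "alice": [ip_network("10.0.0.0/24")],
}


def acl_permits(permitted_networks, src_ip):
    """True if the request source address lies inside a permitted network."""
    addr = ip_address(src_ip)
    return any(addr in net for net in permitted_networks)


def respond_vulnerable(from_user, src_ip):
    """Model of the pre-13.23.1 behaviour described in AST-2018-008.

    Returns (SIP status code, internal handling). An ACL rejection yields
    403 while an unknown endpoint yields 401, so the code on the wire alone
    reveals whether `from_user` is a configured endpoint.
    """
    networks = ENDPOINTS.get(from_user)
    if networks is None:
        return 401, "unidentified"   # artificial auth challenge
    if not acl_permits(networks, src_ip):
        return 403, "acl-blocked"    # known endpoint, source not permitted
    return 401, "challenge"          # real digest challenge follows


def respond_fixed(from_user, src_ip):
    """Hardened model (assumption): an ACL-blocked request is handled like an
    unidentified one, so both cases put the same 401 on the wire."""
    networks = ENDPOINTS.get(from_user)
    if networks is None or not acl_permits(networks, src_ip):
        return 401, "unidentified"
    return 401, "challenge"


def is_existence_oracle(handler, known_name, unknown_name, src_ip):
    """Defender's check: does the visible status code differ between an
    existing and a nonexistent endpoint name from the same blocked source?"""
    known_status, _ = handler(known_name, src_ip)
    unknown_status, _ = handler(unknown_name, src_ip)
    return known_status != unknown_status
```

Only the status code is compared, because that is the part an outside observer sees; the second tuple element exists so the two branches of the fixed handler remain distinguishable in logs.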
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8979cd86bc10fb98bb70fc9a710d17912af73982

commit 8979cd86bc10fb98bb70fc9a710d17912af73982
Author:     Tony Vroon <chainsaw@gentoo.org>
AuthorDate: 2018-10-17 08:26:36 +0000
Commit:     Tony Vroon <chainsaw@gentoo.org>
CommitDate: 2018-10-17 08:29:28 +0000

    net-misc/asterisk: CVE-2018-12227, CVE-2018-17281

    Version bump to 13.23.1 to address 2 security vulnerabilities.

    CVE-2018-12227: PJSIP information disclosure
    SIP requests blocked by ACL respond 403 for an endpoint that exists and 401
    for an endpoint that does not, allowing an attacker to identify valid accounts.

    CVE-2018-17281: HTTP websocket stack overflow
    An attacker can exhaust available stack space and crash the running Asterisk
    instance by sending a specially crafted HTTP request to res_http_websocket.so

    Bug: https://bugs.gentoo.org/668848
    Signed-Off-By: Tony Vroon <chainsaw@gentoo.org>
    Package-Manager: Portage-2.3.49, Repoman-2.3.11

 net-misc/asterisk/Manifest                |   1 +
 net-misc/asterisk/asterisk-13.23.1.ebuild | 327 ++++++++++++++++++++++++++++++
 2 files changed, 328 insertions(+)
x86 stable
amd64 stable. Maintainer(s), please clean up. Security, please vote.
Clean-up is complete. Maintainer recommends GLSA due to remote crash & information disclosure.
Can you please verify that the bugs in Bug #645710 and Bug #636972 are fixed as part of this version release? We can then release a GLSA for all three of them.
(In reply to Yury German from comment #5)
> Can you please verify that the bugs in Bug #645710 and Bug #636972 are fixed
> as part of this version release. We can then release a GLSA for all three of
> them.

"13.18.4 and older" // CVE-2017-17850 // #645710 <- Yes
"before 13.18.1"    // CVE-2017-16672 // #636972 <- Yes
"before 13.18.1"    // CVE-2017-16671 // #636972 <- Yes
Thank you for the feedback and the work. GLSA request created for all 3. Maintainer(s), please drop the vulnerable version(s).
This issue was resolved and addressed in GLSA 201811-11 at https://security.gentoo.org/glsa/201811-11 by GLSA coordinator Aaron Bauman (b-man).