PJSIP endpoint presence disclosure when using ACL
When endpoint specific ACL rules block a SIP request they respond with a 403
forbidden. However, if an endpoint is not identified then a 401 unauthorized
response is sent. This vulnerability just discloses which requests hit a
defined endpoint. The ACL rules cannot be bypassed to gain access to the
Remote crash vulnerability in HTTP websocket upgrade
There is a stack overflow vulnerability in the res_http_websocket.so module
of Asterisk that allows an attacker to crash Asterisk via a specially crafted
HTTP request to upgrade the connection to a websocket. The attacker’s request
causes Asterisk to run out of stack space and crash.
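The 403-versus-401 difference described for the PJSIP issue above leaves a recognisable trace in SIP response records: one source receiving both codes across many distinct users. The following Python detection check is an added example, not code from this bug report or from Asterisk; the `src=... user=... status=...` line format, the function name `find_enumeration`, the threshold and the sample addresses are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines in a hypothetical "src=... user=... status=..." format;
# adapt the regex to whatever your SIP logging or capture export produces.
SAMPLE_LOG = """\
src=198.51.100.7 user=100 status=401
src=198.51.100.7 user=101 status=403
src=198.51.100.7 user=102 status=401
src=198.51.100.7 user=103 status=403
src=198.51.100.7 user=104 status=401
src=203.0.113.20 user=101 status=401
src=203.0.113.20 user=101 status=200
src=192.0.2.55 user=103 status=403
"""

LINE_RE = re.compile(r"src=(\S+)\s+user=(\S+)\s+status=(\d{3})")


def find_enumeration(log_text, min_users=4):
    """Return {source: sorted endpoint names disclosed by 403} for sources that
    probed at least min_users distinct users and saw both 401 and 403."""
    seen = defaultdict(lambda: defaultdict(set))  # source -> status -> users
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # ignore lines that are not in the assumed format
        src, user, status = m.group(1), m.group(2), int(m.group(3))
        if status in (401, 403):
            seen[src][status].add(user)
    flagged = {}
    for src, by_status in seen.items():
        probed = by_status[401] | by_status[403]
        # Both codes from one source across many users is the oracle pattern:
        # 403 marks a defined endpoint, 401 marks an unidentified one.
        if len(probed) >= min_users and by_status[401] and by_status[403]:
            flagged[src] = sorted(by_status[403])
    return flagged


if __name__ == "__main__":
    for src, users in find_enumeration(SAMPLE_LOG).items():
        print(f"{src}: endpoints disclosed via 403: {', '.join(users)}")
```

A lone 401 followed by a 200 (the second source in the sample) is an ordinary digest challenge and is deliberately not flagged.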
The bug has been referenced in the following commit(s):
Author: Tony Vroon <email@example.com>
AuthorDate: 2018-10-17 08:26:36 +0000
Commit: Tony Vroon <firstname.lastname@example.org>
CommitDate: 2018-10-17 08:29:28 +0000
net-misc/asterisk: CVE-2018-12227, CVE-2018-17281
Version bump to 13.23.1 to address 2 security vulnerabilities.
CVE-2018-12227: PJSIP information disclosure
SIP requests blocked by ACL respond 403 for an endpoint that
exists and 401 for an endpoint that does not, allowing an
attacker to identify valid accounts.
CVE-2018-17281: HTTP websocket stack overflow
An attacker can exhaust available stack space and crash the
running Asterisk instance by sending a specially crafted HTTP
request to res_http_websocket.so
Signed-Off-By: Tony Vroon <email@example.com>
Package-Manager: Portage-2.3.49, Repoman-2.3.11
net-misc/asterisk/Manifest | 1 +
net-misc/asterisk/asterisk-13.23.1.ebuild | 327 ++++++++++++++++++++++++++++++
2 files changed, 328 insertions(+)
Maintainer(s), please cleanup.
Security, please vote.
Clean-up is complete. Maintainer recommends GLSA due to remote crash & information disclosure.
Can you please verify that the bugs in Bug #645710 and Bug #636972 are fixed as part of this version release? We can then release a GLSA for all three of them.
(In reply to Yury German from comment #5)
> Can you please verify that the bugs in Bug #645710 and Bug #636972 are fixed
> as part of this version release. We can then release a GLSA for all three of
"13.18.4 and older" // CVE-2017-17850 // #645710 <- Yes
"before 13.18.1" // CVE-2017-16672 // #636972 <- Yes
"before 13.18.1" // CVE-2017-16671 // #636972 <- Yes
Thank you for feedback and the work, GLSA Request created for all 3
Maintainer(s), please drop the vulnerable version(s).
This issue was resolved and addressed in
GLSA 201811-11 at https://security.gentoo.org/glsa/201811-11
by GLSA coordinator Aaron Bauman (b-man).