CVE-2019-13161 (https://nvd.nist.gov/vuln/detail/CVE-2019-13161): An issue was discovered in Asterisk Open Source through 13.27.0, 14.x and 15.x through 15.7.2, and 16.x through 16.4.0, and Certified Asterisk through 13.21-cert3. A pointer dereference in chan_sip while handling SDP negotiation allows an attacker to crash Asterisk when handling an SDP answer to an outgoing T.38 re-invite. To exploit this vulnerability an attacker must cause the chan_sip module to send a T.38 re-invite request to them. Upon receipt, the attacker must send an SDP answer containing both a T.38 UDPTL stream and another media stream containing only a codec (which is not permitted according to the chan_sip configuration).
Gentoo Security Padawan (domhnall)
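As an added example (not part of the bug report or of the Asterisk project), the following Python script turns the affected-version wording in the CVE text above into a check an administrator can run against the output of `asterisk -V`. The ranges are transcribed from the advisory sentence ("through 13.27.0, 14.x and 15.x through 15.7.2, 16.x through 16.4.0, Certified Asterisk through 13.21-cert3"); the function names and the sample version strings are constructed for illustration.

```python
"""Check an Asterisk version string against the affected ranges stated for
CVE-2019-13161.  Added example: ranges are transcribed from the advisory text,
function names and sample inputs are constructed for illustration."""
import re
from typing import Dict, Optional, Tuple

# "through X" in the CVE text means every release of that major series up to
# and including X.  None means the whole series is affected ("14.x").
AFFECTED_OPEN_SOURCE: Dict[int, Optional[Tuple[int, int, int]]] = {
    13: (13, 27, 0),
    14: None,
    15: (15, 7, 2),
    16: (16, 4, 0),
}
# Certified Asterisk: affected through 13.21-cert3, compared as (major, minor, cert).
AFFECTED_CERTIFIED = (13, 21, 3)

# Accepts "13.27.0", "16.4.0", "13.21-cert3", optionally prefixed by "Asterisk ".
_VERSION_RE = re.compile(r"^(?:Asterisk\s+)?(\d+)\.(\d+)(?:\.(\d+))?(?:-cert(\d+))?$")


def parse_version(text: str) -> Tuple[Tuple[int, int, int], Optional[int]]:
    """Return ((major, minor, patch), cert) for a version string; cert is None
    for Open Source builds."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Asterisk version: {text!r}")
    major, minor, patch, cert = m.groups()
    return (int(major), int(minor), int(patch or 0)), (int(cert) if cert else None)


def is_affected_cve_2019_13161(text: str) -> bool:
    """True when the version falls inside a range the CVE text lists as affected."""
    (major, minor, patch), cert = parse_version(text)
    if cert is not None:
        # Certified Asterisk branch: the patch field is unused, the cert number orders releases.
        return (major, minor, cert) <= AFFECTED_CERTIFIED
    if major not in AFFECTED_OPEN_SOURCE:
        return False
    upper = AFFECTED_OPEN_SOURCE[major]
    return True if upper is None else (major, minor, patch) <= upper


if __name__ == "__main__":
    # Constructed sample inputs; in practice feed the output of `asterisk -V`.
    for sample in ("Asterisk 13.27.0", "13.29.1", "14.7.8", "15.7.3", "16.4.0", "13.21-cert3", "13.21-cert4"):
        print(f"{sample:20} affected={is_affected_cve_2019_13161(sample)}")
```

The check is purely version-based: it tells you whether the installed release predates the fix described in the advisory, not whether chan_sip or T.38 re-invites are actually in use on the host.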
See Also: http://downloads.asterisk.org/pub/security/AST-2019-002.html
Adding http://downloads.asterisk.org/pub/security/AST-2019-004.html
Adding http://downloads.asterisk.org/pub/security/AST-2019-005.html
asterisk 13.29.1 has been committed to tree. It does however need stabilization. Note that http://downloads.asterisk.org/pub/security/AST-2019-004.html is not relevant since asterisk 13 isn't affected by that particular CVE.
It's been a month. Please advise on process.
(In reply to Jaco Kroon from comment #4)
> It's been a month. Please advise on process.

You're doing the right thing so far, don't worry.
amd64 stable
@x86: ping
x86 stable. Maintainer(s), please cleanup. Security, please vote.
Resetting sanity check; keywords are not fully specified and arches are not CC-ed.
I'll clean up once https://bugs.gentoo.org/602722 is handled as well. Perhaps these two should be merged.
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a11218e8b8cebddcca01bf3d4198dd08497bcbc8

commit a11218e8b8cebddcca01bf3d4198dd08497bcbc8
Author: Jaco Kroon <jaco@uls.co.za>
AuthorDate: 2020-04-15 07:33:27 +0000
Commit: Joonas Niilola <juippis@gentoo.org>
CommitDate: 2020-04-17 07:35:54 +0000

net-misc/asterisk: cleanup.

Bug: https://bugs.gentoo.org/602722
Bug: https://bugs.gentoo.org/689796
Package-Manager: Portage-2.3.89, Repoman-2.3.20
Signed-off-by: Jaco Kroon <jaco@uls.co.za>
Closes: https://github.com/gentoo/gentoo/pull/15350
Signed-off-by: Joonas Niilola <juippis@gentoo.org>

net-misc/asterisk/Manifest | 4 -
net-misc/asterisk/asterisk-13.23.1.ebuild | 327 -----------------------------
net-misc/asterisk/asterisk-13.29.1.ebuild | 325 -----------------------------
net-misc/asterisk/asterisk-13.31.0.ebuild | 325 -----------------------------
net-misc/asterisk/asterisk-13.32.0.ebuild | 332 ------------------------------
5 files changed, 1313 deletions(-)
Unable to check for sanity: > no match for package: net-misc/asterisk-13.31.0
Unable to check for sanity: > no match for package: net-misc/asterisk-13.31.0-r1
Thanks!
CVE-2019-15639 (https://nvd.nist.gov/vuln/detail/CVE-2019-15639): main/translate.c in Sangoma Asterisk 13.28.0 and 16.5.0 allows a remote attacker to send a specific RTP packet during a call and cause a crash in a specific scenario.
CVE-2019-15297 (https://nvd.nist.gov/vuln/detail/CVE-2019-15297): res_pjsip_t38 in Sangoma Asterisk 13.21-cert4, 15.7.3, and 16.5.0 allows an attacker to trigger a crash by sending a declined stream in a response to a T.38 re-invite initiated by Asterisk.
GLSA Vote: No
Thank you all for your work. Closing as [noglsa].