Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 753269 (AST-2020-0001, AST-2020-0002) - <net-misc/asterisk-{13.38.1,16.15.1}: Multiple vulnerabilities (AST-2020-{0001,0002})
Summary: <net-misc/asterisk-{13.38.1,16.15.1}: Multiple vulnerabilities (AST-2020-{000...
Status: RESOLVED FIXED
Alias: AST-2020-0001, AST-2020-0002
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B3 [glsa+ blocked]
Keywords:
Depends on: AST-2020-003, AST-2020-004
Blocks:
  Show dependency tree
 
Reported: 2020-11-06 01:31 UTC by Sam James
Modified: 2021-01-12 17:59 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Sam James archtester gentoo-dev Security 2020-11-06 01:31:10 UTC
AST-2020-001: Remote crash in res_pjsip_session
Upon receiving a new SIP Invite, Asterisk did not return the created dialog
locked or referenced.

AST-2020-002: Outbound INVITE loop on challenge with different nonce.
If Asterisk is challenged on an outbound INVITE and the nonce is changed in
each response, Asterisk will continually send INVITEs in a loop. This causes
Asterisk to consume more and more memory since the transaction will never
terminate (even if the call is hung up), ultimately leading to a restart or
shutdown of Asterisk. Outbound authentication must be configured on the
endpoint for this to occur.
Comment 2 Sam James archtester gentoo-dev Security 2020-11-20 16:31:10 UTC
Ping.

[ASTERISK-29057] -
pjsip: Crash on call rejection during high load
(Reported by Sandro Gauci)

is fixed in 13.38.0, 16.5.0, 17.9.0, 18.1.0.
Comment 3 Sam James archtester gentoo-dev Security 2020-12-16 07:08:39 UTC
ping, CI is red on pr
Comment 4 Jaco Kroon 2020-12-23 13:09:45 UTC
(In reply to Sam James from comment #3)
> ping, CI is red on pr

Yea, sorry, due to previous GLSA that decided to include 11.  I've now moved that to a private overlay to fix the problem, and also incorporated the lua changes else that's going to cause problems.  dep on :0= vs :*.
Comment 5 Larry the Git Cow gentoo-dev 2020-12-23 21:31:23 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d807d52318c0e9363034619a852e6d153b926e78

commit d807d52318c0e9363034619a852e6d153b926e78
Author:     Jaco Kroon <jaco@uls.co.za>
AuthorDate: 2020-11-24 08:50:07 +0000
Commit:     Marek Szuba <marecki@gentoo.org>
CommitDate: 2020-12-23 21:31:08 +0000

    net-misc/asterisk: 16.15.1 (sec bump)
    
    Bug: https://bugs.gentoo.org/753269
    Bug: https://bugs.gentoo.org/761313
    Signed-off-by: Jaco Kroon <jaco@uls.co.za>
    Signed-off-by: Marek Szuba <marecki@gentoo.org>

 net-misc/asterisk/Manifest                |   1 +
 net-misc/asterisk/asterisk-16.15.1.ebuild | 304 ++++++++++++++++++++++++++++++
 2 files changed, 305 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d5c5f8698c11a73a5685fc3e11a3098bec854423

commit d5c5f8698c11a73a5685fc3e11a3098bec854423
Author:     Jaco Kroon <jaco@uls.co.za>
AuthorDate: 2020-11-24 08:30:30 +0000
Commit:     Marek Szuba <marecki@gentoo.org>
CommitDate: 2020-12-23 21:31:05 +0000

    net-misc/asterisk: version 13.38.1 (sec update)
    
    Bug: https://bugs.gentoo.org/753269
    Bug: https://bugs.gentoo.org/761313
    Signed-off-by: Jaco Kroon <jaco@uls.co.za>
    Signed-off-by: Marek Szuba <marecki@gentoo.org>

 net-misc/asterisk/Manifest                |   1 +
 net-misc/asterisk/asterisk-13.38.1.ebuild | 299 ++++++++++++++++++++++++++++++
 2 files changed, 300 insertions(+)
Comment 6 GLSAMaker/CVETool Bot gentoo-dev 2021-01-12 17:59:25 UTC
This issue was resolved and addressed in
 GLSA 202101-10 at https://security.gentoo.org/glsa/202101-10
by GLSA coordinator Aaron Bauman (b-man).