CVE-2017-14603 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14603):

In Asterisk 11.x before 11.25.3, 13.x before 13.17.2, and 14.x before 14.6.2 and Certified Asterisk 11.x before 11.6-cert18 and 13.x before 13.13-cert6, insufficient RTCP packet validation could allow reading stale buffer contents and when combined with the "nat" and "symmetric_rtp" options allow redirecting where Asterisk sends the next RTCP report.

References:
http://downloads.asterisk.org/pub/security/AST-2017-008.html
https://issues.asterisk.org/jira/browse/ASTERISK-27274
http://www.debian.org/security/2017/dsa-3990
Stabilization for version 11.25.3 will be done in bug 629682.
Added to an existing GLSA request. Gentoo Security Padawan (jmbailey/mbailey_j)
This issue was resolved and addressed in GLSA 201710-29 at https://security.gentoo.org/glsa/201710-29 by GLSA coordinator Aaron Bauman (b-man).