Bug 48007 - asterisk: Multiple issues (4.3)
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Security updates
UCS 4.3
All Linux
Importance: P5 normal
Target Milestone: UCS 4.3-2-errata
Assigned To: Quality Assurance
Philipp Hahn
Depends on:
Blocks:
Reported: 2018-10-17 12:23 CEST by Quality Assurance
Modified: 2018-10-17 14:57 CEST (History)

See Also:
What kind of report is it?: Security Issue
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Max CVSS v3 score: 0.0 () Debian

Description Quality Assurance univentionstaff 2018-10-17 12:23:28 CEST
New Debian asterisk 1:13.14.1~dfsg-2+deb9u4 fixes:
This update addresses the following issues:
* A Buffer Overflow issue was discovered in Asterisk through 13.19.1, 14.x through 14.7.5, and 15.x through 15.2.1, and Certified Asterisk through 13.18-cert2. When processing a SUBSCRIBE request, the res_pjsip_pubsub module stores the accepted formats present in the Accept headers of the request. This code did not limit the number of headers it processed, despite having a fixed limit of 32. If more than 32 Accept headers were present, the code would write outside of its memory and cause a crash. (CVE-2018-7284)
* An issue was discovered in Asterisk through 13.19.1, 14.x through 14.7.5, and 15.x through 15.2.1, and Certified Asterisk through 13.18-cert2. res_pjsip allows remote authenticated users to crash Asterisk (segmentation fault) by sending a number of SIP INVITE messages on a TCP or TLS connection and then suddenly closing the connection. (CVE-2018-7286)
* An issue was discovered in Asterisk Open Source 13.x before 13.21.1, 14.x before 14.7.7, and 15.x before 15.4.1 and Certified Asterisk 13.18-cert before 13.18-cert4 and 13.21-cert before 13.21-cert2. When endpoint specific ACL rules block a SIP request, they respond with a 403 forbidden. However, if an endpoint is not identified, then a 401 unauthorized response is sent. This vulnerability just discloses which requests hit a defined endpoint. The ACL rules cannot be bypassed to gain access to the disclosed endpoints. (CVE-2018-12227)
* There is a stack consumption vulnerability in the res_http_websocket.so module of Asterisk through 13.23.0, 14.7.x through 14.7.7, and 15.x through 15.6.0 and Certified Asterisk through 13.21-cert2. It allows an attacker to crash Asterisk via a specially crafted HTTP request to upgrade the connection to a websocket. (CVE-2018-17281)
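The CVE-2018-7284 entry above describes a fixed table of 32 accepted formats that was filled from the Accept headers of a SUBSCRIBE request without checking the count. The following C model is added here and is not Asterisk's or Debian's code: it parses the Accept headers of a constructed SUBSCRIBE message into a 32-slot table and rejects the request once the table is full, which is the bound check whose absence let the unpatched module write past the array. The names accept_table, collect_accept_headers and accept_result_for and the sample request are assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>
/* Hypothetical model of the pattern behind CVE-2018-7284 (not Asterisk's code):
 * a fixed table of 32 accepted formats filled from the Accept headers of a
 * SUBSCRIBE request. The unpatched module kept the table but not the count check. */
#define MAX_ACCEPT 32   /* the fixed limit named in the advisory */
#define FMT_LEN 64
struct accept_table { char formats[MAX_ACCEPT][FMT_LEN]; size_t count; };

/* Walk a CRLF-separated header block and store each Accept value.
 * Returns the number stored, or -1 when the request carries more Accept
 * headers than the table holds: rejected instead of written past the end. */
int collect_accept_headers(const char *headers, struct accept_table *t)
{
    const char *p = headers;
    t->count = 0;
    while (*p) {
        const char *eol = strchr(p, '\n');
        size_t len = eol ? (size_t)(eol - p) : strlen(p);
        if (len > 7 && strncasecmp(p, "Accept:", 7) == 0) {
            if (t->count >= MAX_ACCEPT)   /* the bound check the fix supplies */
                return -1;
            const char *v = p + 7;
            while (*v == ' ') v++;            /* skip leading whitespace */
            size_t vlen = (size_t)(p + len - v);
            if (vlen && v[vlen - 1] == '\r') vlen--;
            if (vlen >= FMT_LEN) vlen = FMT_LEN - 1;   /* bound the copy too */
            memcpy(t->formats[t->count], v, vlen);
            t->formats[t->count][vlen] = '\0';
            t->count++;
        }
        if (!eol) break;
        p = eol + 1;
    }
    return (int)t->count;
}

/* Constructed SUBSCRIBE header block carrying n Accept headers; returns what
 * collect_accept_headers() reports for it. */
int accept_result_for(int n, struct accept_table *t)
{
    static char req[4096];
    size_t off = (size_t)snprintf(req, sizeof req,
                                  "SUBSCRIBE sip:alice@example.invalid SIP/2.0\r\n");
    for (int i = 0; i < n && off < sizeof req; i++)
        off += (size_t)snprintf(req + off, sizeof req - off,
                                "Accept: application/pidf+xml;v=%d\r\n", i);
    return collect_accept_headers(req, t);
}
```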
Comment 1 Quality Assurance univentionstaff 2018-10-17 12:26:02 CEST
--- mirror/ftp/4.3/unmaintained/4.3-0/source/asterisk_13.14.1~dfsg-2+deb9u3.dsc
+++ apt/ucs_4.3-0-errata4.3-2/source/asterisk_13.14.1~dfsg-2+deb9u4.dsc
@@ -1,3 +1,14 @@
+1:13.14.1~dfsg-2+deb9u4 [Sun, 30 Sep 2018 23:24:10 +0200] Bernhard Schmidt <berni@debian.org>:
+
+  * AST-2018-004 / CVE-2018-7284: Crash when receiving SUBSCRIBE request
+    (Closes: #891227)
+  * AST-2018-005 / CVE-2018-7286: Crash when large numbers of TCP connections
+    are closed suddenly (Closes: #891228)
+  * AST-2018-008 / CVE-2018-12227: PJSIP endpoint presence disclosure when
+    using ACL (Closes: #902954)
+  * AST-2018-009 / CVE-2018-17281: Remote crash vulnerability in HTTP
+    websocket upgrade (Closes: #909554)
+
 1:13.14.1~dfsg-2+deb9u3 [Fri, 29 Dec 2017 16:27:08 +0200] Tzafrir Cohen <tzafrir@debian.org>:
 
   [ Tzafrir Cohen ]
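Review bot: the --- / +++ labels name the two .dsc files while the hunk body is the debian/changelog text of the two source packages, so read the header as the pair of packages being compared rather than as a literal change to the .dsc. The added entry is consistent with the description above: AST-2018-004, -005, -008 and -009 map one-to-one onto CVE-2018-7284, CVE-2018-7286, CVE-2018-12227 and CVE-2018-17281, so none of the four issues in the advisory is missing from the changelog.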

<http://10.200.17.11/4.3-2/#6741352584252704116>
Comment 2 Philipp Hahn univentionstaff 2018-10-17 12:52:31 CEST
Add libresample.yaml from unmaintained 4.0-0
Comment 3 Quality Assurance univentionstaff 2018-10-17 12:53:29 CEST
--- mirror/ftp/4.3/unmaintained/4.3-0/source/asterisk_13.14.1~dfsg-2+deb9u3.dsc
+++ apt/ucs_4.3-0-errata4.3-2/source/asterisk_13.14.1~dfsg-2+deb9u4.dsc
@@ -1,3 +1,14 @@
+1:13.14.1~dfsg-2+deb9u4 [Sun, 30 Sep 2018 23:24:10 +0200] Bernhard Schmidt <berni@debian.org>:
+
+  * AST-2018-004 / CVE-2018-7284: Crash when receiving SUBSCRIBE request
+    (Closes: #891227)
+  * AST-2018-005 / CVE-2018-7286: Crash when large numbers of TCP connections
+    are closed suddenly (Closes: #891228)
+  * AST-2018-008 / CVE-2018-12227: PJSIP endpoint presence disclosure when
+    using ACL (Closes: #902954)
+  * AST-2018-009 / CVE-2018-17281: Remote crash vulnerability in HTTP
+    websocket upgrade (Closes: #909554)
+
 1:13.14.1~dfsg-2+deb9u3 [Fri, 29 Dec 2017 16:27:08 +0200] Tzafrir Cohen <tzafrir@debian.org>:
 
   [ Tzafrir Cohen ]
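Review bot: this hunk is identical to the one in Comment 1; the rebuild after adding libresample.yaml (Comment 2) changed only the build link below, so there is nothing new to review here.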

<http://10.200.17.11/4.3-2/#6726727707013117803>
Comment 4 Quality Assurance univentionstaff 2018-10-17 12:53:51 CEST

<http://10.200.17.11/4.3-2/#6726727707013117803>
Comment 5 Philipp Hahn univentionstaff 2018-10-17 12:59:43 CEST
OK: yaml
OK: announce_errata
OK: patch
~FAIL: piuparts
  Similar to Bug #47889 comment 2, libresample is currently unmaintained in
  UCS-4.3 and the current version of asterisk in UCS-4.3 cannot be installed
  because of it. As such, piuparts cannot test the upgrade path and failed.

[4.3-2] 84f693a923 Bug #48007: asterisk 1:13.14.1~dfsg-2+deb9u4
 doc/errata/staging/asterisk.yaml | 37 ++++++++++++++-----------------------
 1 file changed, 14 insertions(+), 23 deletions(-)

[4.3-2] e8b6a301a7 Bug #48007: asterisk 1:13.14.1~dfsg-2+deb9u4
 doc/errata/staging/asterisk.yaml | 40 ++++++++++++++++++++++++++++++++++++++++
 1 file changed, 40 insertions(+)