Univention Bugzilla – Bug 47889
asterisk: Multiple issues (4.2)
Last modified: 2018-10-04 16:17:01 CEST
New Debian asterisk 1:11.13.1~dfsg-2+deb8u6 fixes:
This update addresses the following issue:
* There is a stack consumption vulnerability in the res_http_websocket.so module of Asterisk through 13.23.0, 14.7.x through 14.7.7, and 15.x through 15.6.0 and Certified Asterisk through 13.21-cert2. It allows an attacker to crash Asterisk via a specially crafted HTTP request to upgrade the connection to a websocket. (CVE-2018-17281)
--- mirror/ftp/4.2/unmaintained/4.2-4/source/asterisk_11.13.1~dfsg-2+deb8u5.dsc +++ apt/ucs_4.2-0-errata4.2-5/source/asterisk_11.13.1~dfsg-2+deb8u6.dsc @@ -1,3 +1,13 @@ +1:11.13.1~dfsg-2+deb8u6 [Thu, 27 Sep 2018 13:01:59 +0200] Markus Koschany <apo@debian.org>: + + * Non-maintainer upload by the LTS team. + * Fix CVE-2018-17281: + Sean Bright discoverd that Asterisk, a PBX and telephony toolkit, + contained a stack overflow vulnerability in the res_http_websocket.so + module that allowed remote attackers to crash Asterisk via specially + crafted HTTP requests to upgrade the connection to a websocket. + (Closes: #909554) + 1:11.13.1~dfsg-2+deb8u5 [Fri, 29 Dec 2017 23:24:50 +0200] Tzafrir Cohen <tzafrir@debian.org>: * CVE-2017-17090 / /AST-2017-013: memory leak from chan_skinny <http://10.200.17.11/4.2-5/#8226628997441194394>
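Review bot: the new changelog stanza for CVE-2018-17281 misspells "discovered" as "discoverd"; fix the typo before the upload. The same stanza describes the bug as a "stack overflow vulnerability", while the DSA text above calls it a stack consumption issue in res_http_websocket.so; "stack exhaustion" would avoid the impression of a buffer overflow. Only the changelog portion of the .dsc diff is shown here, so the actual change to res_http_websocket.so cannot be reviewed from this hunk and should be checked against the upstream patch referenced by Debian bug #909554.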
OK: yaml
OK: announce_errata
OK: patch
FAIL: piuparts

[4.2-5] eaad8a9f7d Bug #47889: asterisk 1:11.13.1~dfsg-2+deb8u6
 doc/errata/staging/asterisk.yaml | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)
[4.2-5] fdacaec5ea Bug #47889: asterisk 1:11.13.1~dfsg-2+deb8u6
 doc/errata/staging/asterisk.yaml | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

The piuparts test failed because our current version of Asterisk is already broken:
- we already have version 1:11.13.1~dfsg-2+deb8u5
- that version already requires bin:libresample1
- src:libresample was last imported for UCS-4.0-0 but in unmaintained
- it was never cherry-picked into maintained
??? But asterisk is maintained: REPOS/triggers/ucs_4.2-0.txt:asterisk-modules
- this is Bug #46294 !
<http://xen1.knut.univention.de:8000/packages/source/asterisk/?since=4.0>
<http://xen1.knut.univention.de:8000/packages/source/libresample/?since=4.0>

$ dpkg-deb -f 4.2/maintained/4.2-0/amd64/asterisk-modules_11.13.1~dfsg-2+deb8u2_amd64.deb Depends | tr , '\n' | grep libresample
libresample1 (>= 0.1.3)
$ dpkg-deb -f 4.2/maintained/component/4.2-2-errata/amd64/asterisk-modules_11.13.1~dfsg-2+deb8u4_amd64.deb Depends | tr , '\n' | grep libresample
libresample1 (>= 0.1.3)
$ dpkg-deb -f 4.2/maintained/4.2-3/amd64/asterisk-modules_11.13.1~dfsg-2+deb8u4_amd64.deb Depends | tr , '\n' | grep libresample
libresample1 (>= 0.1.3)
$ dpkg-deb -f 4.2/maintained/4.2-4/amd64/asterisk-modules_11.13.1~dfsg-2+deb8u5_amd64.deb Depends | tr , '\n' | grep libresample
libresample1 (>= 0.1.3)
$ LANG=C apt-get -q -s install asterisk-modules
The following packages have unmet dependencies:
 asterisk-modules : Depends: libresample1 (>= 0.1.3) but it is not installable

[4.2-5] 2f8db13849 Bug #47889: libresample 0.1.3-4.4.201403262307
 doc/errata/staging/libresample.yaml | 13 +++++++++++++
 1 file changed, 13 insertions(+)
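The manual dpkg-deb / apt-get check in the comment above, generalised into a small POSIX-shell helper (an added example, not code from the bug report or the UCS build tooling): it takes a Depends field as dpkg-deb prints it, honours "a | b" alternatives, and reports every dependency group that no package in a given list satisfies, which is exactly the condition piuparts tripped over here. The Depends string, the package list and the function names are constructed for this example; version constraints are stripped, not compared.

```shell
#!/bin/sh
# Added example, not from the bug report or the UCS build tooling.
# Checks a Depends field (as printed by `dpkg-deb -f ... Depends`) against a
# list of package names assumed to be installable, and reports the dependency
# groups nothing satisfies. Version constraints are stripped, not compared.

# Constructed Depends string, modelled on the asterisk-modules output above.
DEPENDS='libc6 (>= 2.17), libresample1 (>= 0.1.3), libssl1.0.0 | libssl1.1, asterisk (= 1:11.13.1~dfsg-2+deb8u6)'

# Constructed list of binary packages assumed to exist in the maintained repo;
# libresample1 is deliberately missing, as it was in the bug above.
AVAILABLE='libc6 libssl1.1 asterisk'

# is_available NAME: succeeds if NAME is listed in $AVAILABLE.
is_available() {
    for p in $AVAILABLE; do
        [ "$p" = "$1" ] && return 0
    done
    return 1
}

# unmet_deps DEPENDS: prints one line per dependency group that no available
# package satisfies. A group "a | b" is satisfied if either alternative is.
unmet_deps() {
    printf '%s\n' "$1" | tr ',' '\n' |
        sed -e 's/([^)]*)//g' -e 's/[[:space:]]//g' |
        while IFS= read -r group; do
            [ -n "$group" ] || continue
            # split the group into its alternatives on '|'
            IFS='|'; set -- $group; unset IFS
            found=0
            for alt in "$@"; do
                if is_available "$alt"; then found=1; break; fi
            done
            if [ "$found" -eq 0 ]; then printf '%s\n' "$group"; fi
        done
}

# Stand-alone run: mirrors the apt-get -s failure quoted in the bug.
unmet=$(unmet_deps "$DEPENDS")
if [ -n "$unmet" ]; then
    echo "unmet dependencies: $unmet"    # prints: unmet dependencies: libresample1
else
    echo "all dependencies satisfiable"
fi
```

In practice the list of available packages would come from the repository index (e.g. the Packages file of the maintained pool) rather than a constant, and a missing entry points at exactly the kind of never-imported source package that caused this failure.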
<http://errata.software-univention.de/ucs/4.2/528.html> <http://errata.software-univention.de/ucs/4.2/529.html>