[SECURITY] [DLA 3696-1] asterisk security update

To: debian-lts-announce <debian-lts-announce@lists.debian.org>
Subject: [SECURITY] [DLA 3696-1] asterisk security update
From: Markus Koschany <apo@debian.org>
Date: Fri, 29 Dec 2023 00:01:50 +0100
Message-id: <[🔎] e519e9f0691c5db25f3cd4774c0cdec7055ec518.camel@debian.org>
Mail-followup-to: debian-lts@lists.debian.org
Reply-to: debian-lts@lists.debian.org

-------------------------------------------------------------------------
Debian LTS Advisory DLA-3696-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                      Markus Koschany
December 28, 2023                             https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : asterisk
Version        : 1:16.28.0~dfsg-0+deb10u4
CVE ID         : CVE-2023-37457 CVE-2023-38703 CVE-2023-49294 CVE-2023-49786
Debian Bug     : 1059303 1059032 1059033

Multiple security vulnerabilities have been discovered in Asterisk, an Open
Source Private Branch Exchange.

CVE-2023-37457

    The 'update' functionality of the PJSIP_HEADER dialplan function can exceed
    the available buffer space for storing the new value of a header. By doing
    so this can overwrite memory or cause a crash. This is not externally
    exploitable, unless dialplan is explicitly written to update a header based
    on data from an outside source. If the 'update' functionality is not used
    the vulnerability does not occur.

CVE-2023-38703

    PJSIP is a free and open source multimedia communication library written in
    C with high level API in C, C++, Java, C#, and Python languages. SRTP is a
    higher level media transport which is stacked upon a lower level media
    transport such as UDP and ICE. Currently a higher level transport is not
    synchronized with its lower level transport that may introduce a
    use-after-free issue. This vulnerability affects applications that have
    SRTP capability (`PJMEDIA_HAS_SRTP` is set) and use underlying media
    transport other than UDP. This vulnerability’s impact may range from
    unexpected application termination to control flow hijack/memory
    corruption.

CVE-2023-49294

    It is possible to read any arbitrary file even when the `live_dangerously`
    option is not enabled.

CVE-2023-49786

   Asterisk is susceptible to a DoS due to a race condition in the hello
   handshake phase of the DTLS protocol when handling DTLS-SRTP for media
   setup. This attack can be done continuously, thus denying new DTLS-SRTP
   encrypted calls during the attack. Abuse of this vulnerability may lead to
   a massive Denial of Service on vulnerable Asterisk servers for calls that
   rely on DTLS-SRTP.

For Debian 10 buster, these problems have been fixed in version
1:16.28.0~dfsg-0+deb10u4.

We recommend that you upgrade your asterisk packages.

For the detailed security status of asterisk please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/asterisk

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

Attachment: signature.asc
Description: This is a digitally signed message part

Reply to:

Prev by Date: [SECURITY] [DLA 3695-1] ansible security update
Next by Date: [SECURITY] [DLA 3697-1] firefox-esr security update
Previous by thread: [SECURITY] [DLA 3695-1] ansible security update
Next by thread: [SECURITY] [DLA 3697-1] firefox-esr security update
Index(es):
- Date
- Thread