
[SECURITY] [DLA 3925-1] asterisk security update



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian LTS Advisory DLA-3925-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                    Thorsten Alteholz
October 20, 2024                              https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package        : asterisk
Version        : 1:16.28.0~dfsg-0+deb11u5
CVE ID         : CVE-2024-42365 CVE-2024-42491


Two issues have been found in asterisk, an Open Source Private Branch Exchange.

CVE-2024-42365

    Due to a privilege escalation, remote code execution and/or
    blind server-side request forgery with arbitrary protocol are
    possible.

CVE-2024-42491

    Due to bad handling of malformed Contact or Record-Route URI in an
    incoming SIP request, Asterisk might crash when res_resolver_unbound
    is used.

Thanks to Niels Galjaard, a minor privilege escalation has been fixed. More information about this can be found at:
https://alioth-lists.debian.net/pipermail/pkg-voip-maintainers/2024-July/038664.html


For Debian 11 bullseye, these problems have been fixed in version
1:16.28.0~dfsg-0+deb11u5.

We recommend that you upgrade your asterisk packages.

For the detailed security status of asterisk please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/asterisk

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
