Accepted asterisk 1:16.28.0~dfsg-0+deb10u4 (source) into oldoldstable
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 28 Dec 2023 22:49:40 CET
Source: asterisk
Architecture: source
Version: 1:16.28.0~dfsg-0+deb10u4
Distribution: buster-security
Urgency: high
Maintainer: Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>
Changed-By: Markus Koschany <apo@debian.org>
Checksums-Sha1:
 79db372fb940e706fc3ac25880bcc2cf905a83cf 4397 asterisk_16.28.0~dfsg-0+deb10u4.dsc
 18b58311b36d03f407db0064ea9ccea790bbf9a7 6867956 asterisk_16.28.0~dfsg-0+deb10u4.debian.tar.xz
 f1c2145eee1dc2673cfb450c6d907dec21c0cb96 28820 asterisk_16.28.0~dfsg-0+deb10u4_amd64.buildinfo
Checksums-Sha256:
 e275610beebe0e10b5f33ee8fb1509a215ad65e473cabff6db8bd241b99b976a 4397 asterisk_16.28.0~dfsg-0+deb10u4.dsc
 10faf1747ccd95565cc0ce4d814ca2b779dbd9ee6ed27d98b49abd806e9a8641 6867956 asterisk_16.28.0~dfsg-0+deb10u4.debian.tar.xz
 13393c72acbc6a0e9a9452491eb824fc7670fea2d5da6fb4e8b1ab64ccb2726d 28820 asterisk_16.28.0~dfsg-0+deb10u4_amd64.buildinfo
Changes:
 asterisk (1:16.28.0~dfsg-0+deb10u4) buster-security; urgency=high
 .
   * Non-maintainer upload by the LTS team.
   * Fix CVE-2023-37457:
     The 'update' functionality of the PJSIP_HEADER dialplan function can exceed
     the available buffer space for storing the new value of a header. By doing
     so this can overwrite memory or cause a crash. This is not externally
     exploitable, unless dialplan is explicitly written to update a header based
     on data from an outside source. If the 'update' functionality is not used
     the vulnerability does not occur.
   * Fix CVE-2023-38703:
     PJSIP is a free and open source multimedia communication library written in
     C with high level API in C, C++, Java, C#, and Python languages. SRTP is a
     higher level media transport which is stacked upon a lower level media
     transport such as UDP and ICE. Currently a higher level transport is not
     synchronized with its lower level transport that may introduce a
     use-after-free issue. This vulnerability affects applications that have
     SRTP capability (`PJMEDIA_HAS_SRTP` is set) and use underlying media
     transport other than UDP. This vulnerability’s impact may range from
     unexpected application termination to control flow hijack/memory
     corruption.
   * Fix CVE-2023-49294:
     It is possible to read any arbitrary file even when the `live_dangerously`
     option is not enabled.
   * Fix CVE-2023-49786:
     Asterisk is susceptible to a DoS due to a race condition in the hello
     handshake phase of the DTLS protocol when handling DTLS-SRTP for media
     setup. This attack can be done continuously, thus denying new DTLS-SRTP
     encrypted calls during the attack. Abuse of this vulnerability may lead to
     a massive Denial of Service on vulnerable Asterisk servers for calls that
     rely on DTLS-SRTP.
Files:
 21366c1a9ddb35048d5e3fbdebe6ed2f 4397 comm optional asterisk_16.28.0~dfsg-0+deb10u4.dsc
 7d339bbea58ec7f0d6a968d940823a23 6867956 comm optional asterisk_16.28.0~dfsg-0+deb10u4.debian.tar.xz
 35b01548b55180915df44daab5958533 28820 comm optional asterisk_16.28.0~dfsg-0+deb10u4_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

-----END PGP SIGNATURE-----