
Accepted asterisk 1:16.28.0~dfsg-0+deb11u4 (source) into oldstable-proposed-updates
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu,  4 Jan 2024 19:05:44 CET
Source: asterisk
Architecture: source
Version: 1:16.28.0~dfsg-0+deb11u4
Distribution: bullseye-security
Urgency: high
Maintainer: Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>
Changed-By: Markus Koschany <apo@debian.org>
Checksums-Sha1:
 0590e657d08f208eb8f9fccbe9a1c31294540614 4359 asterisk_16.28.0~dfsg-0+deb11u4.dsc
 69439198e7a88afb49a83219fdd3479314aeda78 6870856 asterisk_16.28.0~dfsg-0+deb11u4.debian.tar.xz
 5775e13f675a7400e2433634a8b764cc53c3ca9e 29266 asterisk_16.28.0~dfsg-0+deb11u4_amd64.buildinfo
Checksums-Sha256:
 ff5337a9fda4c88d33fa2acc6fd453d361aa9afe34b1e5eefc5deeb81ec0a1e7 4359 asterisk_16.28.0~dfsg-0+deb11u4.dsc
 90443c1e17423b4b4894de5e1c077c3e51d0b1890855be321235fe6f4f0b8d50 6870856 asterisk_16.28.0~dfsg-0+deb11u4.debian.tar.xz
 af7e6f0d77e3494549e6ff3529f79b0c4ca8766b836bb57bdb979d6a8deb7e23 29266 asterisk_16.28.0~dfsg-0+deb11u4_amd64.buildinfo
Changes:
 asterisk (1:16.28.0~dfsg-0+deb11u4) bullseye-security; urgency=high
 .
   * Non-maintainer upload.
   * Fix CVE-2023-37457:
     The 'update' functionality of the PJSIP_HEADER dialplan function can exceed
     the available buffer space for storing the new value of a header. By doing
     so this can overwrite memory or cause a crash. This is not externally
     exploitable, unless dialplan is explicitly written to update a header based
     on data from an outside source. If the 'update' functionality is not used
     the vulnerability does not occur.
   * Fix CVE-2023-38703:
     PJSIP is a free and open source multimedia communication library written in
     C with high level API in C, C++, Java, C#, and Python languages. SRTP is a
     higher level media transport which is stacked upon a lower level media
     transport such as UDP and ICE. Currently a higher level transport is not
     synchronized with its lower level transport that may introduce a
     use-after-free issue. This vulnerability affects applications that have
     SRTP capability (`PJMEDIA_HAS_SRTP` is set) and use underlying media
     transport other than UDP. This vulnerability’s impact may range from
     unexpected application termination to control flow hijack/memory
     corruption.
   * Fix CVE-2023-49294:
     It is possible to read any arbitrary file even when the `live_dangerously`
     option is not enabled.
   * Fix CVE-2023-49786:
     Asterisk is susceptible to a DoS due to a race condition in the hello
     handshake phase of the DTLS protocol when handling DTLS-SRTP for media
     setup. This attack can be done continuously, thus denying new DTLS-SRTP
     encrypted calls during the attack. Abuse of this vulnerability may lead to
     a massive Denial of Service on vulnerable Asterisk servers for calls that
     rely on DTLS-SRTP.
Files:
 aaa15c1433f6437c1a2dbc9f0234c5d8 4359 comm optional asterisk_16.28.0~dfsg-0+deb11u4.dsc
 52abf2e8af28575644bdc0c72539237f 6870856 comm optional asterisk_16.28.0~dfsg-0+deb11u4.debian.tar.xz
 df61447cb86af1d39448043cf64966bb 29266 comm optional asterisk_16.28.0~dfsg-0+deb11u4_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
