Source: asterisk Version: 1:16.12.0~dfsg-1 Severity: important Tags: security upstream Forwarded: https://issues.asterisk.org/jira/browse/ASTERISK-29013 X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Hi, The following vulnerability was published for asterisk. CVE-2020-28242[0]: | An issue was discovered in Asterisk Open Source 13.x before 13.37.1, | 16.x before 16.14.1, 17.x before 17.8.1, and 18.x before 18.0.1 and | Certified Asterisk before 16.8-cert5. If Asterisk is challenged on an | outbound INVITE and the nonce is changed in each response, Asterisk | will continually send INVITEs in a loop. This causes Asterisk to | consume more and more memory since the transaction will never | terminate (even if the call is hung up), ultimately leading to a | restart or shutdown of Asterisk. Outbound authentication must be | configured on the endpoint for this to occur. If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2020-28242 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28242 [1] https://issues.asterisk.org/jira/browse/ASTERISK-29013 [2] https://downloads.asterisk.org/pub/security/AST-2020-002.html Please adjust the affected versions in the BTS as needed. Regards, Salvatore
