Your message dated Fri, 02 Jun 2017 13:03:39 +0000
with message-id <e1dgmet-0000mi...@fasolo.debian.org>
and subject line Bug#863906: fixed in asterisk 1:13.14.1~dfsg-2
has caused the Debian Bug report #863906,
regarding asterisk: CVE-2017-9358: AST-2017-004: Memory exhaustion on short SCCP packets
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
863906: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=863906
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: src:asterisk
Version: 1:13.0.0~dfsg-1
Severity: critical
Tags: security
Asterisk Project Security Advisory - AST-2017-004
Product              Asterisk
Summary              Memory exhaustion on short SCCP packets
Nature of Advisory   Denial of Service
Susceptibility       Remote Unauthenticated Sessions
Severity             Critical
Exploits Known       No
Reported On          April 13, 2017
Reported By          Sandro Gauci
Posted On
Last Updated On      April 13, 2017
Advisory Contact     George Joseph <gjoseph AT digium DOT com>
CVE Name
Description          A remote memory exhaustion can be triggered by sending an
                     SCCP packet to an Asterisk system with “chan_skinny” enabled
                     that is larger than the length of the SCCP header but
                     smaller than the packet length specified in the header. The
                     loop that reads the rest of the packet doesn’t detect that
                     the call to read() returned end-of-file before the expected
                     number of bytes and continues infinitely. The “partial
                     data” message logging in that tight loop causes Asterisk to
                     exhaust all available memory.
Resolution           If support for the SCCP protocol is not required, remove or
                     disable the module.
                     If support for SCCP is required, an upgrade to Asterisk will
                     be necessary.
Affected Versions
  Product                 Release Series
  Asterisk Open Source    11.x               Unaffected
  Asterisk Open Source    13.x               All versions
  Asterisk Open Source    14.x               All versions
  Certified Asterisk      13.13              All versions
Corrected In
  Product                 Release
  Asterisk Open Source    13.15.1, 14.4.1
  Certified Asterisk      13.13-cert4
Patches
SVN URL Revision
Links
Asterisk Project Security Advisories are posted at
http://www.asterisk.org/security
This document may be superseded by later versions; if so, the latest
version will be posted at http://downloads.digium.com/pub/security/.pdf
and http://downloads.digium.com/pub/security/.html
Revision History
Date Editor Revisions Made
13 April 2017 George Joseph Initial report created
Asterisk Project Security Advisory -
Copyright © 2017 Digium, Inc. All Rights Reserved.
Permission is hereby granted to distribute and publish this advisory in its
original, unaltered form.
--- End Message ---
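The advisory above describes a read loop that treats read() returning 0 (peer closed the socket) as "partial data" and retries forever, logging on every pass. The following is an added example, not code from the advisory or from Asterisk's chan_skinny: it reconstructs that bug class beside a hardened reader and drives both with a constructed frame whose header claims 64 body bytes while only 8 are sent before the writer closes. The header layout assumed here is the Skinny wire format (4-byte little-endian body length, then a 4-byte reserved/version word); SCCP_MAX_BODY, the function names and the spin cap on the vulnerable loop are choices made for this demo only.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define SCCP_HDR_LEN 8      /* LE32 body length + LE32 reserved/version */
#define SCCP_MAX_BODY 2048  /* plausibility bound chosen for this demo */

/* Hardened reader: read() == 0 means the peer closed before the frame was
 * complete; report it instead of retrying. 0 on success, -1 on EOF/error. */
static int read_exact(int fd, uint8_t *buf, size_t len)
{
    size_t got = 0;
    while (got < len) {
        ssize_t n = read(fd, buf + got, len - got);
        if (n < 0) {
            if (errno == EINTR) continue;
            return -1;
        }
        if (n == 0) return -1;      /* short packet: EOF before `len` bytes */
        got += (size_t)n;
    }
    return 0;
}

/* Reconstruction of the bug class in the advisory (illustrative, not
 * Asterisk's code): only res < 0 is checked, so read() == 0 at EOF looks
 * like "no data yet" and the loop retries without progress. `spin_cap`
 * exists only so this demo terminates; the real loop had none.
 * Returns the number of iterations that ended with an incomplete frame. */
static unsigned vulnerable_read_loop(int fd, uint8_t *buf, size_t len,
                                     unsigned spin_cap)
{
    size_t got = 0;
    unsigned spins = 0;
    while (got < len && spins < spin_cap) {
        ssize_t n = read(fd, buf + got, len - got);
        if (n < 0) break;           /* the only error condition checked */
        got += (size_t)n;
        if (got < len) spins++;     /* real code logged "partial data" here */
    }
    return spins;
}

/* Constructed frame: header claims `claimed` body bytes, only `sent` follow.
 * Header fields use the Skinny wire layout; body bytes are filler. */
static size_t build_frame(uint8_t *out, uint32_t claimed, size_t sent)
{
    for (int i = 0; i < 4; i++) out[i] = (uint8_t)(claimed >> (8 * i));
    memset(out + 4, 0, 4);                      /* reserved / version */
    memset(out + SCCP_HDR_LEN, 0xAA, sent);
    return SCCP_HDR_LEN + sent;
}

/* Push the truncated frame through a pipe and close the write end to mimic
 * a client that disconnects. Parses the header into *dlen and returns the
 * read end positioned at the body, or -1 on setup failure. */
static int open_short_frame(uint32_t claimed, size_t sent, uint32_t *dlen)
{
    int fds[2];
    uint8_t frame[SCCP_HDR_LEN + SCCP_MAX_BODY], hdr[SCCP_HDR_LEN];

    if (sent > SCCP_MAX_BODY || pipe(fds) != 0) return -1;
    size_t n = build_frame(frame, claimed, sent);
    if (write(fds[1], frame, n) != (ssize_t)n) { close(fds[0]); close(fds[1]); return -1; }
    close(fds[1]);
    if (read_exact(fds[0], hdr, SCCP_HDR_LEN) != 0) { close(fds[0]); return -1; }
    *dlen = 0;
    for (int i = 0; i < 4; i++) *dlen |= (uint32_t)hdr[i] << (8 * i);
    return fds[0];
}

/* Hardened path: 1 if the truncated frame is rejected (implausible length
 * or EOF mid-body), 0 if wrongly accepted, -1 on setup error. */
static int hardened_rejects_short_frame(void)
{
    uint32_t dlen;
    uint8_t body[SCCP_MAX_BODY];
    int fd = open_short_frame(64, 8, &dlen);
    if (fd < 0) return -1;
    int rejected = dlen > SCCP_MAX_BODY || read_exact(fd, body, dlen) != 0;
    close(fd);
    return rejected;
}

/* Vulnerable path on the same input: how many no-progress iterations ran
 * before the demo cap stopped it (the real loop would never stop). */
static unsigned vulnerable_spins_on_short_frame(unsigned spin_cap)
{
    uint32_t dlen;
    uint8_t body[SCCP_MAX_BODY];
    int fd = open_short_frame(64, 8, &dlen);
    if (fd < 0 || dlen > SCCP_MAX_BODY) return 0;
    unsigned spins = vulnerable_read_loop(fd, body, dlen, spin_cap);
    close(fd);
    return spins;
}

int main(void)
{
    printf("hardened rejects short frame: %d\n", hardened_rejects_short_frame());
    printf("vulnerable no-progress iterations (cap 1000): %u\n",
           vulnerable_spins_on_short_frame(1000));
    return 0;
}
```

Build with `cc -std=c99 -Wall short_sccp.c` on any POSIX system. The two checks that matter are the `n == 0` branch in read_exact and the upper bound on the claimed length: the first turns a disconnect into an immediate session teardown, the second stops a hostile header from sizing a buffer or a read count on the attacker's behalf.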
--- Begin Message ---
Source: asterisk
Source-Version: 1:13.14.1~dfsg-2
We believe that the bug you reported is fixed in the latest version of
asterisk, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 863...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Bernhard Schmidt <be...@debian.org> (supplier of updated asterisk package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Fri, 02 Jun 2017 14:40:15 +0200
Source: asterisk
Binary: asterisk asterisk-modules asterisk-dahdi asterisk-vpb
asterisk-voicemail asterisk-voicemail-imapstorage
asterisk-voicemail-odbcstorage asterisk-ooh323 asterisk-mp3 asterisk-mysql
asterisk-mobile asterisk-doc asterisk-dev asterisk-config
Architecture: source
Version: 1:13.14.1~dfsg-2
Distribution: unstable
Urgency: high
Maintainer: Debian VoIP Team <pkg-voip-maintain...@lists.alioth.debian.org>
Changed-By: Bernhard Schmidt <be...@debian.org>
Description:
asterisk - Open Source Private Branch Exchange (PBX)
asterisk-config - Configuration files for Asterisk
asterisk-dahdi - DAHDI devices support for the Asterisk PBX
asterisk-dev - Development files for Asterisk
asterisk-doc - Source code documentation for Asterisk
asterisk-mobile - Bluetooth phone support for the Asterisk PBX
asterisk-modules - loadable modules for the Asterisk PBX
asterisk-mp3 - MP3 playback support for the Asterisk PBX
asterisk-mysql - MySQL database protocol support for the Asterisk PBX
asterisk-ooh323 - H.323 protocol support for the Asterisk PBX - ooH323c
asterisk-voicemail - simple voicemail support for the Asterisk PBX
asterisk-voicemail-imapstorage - IMAP voicemail storage support for the Asterisk PBX
asterisk-voicemail-odbcstorage - ODBC voicemail storage support for the Asterisk PBX
asterisk-vpb - VoiceTronix devices support for the Asterisk PBX
Closes: 860902 863906
Changes:
asterisk (1:13.14.1~dfsg-2) unstable; urgency=high
.
[ Tzafrir Cohen ]
* CVE-2017-9358 / AST-2017-004: Memory exhaustion on short SCCP packets
(Closes: #863906)
* Documentation updates in debian/:
- d/p/test_framework.patch: no longer an upstream issue
- d/asterisk-config-custom:
- fix typo: buildbuildpackage (Closes: #860902)
- add comment that dpkg-buildpackage comes from dpkg-dev
Checksums-Sha1:
 2cb97e35a21005c46aadf74f082024b901a2e09f 4105 asterisk_13.14.1~dfsg-2.dsc
 705c46a021014102080d47e8885258d86bb178dd 130836 asterisk_13.14.1~dfsg-2.debian.tar.xz
 abf15993b8a96ea804156ef8baaca18ec397e489 25969 asterisk_13.14.1~dfsg-2_amd64.buildinfo
Checksums-Sha256:
 dfb49baab73fa13decf7512e739c41ef10e140468f0d321d18d3db13db14e082 4105 asterisk_13.14.1~dfsg-2.dsc
 fe8b3a93852c38c585081e6e8839c569a3f001d49b49b9cdb725a4de5aa22472 130836 asterisk_13.14.1~dfsg-2.debian.tar.xz
 87c4b0b85e7d991cb83f9b037d4d31600e4d6b942f4d225fafea6d8008c902b2 25969 asterisk_13.14.1~dfsg-2_amd64.buildinfo
Files:
 3c3f8a701749e1cda53af49f9dbc1e2a 4105 comm optional asterisk_13.14.1~dfsg-2.dsc
 e2e06a4a5dcbca5a1ea8878f882587c4 130836 comm optional asterisk_13.14.1~dfsg-2.debian.tar.xz
 c94c6a2523c6ef729ac033cb9aa63c3c 25969 comm optional asterisk_13.14.1~dfsg-2_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---