Your message dated Sat, 02 Sep 2017 21:04:16 +0000
with message-id <e1dofas-0003ou...@fasolo.debian.org>
and subject line Bug#873907: fixed in asterisk 1:13.17.1~dfsg-1
has caused the Debian Bug report #873907,
regarding asterisk: CVE-2017-14099: AST-2017-005: Media takeover in RTP stack
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
873907: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=873907
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: src:asterisk
Severity: important
Tags: security

               Asterisk Project Security Advisory - AST-2017-005

         Product        Asterisk                                              
         Summary        Media takeover in RTP stack                           
    Nature of Advisory  Unauthorized data disclosure                          
      Susceptibility    Remote Unauthenticated Sessions                       
         Severity       Critical                                              
      Exploits Known    No                                                    
       Reported On      May 17, 2017                                          
       Reported By      Klaus-Peter Junghanns                                 
        Posted On       
     Last Updated On    August 30, 2017                                       
     Advisory Contact   Joshua Colp <jcolp AT digium DOT com>                 
         CVE Name       

    Description  The "strictrtp" option in rtp.conf enables a feature of the  
                 RTP stack that learns the source address of media for a      
                 session and drops any packets that do not originate from     
                 the expected address. This option is enabled by default in   
                 Asterisk 11 and above.                                       
                                                                              
                 The "nat" and "rtp_symmetric" options for chan_sip and       
                 chan_pjsip respectively enable symmetric RTP support in the  
                 RTP stack. This uses the source address of incoming media    
                 as the target address of any sent media. This option is not  
                 enabled by default but is commonly enabled to handle         
                 devices behind NAT.                                          
                                                                              
                 A change was made to the strict RTP support in the RTP       
                 stack to better tolerate late media when a reinvite occurs.  
                 When combined with the symmetric RTP support this            
                 introduced an avenue where media could be hijacked. Instead  
                 of only learning a new address when expected the new code    
                 allowed a new source address to be learned at all times.     
                                                                              
                 If a flood of RTP traffic was received the strict RTP        
                 support would allow the new address to provide media and     
                 with symmetric RTP enabled outgoing traffic would be sent    
                 to this new address, allowing the media to be hijacked.      
                 Provided the attacker continued to send traffic they would   
                 continue to receive traffic as well.                         

    Resolution  The RTP stack will now only learn a new source address if it  
                has been told to expect the address to change. The RTCP       
                support has now also been updated to drop RTCP reports that   
                are not regarding the RTP session currently in progress. The  
                strict RTP learning progress has also been improved to guard  
                against a flood of RTP packets attempting to take over the    
                media stream.                                                 

                               Affected Versions
                   Product                 Release Series
             Asterisk Open Source          11.x              11.4.0
             Asterisk Open Source          13.x              All Releases
             Asterisk Open Source          14.x              All Releases
              Certified Asterisk           11.6              All Releases
              Certified Asterisk           13.13             All Releases

                                  Corrected In
          Product                              Release                        
    Asterisk Open Source               11.25.2, 13.17.1, 14.6.1               
     Certified Asterisk                11.6-cert17, 13.13-cert5               

                                     Patches
                                 SVN URL                               Revision
    http://downloads.asterisk.org/pub/security/AST-2017-005-11.diff    Asterisk 11
    http://downloads.asterisk.org/pub/security/AST-2017-005-13.diff    Asterisk 13
    http://downloads.asterisk.org/pub/security/AST-2017-005-14.diff    Asterisk 14
    http://downloads.asterisk.org/pub/security/AST-2017-005-11.6.diff  Certified Asterisk 11.6
    http://downloads.asterisk.org/pub/security/AST-2017-005-13.13.diff Certified Asterisk 13.13

    Links  https://issues.asterisk.org/jira/browse/ASTERISK-27013             

    Asterisk Project Security Advisories are posted at                        
    http://www.asterisk.org/security                                          
                                                                              
    This document may be superseded by later versions; if so, the latest      
    version will be posted at                                                 
    http://downloads.digium.com/pub/security/AST-2017-005.pdf and             
    http://downloads.digium.com/pub/security/AST-2017-005.html                

                                Revision History
        Date        Editor                    Revisions Made                  
    May 30, 2017  Joshua Colp  Initial Revision                               

               Asterisk Project Security Advisory - AST-2017-005
              Copyright (c) 2017 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in its
                           original, unaltered form.

--- End Message ---
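The advisory above describes two interacting receiver behaviours: strict RTP locks the session to one learned source address, and symmetric RTP sends outgoing media back to whatever address was learned. The toy model below, an added example that is not Asterisk's code and not part of the advisory, simulates only that learning state machine with two policies: one that relearns from any sufficiently long burst of foreign packets (the behaviour the advisory calls out), and one that relearns only after signalling has announced a change, as the resolution describes. All names (RtpSession, Policy, Packet, the learning threshold of four packets) and the addresses are constructed assumptions; the RTCP session check and the hardened learning progress mentioned in the resolution are not modelled.

```python
from dataclasses import dataclass
from enum import Enum, auto
from typing import Optional, Tuple

Addr = Tuple[str, int]


class Policy(Enum):
    LEARN_ALWAYS = auto()      # behaviour the advisory describes as vulnerable
    LEARN_ON_CHANGE = auto()   # corrected behaviour: relearn only when a change is expected


@dataclass
class Packet:
    src: Addr   # source address of the RTP datagram
    seq: int    # RTP sequence number (only used to make packets distinct)


@dataclass
class RtpSession:
    """Simplified strict-RTP source lock (assumed model, not Asterisk's implementation)."""
    policy: Policy
    symmetric: bool = True        # "nat" / "rtp_symmetric": send media back to the learned source
    learn_threshold: int = 4      # consecutive packets from one address needed to lock it (assumed)
    locked: Optional[Addr] = None
    send_to: Optional[Addr] = None
    expect_change: bool = False   # set by signalling (reinvite) when media may legitimately move
    candidate: Optional[Addr] = None
    streak: int = 0
    accepted: int = 0
    dropped: int = 0

    def reinvite(self) -> None:
        """Signalling told us the remote media address may change."""
        self.expect_change = True
        self.candidate, self.streak = None, 0

    def _lock(self, addr: Addr) -> None:
        self.locked = addr
        self.expect_change = False
        self.candidate, self.streak = None, 0
        if self.symmetric:
            self.send_to = addr   # symmetric RTP: outgoing media follows the learned source

    def _learn(self, pkt: Packet) -> bool:
        """Count consecutive packets from one address; lock it when the threshold is reached."""
        if pkt.src == self.candidate:
            self.streak += 1
        else:
            self.candidate, self.streak = pkt.src, 1
        if self.streak >= self.learn_threshold:
            self._lock(pkt.src)
            self.accepted += 1
            return True
        self.dropped += 1
        return False

    def receive(self, pkt: Packet) -> bool:
        """Strict RTP filter: return True if the packet is treated as session media."""
        if self.locked is None:
            return self._learn(pkt)                  # initial learning of the first source
        if pkt.src == self.locked:
            self.accepted += 1
            self.candidate, self.streak = None, 0    # a packet from the locked source breaks any relearning streak
            return True
        if self.policy is Policy.LEARN_ALWAYS or self.expect_change:
            return self._learn(pkt)                  # LEARN_ALWAYS: any foreign burst may relearn
        self.dropped += 1                            # LEARN_ON_CHANGE: no change pending, drop it
        return False


PHONE: Addr = ("192.0.2.10", 4000)      # constructed: the legitimate endpoint (TEST-NET-1)
OTHER: Addr = ("198.51.100.7", 5000)    # constructed: an unrelated address (TEST-NET-2)
MOVED: Addr = ("192.0.2.11", 4002)      # constructed: where the phone moves after a reinvite


def flood_scenario(policy: Policy, flood_rate: int = 5, rounds: int = 4) -> dict:
    """Mid-call, flood_rate packets per round arrive from OTHER while no reinvite is pending."""
    s = RtpSession(policy=policy)
    for i in range(s.learn_threshold):
        s.receive(Packet(PHONE, i))
    for r in range(rounds):
        for i in range(flood_rate):
            s.receive(Packet(OTHER, 1000 * r + i))
        s.receive(Packet(PHONE, 100 + r))
    return {"locked": s.locked, "send_to": s.send_to,
            "hijacked": s.send_to == OTHER, "dropped": s.dropped}


def reinvite_scenario(policy: Policy) -> dict:
    """An address change announced by signalling must still be learned under both policies."""
    s = RtpSession(policy=policy)
    for i in range(s.learn_threshold):
        s.receive(Packet(PHONE, i))
    s.reinvite()
    for i in range(s.learn_threshold):
        s.receive(Packet(MOVED, 50 + i))
    return {"locked": s.locked, "send_to": s.send_to, "expect_change": s.expect_change}


if __name__ == "__main__":
    for p in Policy:
        print(p.name, flood_scenario(p), reinvite_scenario(p))
```

Running the module shows the difference the resolution describes: under LEARN_ALWAYS the foreign burst becomes the locked source and, because symmetric RTP is on, also the destination for outgoing media; under LEARN_ON_CHANGE the same burst is counted in `dropped` and the session keeps sending to the phone, while a reinvite followed by packets from the new address is still learned. The relevant operator-side check on a real deployment is the pair of settings the advisory names: `strictrtp` in rtp.conf together with `nat` (chan_sip) or `rtp_symmetric` (chan_pjsip), and the corrected versions listed in the advisory.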
--- Begin Message ---
Source: asterisk
Source-Version: 1:13.17.1~dfsg-1

We believe that the bug you reported is fixed in the latest version of
asterisk, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 873...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Bernhard Schmidt <be...@debian.org> (supplier of updated asterisk package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sat, 02 Sep 2017 22:34:09 +0200
Source: asterisk
Binary: asterisk asterisk-modules asterisk-dahdi asterisk-vpb 
asterisk-voicemail asterisk-voicemail-imapstorage 
asterisk-voicemail-odbcstorage asterisk-ooh323 asterisk-mp3 asterisk-mysql 
asterisk-mobile asterisk-tests asterisk-doc asterisk-dev asterisk-config
Architecture: source
Version: 1:13.17.1~dfsg-1
Distribution: unstable
Urgency: high
Maintainer: Debian VoIP Team <pkg-voip-maintain...@lists.alioth.debian.org>
Changed-By: Bernhard Schmidt <be...@debian.org>
Description:
 asterisk   - Open Source Private Branch Exchange (PBX)
 asterisk-config - Configuration files for Asterisk
 asterisk-dahdi - DAHDI devices support for the Asterisk PBX
 asterisk-dev - Development files for Asterisk
 asterisk-doc - Source code documentation for Asterisk
 asterisk-mobile - Bluetooth phone support for the Asterisk PBX
 asterisk-modules - loadable modules for the Asterisk PBX
 asterisk-mp3 - MP3 playback support for the Asterisk PBX
 asterisk-mysql - MySQL database protocol support for the Asterisk PBX
 asterisk-ooh323 - H.323 protocol support for the Asterisk PBX - ooH323c
 asterisk-tests - internal test modules of the Asterisk PBX
 asterisk-voicemail - simple voicemail support for the Asterisk PBX
 asterisk-voicemail-imapstorage - IMAP voicemail storage support for the Asterisk PBX
 asterisk-voicemail-odbcstorage - ODBC voicemail storage support for the Asterisk PBX
 asterisk-vpb - VoiceTronix devices support for the Asterisk PBX
Closes: 873907 873908 873909
Changes:
 asterisk (1:13.17.1~dfsg-1) unstable; urgency=high
 .
   * New upstream version 13.17.1, fixing three CVEs
     - CVE-2017-14099 / AST-2017-005
       Media takeover in RTP stack ("RTP bleed") (Closes: #873907)
     - CVE-2017-14100 / AST-2017-006
       Shell access command injection in app_minivm (Closes: #873908)
     - CVE-2017-14098 / AST-2017-007
       Remote Crash Vulnerability in res_pjsip (Closes: #873909)
Checksums-Sha1:
 585568086378cc058e946cb922a082a2664f2873 4268 asterisk_13.17.1~dfsg-1.dsc
 adb89838e59308fe05bc60693bf01df6b8cfb2f4 6227588 asterisk_13.17.1~dfsg.orig.tar.xz
 4401b3804b6f69ef0686266b9b452e1649baabef 168376 asterisk_13.17.1~dfsg-1.debian.tar.xz
 4b26a0714b0c6f46df9910656391e2a00d0faab9 27034 asterisk_13.17.1~dfsg-1_amd64.buildinfo
Checksums-Sha256:
 754e2320c060563da2ae69f5948aaff41abca712d94759fd7f40cf3e3de01144 4268 asterisk_13.17.1~dfsg-1.dsc
 c508880b2ee165016074d75347aa2df00fc88a730db7dc1a8cf1b895e9e8a3ad 6227588 asterisk_13.17.1~dfsg.orig.tar.xz
 9722c7c60709d1ddc26d866d3283213f6797b6f7ab9a180dc51fd7c7219af6ec 168376 asterisk_13.17.1~dfsg-1.debian.tar.xz
 05f498e47a90b1fa6f81964062c76511d37d333152620e16e5f42ca60bf8e23c 27034 asterisk_13.17.1~dfsg-1_amd64.buildinfo
Files:
 869d4a0e0654952f2555b89be8d05062 4268 comm optional asterisk_13.17.1~dfsg-1.dsc
 a1a52404f8938ede9204750c6f5b69db 6227588 comm optional asterisk_13.17.1~dfsg.orig.tar.xz
 e97d792679034e7a0a29ffb7538a192d 168376 comm optional asterisk_13.17.1~dfsg-1.debian.tar.xz
 3c9577153eb8824c2ee7fea8df17bade 27034 comm optional asterisk_13.17.1~dfsg-1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
