Your message dated Sun, 08 Oct 2017 10:47:28 +0000
with message-id <e1e197i-0007zc...@fasolo.debian.org>
and subject line Bug#873907: fixed in asterisk 1:11.13.1~dfsg-2+deb8u3
has caused the Debian Bug report #873907,
regarding asterisk: CVE-2017-14099: AST-2017-005: Media takeover in RTP stack
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
873907: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=873907
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: src:asterisk
Severity: important
Tags: security
Asterisk Project Security Advisory - AST-2017-005

Product: Asterisk
Summary: Media takeover in RTP stack
Nature of Advisory: Unauthorized data disclosure
Susceptibility: Remote Unauthenticated Sessions
Severity: Critical
Exploits Known: No
Reported On: May 17, 2017
Reported By: Klaus-Peter Junghanns
Posted On:
Last Updated On: August 30, 2017
Advisory Contact: Joshua Colp <jcolp AT digium DOT com>
CVE Name:
Description: The "strictrtp" option in rtp.conf enables a feature of the RTP stack that learns the source address of media for a session and drops any packets that do not originate from the expected address. This option is enabled by default in Asterisk 11 and above.

The "nat" and "rtp_symmetric" options for chan_sip and chan_pjsip respectively enable symmetric RTP support in the RTP stack. This uses the source address of incoming media as the target address of any sent media. This option is not enabled by default but is commonly enabled to handle devices behind NAT.

A change was made to the strict RTP support in the RTP stack to better tolerate late media when a reinvite occurs. When combined with the symmetric RTP support this introduced an avenue where media could be hijacked. Instead of only learning a new address when expected, the new code allowed a new source address to be learned at all times. If a flood of RTP traffic was received, the strict RTP support would allow the new address to provide media and, with symmetric RTP enabled, outgoing traffic would be sent to this new address, allowing the media to be hijacked. Provided the attacker continued to send traffic they would continue to receive traffic as well.
Resolution: The RTP stack will now only learn a new source address if it has been told to expect the address to change. The RTCP support has now also been updated to drop RTCP reports that are not regarding the RTP session currently in progress. The strict RTP learning progress has also been improved to guard against a flood of RTP packets attempting to take over the media stream.
Affected Versions (product and release series):
Asterisk Open Source 11.x: 11.4.0
Asterisk Open Source 13.x: All Releases
Asterisk Open Source 14.x: All Releases
Certified Asterisk 11.6: All Releases
Certified Asterisk 13.13: All Releases

Corrected In:
Asterisk Open Source: 11.25.2, 13.17.1, 14.6.1
Certified Asterisk: 11.6-cert17, 13.13-cert5

Patches (SVN URL, Revision):
http://downloads.asterisk.org/pub/security/AST-2017-005-11.diff (Asterisk 11)
http://downloads.asterisk.org/pub/security/AST-2017-005-13.diff (Asterisk 13)
http://downloads.asterisk.org/pub/security/AST-2017-005-14.diff (Asterisk 14)
http://downloads.asterisk.org/pub/security/AST-2017-005-11.6.diff (Certified Asterisk 11.6)
http://downloads.asterisk.org/pub/security/AST-2017-005-13.13.diff (Certified Asterisk 13.13)

Links: https://issues.asterisk.org/jira/browse/ASTERISK-27013

Asterisk Project Security Advisories are posted at http://www.asterisk.org/security

This document may be superseded by later versions; if so, the latest version will be posted at http://downloads.digium.com/pub/security/AST-2017-005.pdf and http://downloads.digium.com/pub/security/AST-2017-005.html

Revision History (Date, Editor, Revisions Made):
May 30, 2017, Joshua Colp: Initial Revision
Copyright (c) 2017 Digium, Inc. All Rights Reserved.
Permission is hereby granted to distribute and publish this advisory in its
original, unaltered form.
--- End Message ---
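The advisory's description and resolution contrast two source-learning rules: the pre-fix stack learned a new media source at all times, while the fixed stack learns one only after a reinvite has told it to expect a change and guards the learning against a packet flood. The C model below is an added illustration written for this page, not code from the advisory or from the Asterisk RTP stack: the struct layout, the function names, the LEARN_THRESHOLD count, the "established source resets the candidate" rule and the addresses are all constructed assumptions used to show why the old rule let symmetric RTP redirect outgoing media and the new one does not.

```c
#include <stdbool.h>
#include <stdint.h>

/* Constructed model of strict RTP source learning with symmetric RTP, written
 * for this page; not Asterisk code. LEARN_THRESHOLD and the reset rule are
 * assumptions, not the values the advisory's patches use. */
typedef struct { uint32_t ip; uint16_t port; } rtp_addr;

typedef struct {
    rtp_addr expected;       /* learned media source; symmetric RTP sends here */
    bool     expect_change;  /* set by a reinvite: a new source is legitimate */
    rtp_addr candidate;      /* address currently trying to become the source */
    int      candidate_hits; /* consecutive packets seen from candidate */
} rtp_session;
#define LEARN_THRESHOLD 4    /* assumed: consecutive packets before switching */
static bool addr_eq(rtp_addr a, rtp_addr b) { return a.ip == b.ip && a.port == b.port; }

/* Pre-fix behaviour from the advisory: a new source is learned at all times,
 * so a single packet from anywhere redirects outgoing media to its sender. */
static bool vulnerable_rx(rtp_session *s, rtp_addr src) { s->expected = src; return true; }

/* Post-fix behaviour: learn only while a reinvite has said to expect a change,
 * and only once the candidate has been the sole sender for LEARN_THRESHOLD
 * packets in a row; media from the established source resets the candidate. */
static bool hardened_rx(rtp_session *s, rtp_addr src) {
    if (addr_eq(s->expected, src)) { s->candidate_hits = 0; return true; }
    if (!s->expect_change) return false;             /* strict RTP drops it */
    if (!addr_eq(s->candidate, src)) { s->candidate = src; s->candidate_hits = 0; }
    if (++s->candidate_hits < LEARN_THRESHOLD) return false;
    s->expected = src;                               /* switch to the new source */
    s->expect_change = false;
    s->candidate_hits = 0;
    return true;
}

static const rtp_addr PHONE     = { 0x0A000005, 4000 }; /* constructed: 10.0.0.5 */
static const rtp_addr NEW_PHONE = { 0x0A000006, 4002 }; /* phone after reinvite */
static const rtp_addr INTRUDER  = { 0xC6336401, 9000 }; /* constructed: 198.51.100.1 */

/* Feed n packets from src, optionally interleaved with the phone's own media,
 * and count the packets after which outgoing media would have gone to src. */
static int hijacked_tx_count(bool (*rx)(rtp_session *, rtp_addr), bool expect_change,
                             bool interleave, rtp_addr src, int n) {
    rtp_session s = { PHONE, expect_change, { 0, 0 }, 0 };
    int hijacked = 0;
    for (int i = 0; i < n; i++) {
        rx(&s, src);
        if (addr_eq(s.expected, src)) hijacked++;   /* symmetric RTP target */
        if (interleave) rx(&s, PHONE);
    }
    return hijacked;
}
```

With the pre-fix rule a single unexpected packet flips the send target, whereas the fixed rule never moves it unless a reinvite is pending and the new address is the only sender for LEARN_THRESHOLD packets in a row.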
--- Begin Message ---
Source: asterisk
Source-Version: 1:11.13.1~dfsg-2+deb8u3
We believe that the bug you reported is fixed in the latest version of
asterisk, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 873...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Bernhard Schmidt <be...@debian.org> (supplier of updated asterisk package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Sat, 02 Sep 2017 22:46:15 +0200
Source: asterisk
Binary: asterisk asterisk-modules asterisk-dahdi asterisk-vpb
asterisk-voicemail asterisk-voicemail-imapstorage
asterisk-voicemail-odbcstorage asterisk-ooh323 asterisk-mp3 asterisk-mysql
asterisk-mobile asterisk-doc asterisk-dev asterisk-dbg asterisk-config
Architecture: source amd64 all
Version: 1:11.13.1~dfsg-2+deb8u3
Distribution: jessie-security
Urgency: high
Maintainer: Debian VoIP Team <pkg-voip-maintain...@lists.alioth.debian.org>
Changed-By: Bernhard Schmidt <be...@debian.org>
Description:
asterisk - Open Source Private Branch Exchange (PBX)
asterisk-config - Configuration files for Asterisk
asterisk-dahdi - DAHDI devices support for the Asterisk PBX
asterisk-dbg - Debugging symbols for Asterisk
asterisk-dev - Development files for Asterisk
asterisk-doc - Source code documentation for Asterisk
asterisk-mobile - Bluetooth phone support for the Asterisk PBX
asterisk-modules - loadable modules for the Asterisk PBX
asterisk-mp3 - MP3 playback support for the Asterisk PBX
asterisk-mysql - MySQL database protocol support for the Asterisk PBX
asterisk-ooh323 - H.323 protocol support for the Asterisk PBX - ooH323c
asterisk-voicemail - simple voicemail support for the Asterisk PBX
asterisk-voicemail-imapstorage - IMAP voicemail storage support for the
Asterisk PBX
asterisk-voicemail-odbcstorage - ODBC voicemail storage support for the
Asterisk PBX
asterisk-vpb - VoiceTronix devices support for the Asterisk PBX
Closes: 873907 873908
Changes:
asterisk (1:11.13.1~dfsg-2+deb8u3) jessie-security; urgency=high
.
* CVE-2017-14099 / AST-2017-005
Media takeover in RTP stack ("RTP bleed") (Closes: #873907)
* CVE-2017-14100 / AST-2017-006
Shell access command injection in app_minivm (Closes: #873908)
Checksums-Sha1:
Checksums-Sha256:
Files:
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---