Your message dated Sat, 20 Oct 2018 09:47:08 +0000 with message-id <e1gdnqe-000fb3...@fasolo.debian.org> and subject line Bug#909554: fixed in asterisk 1:13.14.1~dfsg-2+deb9u4 has caused the Debian Bug report #909554, regarding asterisk: CVE-2018-17281: Remote crash vulnerability in HTTP websocket upgrade to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 909554: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=909554 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
--- Begin Message ---Source: asterisk Version: 1:13.22.0~dfsg-2 Severity: grave Tags: security upstream Hi, The following vulnerability was published for asterisk. CVE-2018-17281[0]: | There is a stack consumption vulnerability in the | res_http_websocket.so module of Asterisk through 13.23.0, 14.7.x | through 14.7.7, and 15.x through 15.6.0 and Certified Asterisk through | 13.21-cert2. It allows an attacker to crash Asterisk via a specially | crafted HTTP request to upgrade the connection to a websocket. If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2018-17281 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17281 [1] http://downloads.asterisk.org/pub/security/AST-2018-009.html [2] https://issues.asterisk.org/jira/browse/ASTERISK-28013 Please adjust the affected versions in the BTS as needed. Regards, Salvatore
--- End Message ---
--- Begin Message ---Source: asterisk Source-Version: 1:13.14.1~dfsg-2+deb9u4 We believe that the bug you reported is fixed in the latest version of asterisk, which is due to be installed in the Debian FTP archive. A summary of the changes between this version and the previous one is attached. Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 909...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate. Debian distribution maintenance software pp. Bernhard Schmidt <be...@debian.org> (supplier of updated asterisk package) (This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@ftp-master.debian.org) -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Format: 1.8 Date: Sun, 30 Sep 2018 23:24:10 +0200 Source: asterisk Binary: asterisk asterisk-modules asterisk-dahdi asterisk-vpb asterisk-voicemail asterisk-voicemail-imapstorage asterisk-voicemail-odbcstorage asterisk-ooh323 asterisk-mp3 asterisk-mysql asterisk-mobile asterisk-doc asterisk-dev asterisk-config Architecture: source Version: 1:13.14.1~dfsg-2+deb9u4 Distribution: stretch-security Urgency: medium Maintainer: Debian VoIP Team <pkg-voip-maintain...@lists.alioth.debian.org> Changed-By: Bernhard Schmidt <be...@debian.org> Description: asterisk - Open Source Private Branch Exchange (PBX) asterisk-config - Configuration files for Asterisk asterisk-dahdi - DAHDI devices support for the Asterisk PBX asterisk-dev - Development files for Asterisk asterisk-doc - Source code documentation for Asterisk asterisk-mobile - Bluetooth phone support for the Asterisk PBX asterisk-modules - loadable modules for the Asterisk PBX asterisk-mp3 - MP3 playback support for the Asterisk PBX asterisk-mysql - MySQL database protocol support for the Asterisk PBX asterisk-ooh323 - H.323 protocol support for the Asterisk PBX - ooH323c asterisk-voicemail - simple voicemail support for the Asterisk PBX asterisk-voicemail-imapstorage - IMAP voicemail storage support for the Asterisk PBX asterisk-voicemail-odbcstorage - ODBC voicemail storage support for the Asterisk PBX asterisk-vpb - VoiceTronix devices support for the Asterisk PBX Closes: 891227 891228 902954 909554 Changes: asterisk (1:13.14.1~dfsg-2+deb9u4) stretch-security; urgency=medium . * AST-2018-004 / CVE-2018-7284: Crash when receiving SUBSCRIBE request (Closes: #891227) * AST-2018-005 / CVE-2018-7286: Crash when large numbers of TCP connections are closed suddenly (Closes: #891228) * AST-2018-008 / CVE-2018-12227: PJSIP endpoint presence disclosure when using ACL (Closes: #902954) * AST-2018-009 / CVE-2018-17281: Remote crash vulnerability in HTTP websocket upgrade (Closes: #909554) Checksums-Sha1: 9a3d0f011044550d59f6bf8e2923c431397c4e2e 4133 asterisk_13.14.1~dfsg-2+deb9u4.dsc d5d169d9367ec8d67cc3aa9f07fed12d0400c050 154060 asterisk_13.14.1~dfsg-2+deb9u4.debian.tar.xz 64bbea1c48356a6dd0c687a3b1fcc939388260af 27619 asterisk_13.14.1~dfsg-2+deb9u4_amd64.buildinfo Checksums-Sha256: fae9d4d830d8c45e6c294a27db8c8133bb84671e60a29876416abce9cabdc878 4133 asterisk_13.14.1~dfsg-2+deb9u4.dsc 4a2bbbcd52004c4b3a5a829335737871f0f316cc5998f303b74243858c252255 154060 asterisk_13.14.1~dfsg-2+deb9u4.debian.tar.xz ca23a882cdb0309c2f412598a28cddb950cdecae8acf80bb7d311b4332ac9301 27619 asterisk_13.14.1~dfsg-2+deb9u4_amd64.buildinfo Files: 8a617142c87fedca32b83bee1dab0c83 4133 comm optional asterisk_13.14.1~dfsg-2+deb9u4.dsc e6fe8549c46eefceb013bd4ff2fba769 154060 comm optional asterisk_13.14.1~dfsg-2+deb9u4.debian.tar.xz b7e962fcb77a55234f6e21e240ede4b0 27619 comm optional asterisk_13.14.1~dfsg-2+deb9u4_amd64.buildinfo -----BEGIN PGP SIGNATURE----- iQJFBAEBCgAvFiEE1uAexRal3873GVbTd1B55bhQvJMFAlvDtFkRHGJlcm5pQGRl Ymlhbi5vcmcACgkQd1B55bhQvJOXlA//Wa/OyyBpgrTSLo0jtgPuvvkzQaUjai8Q m00ggHJWacLlNj5fFHzUthWuoC26Sy31QziXfBoUBiJ/T8IMOruNh1cs5F0Uw/qA 14PO9irEivgq1aGzPMqJLMXiZofpJU3dz4Jm9hsGCZwtY9SX4k9UroMZYPxaUbIm wCJ7c+ALOjv1U+aTDTWDQg8h1t1G6MdyBpaughVkuddfx0Sgxf17DNrbq1+OKpTC P8Z7PAijrWZPuxMyvEkbF5UgbU4B3Kw28kymSMdJhMRHNEuAyE4EmDlnifSwo5a3 Z3O+lW8eN4Y+HhuwPQW+ILdzG/wM8LwBvtMxoF7dSxnh2kg7gWPO9LaQsmuhZoyn bVrMmRG4M1hryu/1fUh25wH+xuY3ajYJ0G8LXhenyAILyazmI8PKwj7ZGr0JZCl7 bTKLU1rZ/DTuebMG3J6nw6+uykAezWClg/KI5jaZEchxv9eMg2HEigG7wGbDydwh YmkD7h6NmpM2tw+7+DOoCJvtZWgNAY3vc+9dApGGDJeUVfDV1KfQPF7aSMCHKhF7 2WL9tpvVStVAvKUQUHKyz517eHPVE4GeejLVnwdB9kF2C0koEzfUbY5cFO1wW8Q0 Dt2/LKqa1W452g1iJadnDmIRx2Ry0rWXHQOOk74x3us+w6HLgp5AeAHbwbKecADa UTCgAhtIYE8= =m3FA -----END PGP SIGNATURE-----
--- End Message ---
