Your message dated Tue, 23 Feb 2021 08:33:33 +0000
with message-id <e1let8p-000axu...@fasolo.debian.org>
and subject line Bug#983159: fixed in asterisk 1:16.16.1~dfsg-1
has caused the Debian Bug report #983159,
regarding asterisk: CVE-2021-26906
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
983159: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=983159
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: asterisk
Version: 1:16.15.1~dfsg-1
Severity: grave
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Hi,
The following vulnerability was published for asterisk, filing as RC
but this might not be warranted, if you feel otherwise please
downgrade. I made it such because of the unauthenticated vector.
CVE-2021-26906[0]:
| An issue was discovered in res_pjsip_session.c in Digium Asterisk
| through 13.38.1; 14.x, 15.x, and 16.x through 16.16.0; 17.x through
| 17.9.1; and 18.x through 18.2.0, and Certified Asterisk through
| 16.8-cert5. An SDP negotiation vulnerability in PJSIP allows a remote
| server to potentially crash Asterisk by sending specific SIP responses
| that cause an SDP negotiation failure.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2021-26906
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26906
[1] https://downloads.asterisk.org/pub/security/AST-2021-005.html
Please adjust the affected versions in the BTS as needed.
Regards,
salvatore
--- End Message ---
--- Begin Message ---
Source: asterisk
Source-Version: 1:16.16.1~dfsg-1
Done: Bernhard Schmidt <be...@debian.org>
We believe that the bug you reported is fixed in the latest version of
asterisk, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 983...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Bernhard Schmidt <be...@debian.org> (supplier of updated asterisk package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Mon, 22 Feb 2021 21:45:24 +0100
Source: asterisk
Architecture: source
Version: 1:16.16.1~dfsg-1
Distribution: unstable
Urgency: medium
Maintainer: Debian VoIP Team <pkg-voip-maintain...@lists.alioth.debian.org>
Changed-By: Bernhard Schmidt <be...@debian.org>
Closes: 983157 983158 983159
Changes:
 asterisk (1:16.16.1~dfsg-1) unstable; urgency=medium
 .
   * New minor upstream version 16.16.1~dfsg
     - CVE-2020-35776 / AST-2021-001 (Closes: #983158)
       Remote crash in res_pjsip_diversion
     - CVE-2021-26717 / AST-2021-002 (Closes: #983157)
       Remote crash possible when negotiating T.38
     - CVE-2021-26712 / AST-2021-003
       Remote attacker could prematurely tear down SRTP calls
     - CVE-2021-26713 / AST-2021-004
       An unsuspecting WebRTC user could crash Asterisk with multiple
       hold/unhold requests
     - CVE-2021-26906 / AST-2021-005 (Closes: #983159)
       Remote Crash Vulnerability in PJSIP channel driver
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---