Your message dated Sat, 30 Jul 2022 09:04:14 +0000
with message-id <e1ohiom-0008zw...@fasolo.debian.org>
and subject line Bug#1014976: fixed in asterisk
1:18.14.0~~rc1~dfsg+~cs6.12.40431414-1
has caused the Debian Bug report #1014976,
regarding asterisk: CVE-2022-24764 CVE-2022-24763 CVE-2022-24786 CVE-2022-24792
CVE-2022-24793
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1014976: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1014976
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: asterisk
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security
Hi,
The following vulnerabilities were published for asterisk.
CVE-2022-24764[0]:
| PJSIP is a free and open source multimedia communication library
| written in C. Versions 2.12 and prior contain a stack buffer overflow
| vulnerability that affects PJSUA2 users or users that call the API
| `pjmedia_sdp_print(), pjmedia_sdp_media_print()`. Applications that do
| not use PJSUA2 and do not directly call `pjmedia_sdp_print()` or
| `pjmedia_sdp_media_print()` should not be affected. A patch is
| available on the `master` branch of the `pjsip/pjproject` GitHub
| repository. There are currently no known workarounds.
https://github.com/pjsip/pjproject/security/advisories/GHSA-f5qg-pqcg-765m
https://github.com/pjsip/pjproject/commit/560a1346f87aabe126509bb24930106dea292b00
CVE-2022-24763[1]:
| PJSIP is a free and open source multimedia communication library
| written in the C language. Versions 2.12 and prior contain a
| denial-of-service vulnerability that affects PJSIP users that consume
| PJSIP's XML parsing in their apps. Users are advised to update. There
| are no known workarounds.
https://github.com/pjsip/pjproject/security/advisories/GHSA-5x45-qp78-g4p4
https://github.com/pjsip/pjproject/commit/856f87c2e97a27b256482dbe0d748b1194355a21
CVE-2022-24786[2]:
| PJSIP is a free and open source multimedia communication library
| written in C. PJSIP versions 2.12 and prior do not parse incoming RTCP
| feedback RPSI (Reference Picture Selection Indication) packets, but any
| app that directly uses pjmedia_rtcp_fb_parse_rpsi() will be affected.
| A patch is available in the `master` branch of the `pjsip/pjproject`
| GitHub repository. There are currently no known workarounds.
https://github.com/pjsip/pjproject/security/advisories/GHSA-vhxv-phmx-g52q
https://github.com/pjsip/pjproject/commit/11559e49e65bdf00922ad5ae28913ec6a198d508
CVE-2022-24792[3]:
| PJSIP is a free and open source multimedia communication library
| written in C. A denial-of-service vulnerability affects applications
| on 32-bit systems that use PJSIP versions 2.12 and prior to
| play/read invalid WAV files. The vulnerability occurs when reading WAV
| file data chunks with length greater than 31-bit integers. The
| vulnerability does not affect 64-bit apps and should not affect apps
| that only play trusted WAV files. A patch is available on the
| `master` branch of the `pjsip/pjproject` GitHub repository. As a
| workaround, apps can reject a WAV file received from an unknown source
| or validate the file first.
https://github.com/pjsip/pjproject/security/advisories/GHSA-rwgw-vwxg-q799
https://github.com/pjsip/pjproject/commit/947bc1ee6d05be10204b918df75a503415fd3213
CVE-2022-24793[4]:
| PJSIP is a free and open source multimedia communication library
| written in C. A buffer overflow vulnerability in versions 2.12 and
| prior affects applications that use PJSIP DNS resolution. It doesn't
| affect PJSIP users who utilize an external resolver. A patch is
| available in the `master` branch of the `pjsip/pjproject` GitHub
| repository. A workaround is to disable DNS resolution in PJSIP config
| (by setting `nameserver_count` to zero) or use an external resolver
| instead.
https://github.com/pjsip/pjproject/security/advisories/GHSA-p6g5-v97c-w5q4
https://github.com/pjsip/pjproject/commit/9fae8f43accef8ea65d4a8ae9cdf297c46cfe29a
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2022-24764
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24764
[1] https://security-tracker.debian.org/tracker/CVE-2022-24763
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24763
[2] https://security-tracker.debian.org/tracker/CVE-2022-24786
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24786
[3] https://security-tracker.debian.org/tracker/CVE-2022-24792
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24792
[4] https://security-tracker.debian.org/tracker/CVE-2022-24793
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24793
Please adjust the affected versions in the BTS as needed.
--- End Message ---
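The workaround quoted above for CVE-2022-24792 is to validate a WAV file before playing it. The following C program is an added example, not code from PJSIP, Asterisk or the Debian package: it walks the RIFF/WAVE chunk headers and rejects any chunk whose declared length does not fit in a signed 32-bit int, which is the condition the advisory describes for 32-bit builds. The WAV_* result codes and the build_wav and check_sample helpers are assumptions of this example.

```c
/* Added example (not PJSIP or Debian code): validate RIFF/WAVE chunk headers before
 * handing a file to a media library. It rejects any chunk whose declared length does
 * not fit in a signed 32-bit int, the condition CVE-2022-24792 describes. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
enum { WAV_OK = 0, WAV_ERR_SHORT, WAV_ERR_NOT_WAVE, WAV_ERR_TOO_LARGE, WAV_ERR_OVERRUN };
static uint32_t le32(const unsigned char *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void put_le32(unsigned char *p, uint32_t v) {
    p[0] = v & 0xff; p[1] = (v >> 8) & 0xff; p[2] = (v >> 16) & 0xff; p[3] = (v >> 24) & 0xff;
}
/* Walk every chunk after the 12-byte RIFF header; return a WAV_* code. */
int wav_validate(const unsigned char *buf, size_t len) {
    if (len < 12) return WAV_ERR_SHORT;
    if (memcmp(buf, "RIFF", 4) != 0 || memcmp(buf + 8, "WAVE", 4) != 0) return WAV_ERR_NOT_WAVE;
    size_t off = 12;
    while (off < len) {
        if (len - off < 8) return WAV_ERR_SHORT;
        uint32_t clen = le32(buf + off + 4);
        /* A reader that stores this length in an int sees values >= 2^31 as negative on a
         * 32-bit build. Reject them up front, whatever the host's word size. */
        if (clen > (uint32_t)INT32_MAX) return WAV_ERR_TOO_LARGE;
        off += 8;
        if (clen > len - off) return WAV_ERR_OVERRUN; /* header claims more bytes than exist */
        off += clen + (clen & 1);                      /* RIFF pads odd chunks to even length */
    }
    return WAV_OK;
}
/* Constructed sample (hypothetical): minimal WAV with a 16-byte "fmt " chunk and a "data"
 * chunk whose length field is chosen by the caller, so a lying header can be exercised. */
size_t build_wav(unsigned char *out, uint32_t data_len_field, size_t data_bytes) {
    memcpy(out, "RIFF", 4); put_le32(out + 4, (uint32_t)(36 + data_bytes)); memcpy(out + 8, "WAVE", 4);
    memcpy(out + 12, "fmt ", 4); put_le32(out + 16, 16); memset(out + 20, 0, 16);
    memcpy(out + 36, "data", 4); put_le32(out + 40, data_len_field); memset(out + 44, 0, data_bytes);
    return 44 + data_bytes;
}
/* Build a sample (data_bytes <= 20) with the given data-chunk length field and validate it. */
int check_sample(uint32_t data_len_field, size_t data_bytes) {
    unsigned char buf[64];
    return wav_validate(buf, build_wav(buf, data_len_field, data_bytes));
}
int main(void) {
    printf("well-formed file -> %d (WAV_OK)\n", check_sample(4, 4));
    printf("31-bit overflow  -> %d (WAV_ERR_TOO_LARGE)\n", check_sample(0x80000000u, 4));
    printf("length > payload -> %d (WAV_ERR_OVERRUN)\n", check_sample(100, 4));
    return 0;
}
```

A real deployment would run this check over the whole file before it reaches the media stack; the length bound is the one that matters on 32-bit hosts, while the overrun check catches the same class of lying header on any architecture.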
--- Begin Message ---
Source: asterisk
Source-Version: 1:18.14.0~~rc1~dfsg+~cs6.12.40431414-1
Done: Jonas Smedegaard <d...@jones.dk>
We believe that the bug you reported is fixed in the latest version of
asterisk, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1014...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Jonas Smedegaard <d...@jones.dk> (supplier of updated asterisk package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
Format: 1.8
Date: Sat, 30 Jul 2022 10:16:47 +0200
Source: asterisk
Architecture: source
Version: 1:18.14.0~~rc1~dfsg+~cs6.12.40431414-1
Distribution: unstable
Urgency: medium
Maintainer: Debian VoIP Team <pkg-voip-maintain...@lists.alioth.debian.org>
Changed-By: Jonas Smedegaard <d...@jones.dk>
Closes: 1014976
Changes:
asterisk (1:18.14.0~~rc1~dfsg+~cs6.12.40431414-1) unstable; urgency=medium
.
[ upstream ]
* new pre-release;
embeds an updated PJProject, fixing multiple security issues;
CVE-2022-24764 CVE-2022-24763 CVE-2022-24786
CVE-2022-24792 CVE-2022-24793;
closes: bug#1014976
.
[ Jonas Smedegaard ]
* update watch file:
+ fixate component pjproject at upstream release 2.12.1
+ track pre-releases
* update copyright info:
+ update primary Source URI
+ update coverage
--- End Message ---