Your message dated Tue, 19 Dec 2023 17:29:01 +0100
with message-id <170300334140.5338.8172443677664721...@auryn.jones.dk>
and subject line Re: Bug#1032092: asterisk: CVE-2022-23537 CVE-2022-23547 CVE-2022-39269
has caused the Debian Bug report #1032092,
regarding asterisk: CVE-2022-23537 CVE-2022-23547 CVE-2022-39269
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1032092: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1032092
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: asterisk
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security
Hi,
The following vulnerabilities were published for asterisk.
CVE-2022-23537[0]:
| PJSIP is a free and open source multimedia communication library
| written in C language implementing standard based protocols such as
| SIP, SDP, RTP, STUN, TURN, and ICE. Buffer overread is possible when
| parsing a specially crafted STUN message with unknown attribute. The
| vulnerability affects applications that use STUN including PJNATH and
| PJSUA-LIB. The patch is available as a commit in the master branch
| (2.13.1).
https://github.com/pjsip/pjproject/security/advisories/GHSA-9pfh-r8x4-w26w
https://github.com/pjsip/pjproject/commit/d8440f4d711a654b511f50f79c0445b26f9dd1e1
CVE-2022-23547[1]:
| PJSIP is a free and open source multimedia communication library
| written in C language implementing standard based protocols such as
| SIP, SDP, RTP, STUN, TURN, and ICE. This issue is similar to
| GHSA-9pfh-r8x4-w26w. Possible buffer overread when parsing a certain
| STUN message. The vulnerability affects applications that use STUN
| including PJNATH and PJSUA-LIB. The patch is available as commit in
| the master branch.
https://github.com/pjsip/pjproject/security/advisories/GHSA-9pfh-r8x4-w26w
https://github.com/pjsip/pjproject/commit/d8440f4d711a654b511f50f79c0445b26f9dd1e1
https://github.com/pjsip/pjproject/security/advisories/GHSA-cxwq-5g9x-x7fr
https://github.com/pjsip/pjproject/commit/bc4812d31a67d5e2f973fbfaf950d6118226cf36
CVE-2022-39269[2]:
| PJSIP is a free and open source multimedia communication library
| written in C. When processing certain packets, PJSIP may incorrectly
| switch from using SRTP media transport to using basic RTP upon SRTP
| restart, causing the media to be sent insecurely. The vulnerability
| impacts all PJSIP users that use SRTP. The patch is available as
| commit d2acb9a in the master branch of the project and will be
| included in version 2.13. Users are advised to manually patch or to
| upgrade. There are no known workarounds for this vulnerability.
https://github.com/pjsip/pjproject/security/advisories/GHSA-wx5m-cj97-4wwg
https://github.com/pjsip/pjproject/commit/d2acb9af4e27b5ba75d658690406cec9c274c5cc
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2022-23537
https://www.cve.org/CVERecord?id=CVE-2022-23537
[1] https://security-tracker.debian.org/tracker/CVE-2022-23547
https://www.cve.org/CVERecord?id=CVE-2022-23547
[2] https://security-tracker.debian.org/tracker/CVE-2022-39269
https://www.cve.org/CVERecord?id=CVE-2022-39269
Please adjust the affected versions in the BTS as needed.
--- End Message ---
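The two STUN advisories above (CVE-2022-23537 and CVE-2022-23547) describe the same bug class: a buffer overread while walking the attribute list of a crafted STUN message, including one carrying an attribute type the parser does not recognise. The bounds-checked attribute walker below is an added illustration of the check such a parser must perform; it is not pjproject's code and does not reproduce the exact upstream defect or its fix. The sample messages are constructed for this example, and the unknown attribute type 0x7FFE is an arbitrary value chosen for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* STUN (RFC 5389): 20-byte fixed header, then attributes encoded as
 * 2-byte type, 2-byte length, value padded to a 4-byte boundary.
 * The length field excludes the padding. */
#define STUN_HDR_LEN 20
#define STUN_MAGIC   0x2112A442u

static uint16_t rd16(const uint8_t *p)
{
    return (uint16_t)((p[0] << 8) | p[1]);
}

static uint32_t rd32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | p[3];
}

/* Walk the attribute list, validating every declared length against the
 * bytes actually present before the value is touched. Unknown attribute
 * types are skipped under the same bounds rule as known ones, so a crafted
 * length on an unrecognised attribute cannot move the cursor past the
 * buffer. Returns the attribute count, or -1 for a malformed message
 * (short header, header length disagreeing with the datagram, or an
 * attribute whose length runs past the end of the buffer). */
int stun_count_attrs(const uint8_t *buf, size_t len)
{
    if (len < STUN_HDR_LEN) return -1;
    if ((buf[0] & 0xC0) != 0) return -1;              /* top two bits must be zero */
    if (rd32(buf + 4) != STUN_MAGIC) return -1;
    uint16_t msg_len = rd16(buf + 2);
    if ((msg_len & 3) != 0) return -1;                /* attribute area is 4-byte aligned */
    if ((size_t)msg_len + STUN_HDR_LEN > len) return -1; /* header claims more than we hold */

    size_t off = STUN_HDR_LEN, end = STUN_HDR_LEN + msg_len;
    int count = 0;
    while (off < end) {
        if (end - off < 4) return -1;                 /* no room for type + length */
        uint16_t alen = rd16(buf + off + 2);
        size_t padded = ((size_t)alen + 3) & ~(size_t)3;
        /* This is the check whose absence yields an overread: the declared
         * value length must fit in what remains of the message. */
        if (padded > end - off - 4) return -1;
        /* A real parser would decode known types from buf + off + 4 here. */
        off += 4 + padded;
        count++;
    }
    return count;
}

/* Constructed Binding Request: SOFTWARE ("test") followed by an attribute of
 * unknown type 0x7FFE with a 3-byte value plus one pad byte. msg_len = 16. */
const uint8_t SAMPLE_GOOD[] = {
    0x00, 0x01, 0x00, 0x10, 0x21, 0x12, 0xA4, 0x42,
    0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0A, 0x0B,
    0x80, 0x22, 0x00, 0x04, 0x74, 0x65, 0x73, 0x74,
    0x7F, 0xFE, 0x00, 0x03, 0x01, 0x02, 0x03, 0x00,
};

/* Same message, but the unknown attribute claims a 256-byte value while
 * only 4 bytes remain: a naive skip would read far past the buffer. */
const uint8_t SAMPLE_BAD_ATTR_LEN[] = {
    0x00, 0x01, 0x00, 0x10, 0x21, 0x12, 0xA4, 0x42,
    0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0A, 0x0B,
    0x80, 0x22, 0x00, 0x04, 0x74, 0x65, 0x73, 0x74,
    0x7F, 0xFE, 0x01, 0x00, 0x01, 0x02, 0x03, 0x00,
};

int main(void)
{
    printf("good message: %d attributes\n",
           stun_count_attrs(SAMPLE_GOOD, sizeof SAMPLE_GOOD));
    printf("oversized unknown attribute: %d\n",
           stun_count_attrs(SAMPLE_BAD_ATTR_LEN, sizeof SAMPLE_BAD_ATTR_LEN));
    printf("truncated datagram: %d\n",
           stun_count_attrs(SAMPLE_GOOD, 30));
    return 0;
}
```

The important property is that the cursor is only advanced after the declared length has been checked against the remaining bytes, and that this happens before the attribute type is consulted, so the unknown-attribute path cannot bypass it.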
--- Begin Message ---
Version: 20.4.0~dfsg+~cs6.13.40431414-1
Quoting Faidon Liambotis (2023-08-07 14:51:54)
> Dear maintainer, security team,
>
> (See #1036697 for a similar bug with an almost equivalent response)
>
> The changelog for the asterisk 1:20.4.0~dfsg+~cs6.13.40431414-1 upload
> dated 2023-08-04, currently in unstable, mentions:
> > + fixate component pjproject at upstream release 2.13.1
>
> The sources seem to indeed indicate that the version shipped for
> pjproject (aka PJSIP) is 2.13.1, which seems to have resolved the
> vulnerabilities listed below.
>
> Specifically:
>
> On Mon, Feb 27, 2023 at 08:48:36PM +0100, Moritz Mühlenhoff wrote:
> > CVE-2022-23537[0]:
> > | PJSIP is a free and open source multimedia communication library
> > | written in C language implementing standard based protocols such as
> > | SIP, SDP, RTP, STUN, TURN, and ICE. Buffer overread is possible when
> > | parsing a specially crafted STUN message with unknown attribute. The
> > | vulnerability affects applications that use STUN including PJNATH and
> > | PJSUA-LIB. The patch is available as a commit in the master branch
> > | (2.13.1).
> >
> > https://github.com/pjsip/pjproject/security/advisories/GHSA-9pfh-r8x4-w26w
> > https://github.com/pjsip/pjproject/commit/d8440f4d711a654b511f50f79c0445b26f9dd1e1
>
> Upstream says "Patched versions: 2.13.1" in the GitHub GHSA URL above.
>
> > CVE-2022-23547[1]:
> > | PJSIP is a free and open source multimedia communication library
> > | written in C language implementing standard based protocols such as
> > | SIP, SDP, RTP, STUN, TURN, and ICE. This issue is similar to
> > | GHSA-9pfh-r8x4-w26w. Possible buffer overread when parsing a certain
> > | STUN message. The vulnerability affects applications that use STUN
> > | including PJNATH and PJSUA-LIB. The patch is available as commit in
> > | the master branch.
> >
> > https://github.com/pjsip/pjproject/security/advisories/GHSA-cxwq-5g9x-x7fr
> > https://github.com/pjsip/pjproject/commit/bc4812d31a67d5e2f973fbfaf950d6118226cf36
>
> Upstream says "Patched versions: 2.13.1" in the GitHub GHSA URL above.
>
> > CVE-2022-39269[2]:
> > | PJSIP is a free and open source multimedia communication library
> > | written in C. When processing certain packets, PJSIP may incorrectly
> > | switch from using SRTP media transport to using basic RTP upon SRTP
> > | restart, causing the media to be sent insecurely. The vulnerability
> > | impacts all PJSIP users that use SRTP. The patch is available as
> > | commit d2acb9a in the master branch of the project and will be
> > | included in version 2.13. Users are advised to manually patch or to
> > | upgrade. There are no known workarounds for this vulnerability.
> >
> > https://github.com/pjsip/pjproject/security/advisories/GHSA-wx5m-cj97-4wwg
> > https://github.com/pjsip/pjproject/commit/d2acb9af4e27b5ba75d658690406cec9c274c5cc
>
> Upstream says "Patched versions: 2.13" in the GitHub GHSA URL above.
>
> > If you fix the vulnerabilities please also make sure to include the
> > CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
> >
> > [...]
> >
> > Please adjust the affected versions in the BTS as needed.
>
> As I'm neither the maintainer nor in the security team, I'm leaving
> these actions to you. Hopefully simple enough, once you confirm my
> findings :)
I can confirm that since asterisk release 20.4.0~dfsg+~cs6.13.40431414-1
it has been linked with an embedded copy of PJSIP 2.13.1, which according
to upstream should fix these three CVEs.
Thanks to Moritz Mühlenhoff and the security team for tracking and reporting
this, and to Faidon Liambotis for investigating - and sorry for the late
response.
- Jonas
--
* Jonas Smedegaard - idealist & Internet-arkitekt
* Tlf.: +45 40843136 Website: http://dr.jones.dk/
* Sponsorship: https://ko-fi.com/drjones
[x] quote me freely [ ] ask before reusing [ ] keep private
--- End Message ---