Your message dated Tue, 19 Dec 2023 17:49:28 +0000
with message-id <e1rfedg-00emxz...@fasolo.debian.org>
and subject line Bug#1059033: fixed in asterisk 1:20.5.1~dfsg+~cs6.13.40431414-1
has caused the Debian Bug report #1059033,
regarding asterisk: CVE-2023-49786
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1059033: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1059033
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: asterisk
Version: 1:20.5.0~dfsg+~cs6.13.40431414-1
Severity: grave
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Hi,
The following vulnerability was published for asterisk.
CVE-2023-49786[0]:
| Asterisk is an open source private branch exchange and telephony
| toolkit. In Asterisk prior to versions 18.20.1, 20.5.1, and 21.0.1;
| as well as certified-asterisk prior to 18.9-cert6; Asterisk is
| susceptible to a DoS due to a race condition in the hello handshake
| phase of the DTLS protocol when handling DTLS-SRTP for media setup.
| This attack can be done continuously, thus denying new DTLS-SRTP
| encrypted calls during the attack. Abuse of this vulnerability may
| lead to a massive Denial of Service on vulnerable Asterisk servers
| for calls that rely on DTLS-SRTP. Commit
| d7d7764cb07c8a1872804321302ef93bf62cba05 contains a fix, which is
| part of versions 18.20.1, 20.5.1, 21.0.1, and 18.9-cert6.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2023-49786
https://www.cve.org/CVERecord?id=CVE-2023-49786
[1] https://github.com/asterisk/asterisk/security/advisories/GHSA-hxj9-xwr8-w8pq
[2]
https://github.com/asterisk/asterisk/commit/d7d7764cb07c8a1872804321302ef93bf62cba05
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
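The advisory quoted in the report lists the first fixed release of each branch (18.20.1, 20.5.1, 21.0.1 and certified-asterisk 18.9-cert6). The following is an added example, not part of the bug report or of the Asterisk project, that turns that list into a version check a fleet owner can run against `asterisk -V` output or against a Debian package version such as `1:20.5.0~dfsg+~cs6.13.40431414-1`. The cut-off tuples are taken from the advisory text above; the handling of branches the advisory does not mention (they return `None` rather than a verdict) is an assumption of this example.

```python
"""Classify an Asterisk version against the CVE-2023-49786 fixed releases.

Added example; the fixed-version table is copied from the advisory text,
everything else (helper names, None for unlisted branches) is this example's choice.
"""
import re

# First release of each supported branch that contains the fix (from the advisory).
FIXED = {
    18: (18, 20, 1),
    20: (20, 5, 1),
    21: (21, 0, 1),
}
# certified-asterisk numbers releases as "<major>.<minor>-cert<N>"; 18.9-cert6 is fixed.
CERT_FIXED = {(18, 9): 6}

_CERT_RE = re.compile(r"^(\d+)\.(\d+)-cert(\d+)$")
_STD_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)$")


def is_vulnerable(version: str):
    """Return True if `version` predates the fix in its branch, False if it is at or
    past the fix, and None if the branch is not covered by the advisory (e.g. EOL 16.x
    or a release-candidate string), so the caller does not mistake 'unknown' for 'safe'."""
    m = _CERT_RE.match(version)
    if m:
        major, minor, cert = (int(x) for x in m.groups())
        fixed_cert = CERT_FIXED.get((major, minor))
        return None if fixed_cert is None else cert < fixed_cert
    m = _STD_RE.match(version)
    if m:
        parsed = tuple(int(x) for x in m.groups())
        fixed = FIXED.get(parsed[0])
        return None if fixed is None else parsed < fixed
    return None


def upstream_from_debian(debian_version: str) -> str:
    """Extract the upstream version from a Debian package version such as
    '1:20.5.0~dfsg+~cs6.13.40431414-1': drop the epoch ('1:') and everything from the
    first '~' (repack suffix) or '-' (Debian revision). Only for Debian package
    versions; certified-asterisk strings contain '-' and must not go through here."""
    without_epoch = debian_version.split(":", 1)[-1]
    return re.split(r"[~-]", without_epoch, maxsplit=1)[0]


if __name__ == "__main__":
    for v in ("1:20.5.0~dfsg+~cs6.13.40431414-1", "1:20.5.1~dfsg+~cs6.13.40431414-1"):
        print(v, "->", upstream_from_debian(v), "vulnerable:", is_vulnerable(upstream_from_debian(v)))
    for v in ("18.19.0", "18.20.1", "21.0.0", "18.9-cert5", "18.9-cert6", "16.30.0"):
        print(v, "vulnerable:", is_vulnerable(v))
```

The two Debian versions on this page (`20.5.0` in the report, `20.5.1` in the fix) fall on opposite sides of the 20.x cut-off, which is the check a Debian administrator would actually make; on a Debian host `dpkg-query -W asterisk` gives the package version to feed in.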
--- Begin Message ---
Source: asterisk
Source-Version: 1:20.5.1~dfsg+~cs6.13.40431414-1
Done: Jonas Smedegaard <d...@jones.dk>
We believe that the bug you reported is fixed in the latest version of
asterisk, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1059...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Jonas Smedegaard <d...@jones.dk> (supplier of updated asterisk package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Tue, 19 Dec 2023 17:38:11 +0100
Source: asterisk
Architecture: source
Version: 1:20.5.1~dfsg+~cs6.13.40431414-1
Distribution: unstable
Urgency: high
Maintainer: Debian VoIP Team <pkg-voip-maintain...@lists.alioth.debian.org>
Changed-By: Jonas Smedegaard <d...@jones.dk>
Closes: 1025165 1059032 1059033
Changes:
 asterisk (1:20.5.1~dfsg+~cs6.13.40431414-1) unstable; urgency=high
 .
   [ upstream ]
   * new release
     + fixes these upstream bugs:
       CVE-2023-49294 CVE-2023-49786;
       closes: bug#1059032, #1059033, thanks to Salvatore Bonaccorso
 .
   [ Jonas Smedegaard ]
   * fix enable opus codec;
     build-depend on libopusenc-dev;
     closes: bug#1025165,
     thanks to Paweł Bogusławski, Faidon Liambotis and Athos Ribeiro
   * set urgency=high due to multiple security bugfixes
Checksums-Sha1:
 6470cb3ac2d53fb4acb745a07a9112441a0df273 5308 asterisk_20.5.1~dfsg+~cs6.13.40431414-1.dsc
 450b21cbdd4f92f333b02d202e445b443acb0b2a 11268 asterisk_20.5.1~dfsg+~cs6.13.40431414.orig-Xamr.tar.xz
 96bf3ae2008bc5a46c9f894651110db771dc91a3 21936 asterisk_20.5.1~dfsg+~cs6.13.40431414.orig-Xmp3.tar.xz
 efd36da4be8883797c8ccb0ca1a41b933c1f19c9 22548 asterisk_20.5.1~dfsg+~cs6.13.40431414.orig-Xopus.tar.xz
 f03bb9131eb5f988152a8881a8b39299975c5296 5841276 asterisk_20.5.1~dfsg+~cs6.13.40431414.orig-Xpjproject.tar.xz
 092f5108c568d29b6c68bd9791bf1e831df74890 7299936 asterisk_20.5.1~dfsg+~cs6.13.40431414.orig.tar.xz
 d091fd659096acf2a82e6bcde1a0396b8ffdbcff 134696 asterisk_20.5.1~dfsg+~cs6.13.40431414-1.debian.tar.xz
 0e8958ab6528c281d9fda05bd77c6ea0e707b323 26812 asterisk_20.5.1~dfsg+~cs6.13.40431414-1_amd64.buildinfo
Checksums-Sha256:
 e52ed4aacc691c4058a88c378bf5a3d4e58f9be65d2e4083ca5b78cf05c4efea 5308 asterisk_20.5.1~dfsg+~cs6.13.40431414-1.dsc
 ba0e753d9e008ad4d55c112dd0dd628fa3ce57e85f7ca5ff117fdc47e90021d8 11268 asterisk_20.5.1~dfsg+~cs6.13.40431414.orig-Xamr.tar.xz
 7392b3cc01080322460f028363dba477df3ac25fe9dc25d3aaae20a2d6177e95 21936 asterisk_20.5.1~dfsg+~cs6.13.40431414.orig-Xmp3.tar.xz
 1dc2659ade0eb9207a5d22df188690d1528e74374f1e0dbef4a74d824c90c9cf 22548 asterisk_20.5.1~dfsg+~cs6.13.40431414.orig-Xopus.tar.xz
 407791807c8d5fcceb86a131e59c03ff31fa88261ec0f190489de91ef6a40196 5841276 asterisk_20.5.1~dfsg+~cs6.13.40431414.orig-Xpjproject.tar.xz
 676204da0f0f2ff3767ae9c9021790f6ca86b3df912edff56dd15ca6857866c1 7299936 asterisk_20.5.1~dfsg+~cs6.13.40431414.orig.tar.xz
 46905399c7631c755feaefcbdf0c8d3a08f7654a3472fdefcf641835fc0e92ea 134696 asterisk_20.5.1~dfsg+~cs6.13.40431414-1.debian.tar.xz
 b756e165858633b74865a8f1aee438d7fd66b3af0e5e0246a93e36b15c2318e8 26812 asterisk_20.5.1~dfsg+~cs6.13.40431414-1_amd64.buildinfo
Files:
 2dc1736853804ff4442967079c07c00f 5308 comm optional asterisk_20.5.1~dfsg+~cs6.13.40431414-1.dsc
 2f288da7d163b555955e1351203cb972 11268 comm optional asterisk_20.5.1~dfsg+~cs6.13.40431414.orig-Xamr.tar.xz
 e36d4f45ad47523be5f21a88e8b6c0d8 21936 comm optional asterisk_20.5.1~dfsg+~cs6.13.40431414.orig-Xmp3.tar.xz
 a28346e11689859feea371218e977f53 22548 comm optional asterisk_20.5.1~dfsg+~cs6.13.40431414.orig-Xopus.tar.xz
 a78abc4cc71ec9824d88199aa0166bf5 5841276 comm optional asterisk_20.5.1~dfsg+~cs6.13.40431414.orig-Xpjproject.tar.xz
 efc62ae650319ee435fa918fbb2e228f 7299936 comm optional asterisk_20.5.1~dfsg+~cs6.13.40431414.orig.tar.xz
 0ca4f3f23d0680c9bef4ee3e72d4b516 134696 comm optional asterisk_20.5.1~dfsg+~cs6.13.40431414-1.debian.tar.xz
 166c928c49e8f3ce2c18d18ffebab5bd 26812 comm optional asterisk_20.5.1~dfsg+~cs6.13.40431414-1_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
=vDy2
-----END PGP SIGNATURE-----
--- End Message ---
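The signed .changes file above lists a SHA-256 digest and size for every source artifact of the fixed upload. The following is an added example, not Debian tooling and not part of either message, showing how to parse that `Checksums-Sha256:` stanza and verify downloaded files against it, reporting a truncated file (size mismatch) separately from a modified one (hash mismatch). It assumes the stanza layout shown above (one space of indentation, `<hash> <size> <filename>` per line); the sample stanza and the two sample files are constructed for the demonstration, using the digests of an empty file and of the bytes `b"hello\n"`. The digests only mean something once the enclosing PGP signature has been checked against the maintainer's key in the Debian keyring (`gpg --verify` on the .changes), which this example does not do.

```python
"""Parse a Debian .changes Checksums-Sha256 stanza and verify files against it.

Added example; SAMPLE_CHANGES and the files written by demo() are constructed
inputs, not the real asterisk artifacts listed on this page.
"""
import hashlib
import os
import tempfile


def parse_checksums(changes_text: str, field: str = "Checksums-Sha256") -> dict:
    """Return {filename: (hexdigest, size)} from the continuation lines of `field`.
    Each continuation line is '<hash> <size> <filename>'; the stanza ends at the
    first line that is not indented (the next field of the control file)."""
    entries = {}
    in_field = False
    for line in changes_text.splitlines():
        if line.startswith(field + ":"):
            in_field = True
            continue
        if in_field:
            if not line.startswith((" ", "\t")):
                break
            digest, size, name = line.split()
            entries[name] = (digest.lower(), int(size))
    return entries


def verify_files(changes_text: str, directory: str) -> dict:
    """Check every listed file in `directory`; return {filename: status} where status
    is 'ok', 'missing', 'size-mismatch' or 'hash-mismatch'. Size is compared before
    hashing so a truncated download is reported as such rather than as tampering."""
    results = {}
    for name, (want_digest, want_size) in parse_checksums(changes_text).items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = "missing"
            continue
        if os.path.getsize(path) != want_size:
            results[name] = "size-mismatch"
            continue
        h = hashlib.sha256()
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
        results[name] = "ok" if h.hexdigest() == want_digest else "hash-mismatch"
    return results


# Constructed two-file stanza in the layout of the real .changes above. The first
# digest is SHA-256 of an empty file, the second is SHA-256 of b"hello\n" (6 bytes).
SAMPLE_CHANGES = """\
Format: 1.8
Source: example
Checksums-Sha256:
 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 0 example_1.0.orig.tar.xz
 5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03 6 example_1.0-1.debian.tar.xz
Files:
 d41d8cd98f00b204e9800998ecf8427e 0 comm optional example_1.0.orig.tar.xz
"""


def demo() -> dict:
    """Write the two sample files, with the second one altered but kept at the listed
    size, then verify: expect 'ok' for the first and 'hash-mismatch' for the second."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "example_1.0.orig.tar.xz"), "wb") as f:
            f.write(b"")
        with open(os.path.join(d, "example_1.0-1.debian.tar.xz"), "wb") as f:
            f.write(b"HELLO\n")  # same length as b"hello\n", different bytes
        return verify_files(SAMPLE_CHANGES, d)


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{status:14s} {name}")
```

Against the real upload, the stanza would be taken from the signature-verified .changes and `directory` would hold the eight files fetched from the archive; `dscverify` from devscripts does the same job, signature check included, and is what a Debian developer would normally reach for.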