Package: src:asterisk; Maintainer for src:asterisk is Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>;
Reported by: Bernhard Schmidt <berni@debian.org>
Date: Fri, 1 Sep 2017 06:33:04 UTC
Severity: important
Tags: fixed-upstream, security, upstream
Found in version asterisk/1:11.5.1~dfsg-1
Fixed in versions asterisk/1:13.17.1~dfsg-1, asterisk/1:13.14.1~dfsg-2+deb9u1, asterisk/1:11.13.1~dfsg-2+deb8u3
Done: Bernhard Schmidt <berni@debian.org>
Bug is archived. No further changes may be made.
Forwarded to https://issues.asterisk.org/jira/browse/ASTERISK-27103
Report forwarded
to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>:
Bug#873908; Package src:asterisk.
(Fri, 01 Sep 2017 06:33:06 GMT)
Acknowledgement sent
to Bernhard Schmidt <berni@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>.
(Fri, 01 Sep 2017 06:33:06 GMT)
Message #5 received at submit@bugs.debian.org:
Package: src:asterisk
Severity: important
Tags: security
Asterisk Project Security Advisory - AST-2017-006

Product:            Asterisk
Summary:            Shell access command injection in app_minivm
Nature of Advisory: Unauthorized command execution
Susceptibility:     Remote Authenticated Sessions
Severity:           Moderate
Exploits Known:     No
Reported On:        July 1, 2017
Reported By:        Corey Farrell
Posted On:
Last Updated On:    July 11, 2017
Advisory Contact:   Richard Mudgett <rmudgett AT digium DOT com>
CVE Name:

Description: The app_minivm module has an “externnotify” program
configuration option that is executed by the MinivmNotify
dialplan application. The application uses the caller-id
name and number as part of a built string passed to the OS
shell for interpretation and execution. Since the caller-id
name and number can come from an untrusted source, a
crafted caller-id name or number allows an arbitrary shell
command injection.

Resolution: Patched Asterisk’s app_minivm module to use a different
system call that passes argument strings in an array instead
of having the OS shell determine the application parameter
boundaries.

Affected Versions
Product                 Release Series
Asterisk Open Source    11.x      All releases
Asterisk Open Source    13.x      All releases
Asterisk Open Source    14.x      All releases
Certified Asterisk      11.6      All releases
Certified Asterisk      13.13     All releases

Corrected In
Product                 Release
Asterisk Open Source    11.25.2, 13.17.1, 14.6.1
Certified Asterisk      11.6-cert17, 13.13-cert5

Patches
SVN URL                                                                  Revision
http://downloads.asterisk.org/pub/security/AST-2017-006-11.diff          Asterisk 11
http://downloads.asterisk.org/pub/security/AST-2017-006-13.diff          Asterisk 13
http://downloads.asterisk.org/pub/security/AST-2017-006-14.diff          Asterisk 14
http://downloads.asterisk.org/pub/security/AST-2017-006-11.6.diff        Certified Asterisk 11.6
http://downloads.asterisk.org/pub/security/AST-2017-006-13.13.diff       Certified Asterisk 13.13

Links: https://issues.asterisk.org/jira/browse/ASTERISK-27103

Asterisk Project Security Advisories are posted at
http://www.asterisk.org/security
This document may be superseded by later versions; if so, the latest
version will be posted at
http://downloads.digium.com/pub/security/AST-2017-006.pdf and
http://downloads.digium.com/pub/security/AST-2017-006.html

Revision History
Date             Editor             Revisions Made
July 11, 2017    Richard Mudgett    Initial document created

Copyright © 2017 Digium, Inc. All Rights Reserved.
Permission is hereby granted to distribute and publish this advisory in its
original, unaltered form.
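
Added example, not part of the advisory and not Asterisk's own code: the difference between the built-string call described under Description and the argument-array call described under Resolution, shown with plain fork/execv. The program path /bin/echo (standing in for the configured externnotify program), the function names and the sample caller-id are assumptions constructed for this illustration.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Constructed sample values, not taken from the advisory. */
#define NOTIFY_PROG "/bin/echo"            /* assumed stand-in for externnotify */
#define SAMPLE_CID  "Alice; echo INJECTED" /* constructed caller-id name */

/* Run argv[0] with the given argument vector and capture its stdout.
 * Returns the child's exit status, or -1 on failure. */
static int run_capture(char *const argv[], char *out, size_t outlen)
{
    int fds[2], status;
    size_t used = 0;
    ssize_t n;
    pid_t pid;

    if (outlen == 0 || pipe(fds) != 0)
        return -1;
    pid = fork();
    if (pid < 0) {
        close(fds[0]);
        close(fds[1]);
        return -1;
    }
    if (pid == 0) {
        /* Child: send stdout to the pipe, then replace the process image. */
        dup2(fds[1], STDOUT_FILENO);
        close(fds[0]);
        close(fds[1]);
        execv(argv[0], argv);
        _exit(127);
    }
    close(fds[1]);
    while (used < outlen - 1 &&
           (n = read(fds[0], out + used, outlen - 1 - used)) > 0)
        used += (size_t)n;
    out[used] = '\0';
    close(fds[0]);
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

/* BEFORE: the caller-id is pasted into one string and /bin/sh decides
 * where arguments and commands begin and end. */
int notify_via_shell(const char *prog, const char *cid, char *out, size_t outlen)
{
    char sh[] = "/bin/sh", dash_c[] = "-c";
    char cmd[256];
    char *argv[] = { sh, dash_c, cmd, NULL };
    int n = snprintf(cmd, sizeof(cmd), "%s %s", prog, cid);

    if (n < 0 || (size_t)n >= sizeof(cmd))
        return -1;
    return run_capture(argv, out, outlen);
}

/* AFTER: the caller-id is exactly one argv element; no shell parses it,
 * so metacharacters in it are ordinary bytes. execv() does not modify the
 * strings, so the casts only satisfy its prototype. */
int notify_via_argv(const char *prog, const char *cid, char *out, size_t outlen)
{
    char *argv[] = { (char *)prog, (char *)cid, NULL };

    return run_capture(argv, out, outlen);
}

int main(void)
{
    char out[256];

    if (notify_via_shell(NOTIFY_PROG, SAMPLE_CID, out, sizeof(out)) == 0)
        printf("built string via shell:\n%s", out);
    if (notify_via_argv(NOTIFY_PROG, SAMPLE_CID, out, sizeof(out)) == 0)
        printf("argument array via execv:\n%s", out);
    return 0;
}
```

With the shell, the text after the semicolon runs as a second command; with the argument array, the whole caller-id reaches the notify program as one literal argument.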
Marked as found in versions asterisk/1:11.5.1~dfsg-1.
Request was from Bernhard Schmidt <berni@debian.org>
to control@bugs.debian.org.
(Fri, 01 Sep 2017 06:39:06 GMT)
Added tag(s) fixed-upstream and upstream.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Fri, 01 Sep 2017 06:45:06 GMT)
Set Bug forwarded-to-address to 'https://issues.asterisk.org/jira/browse/ASTERISK-27103'.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Fri, 01 Sep 2017 06:45:06 GMT)
Changed Bug title to 'asterisk: CVE-2017-14100: AST-2017-006: Shell access command injection inapp_minivm' from 'AST-2017-006: Shell access command injection inapp_minivm'.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Sat, 02 Sep 2017 17:15:04 GMT)
Reply sent
to Bernhard Schmidt <berni@debian.org>:
You have taken responsibility.
(Sat, 02 Sep 2017 21:18:25 GMT)
Notification sent
to Bernhard Schmidt <berni@debian.org>:
Bug acknowledged by developer.
(Sat, 02 Sep 2017 21:18:25 GMT)
Message #18 received at 873908-close@bugs.debian.org:
Source: asterisk
Source-Version: 1:13.17.1~dfsg-1
We believe that the bug you reported is fixed in the latest version of
asterisk, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 873908@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Bernhard Schmidt <berni@debian.org> (supplier of updated asterisk package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Sat, 02 Sep 2017 22:34:09 +0200
Source: asterisk
Binary: asterisk asterisk-modules asterisk-dahdi asterisk-vpb asterisk-voicemail asterisk-voicemail-imapstorage asterisk-voicemail-odbcstorage asterisk-ooh323 asterisk-mp3 asterisk-mysql asterisk-mobile asterisk-tests asterisk-doc asterisk-dev asterisk-config
Architecture: source
Version: 1:13.17.1~dfsg-1
Distribution: unstable
Urgency: high
Maintainer: Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>
Changed-By: Bernhard Schmidt <berni@debian.org>
Description:
asterisk - Open Source Private Branch Exchange (PBX)
asterisk-config - Configuration files for Asterisk
asterisk-dahdi - DAHDI devices support for the Asterisk PBX
asterisk-dev - Development files for Asterisk
asterisk-doc - Source code documentation for Asterisk
asterisk-mobile - Bluetooth phone support for the Asterisk PBX
asterisk-modules - loadable modules for the Asterisk PBX
asterisk-mp3 - MP3 playback support for the Asterisk PBX
asterisk-mysql - MySQL database protocol support for the Asterisk PBX
asterisk-ooh323 - H.323 protocol support for the Asterisk PBX - ooH323c
asterisk-tests - internal test modules of the Asterisk PBX
asterisk-voicemail - simple voicemail support for the Asterisk PBX
asterisk-voicemail-imapstorage - IMAP voicemail storage support for the Asterisk PBX
asterisk-voicemail-odbcstorage - ODBC voicemail storage support for the Asterisk PBX
asterisk-vpb - VoiceTronix devices support for the Asterisk PBX
Closes: 873907 873908 873909
Changes:
asterisk (1:13.17.1~dfsg-1) unstable; urgency=high
.
* New upstream version 13.17.1, fixing three CVEs
- CVE-2017-14099 / AST-2017-005
Media takeover in RTP stack ("RTP bleed") (Closes: #873907)
- CVE-2017-14100 / AST-2017-006
Shell access command injection in app_minivm (Closes: #873908)
- CVE-2017-14098 / AST-2017-007
Remote Crash Vulnerability in res_pjsip (Closes: #873909)
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
Reply sent
to Bernhard Schmidt <berni@debian.org>:
You have taken responsibility.
(Fri, 29 Sep 2017 11:36:14 GMT)
Notification sent
to Bernhard Schmidt <berni@debian.org>:
Bug acknowledged by developer.
(Fri, 29 Sep 2017 11:36:14 GMT)
Message #23 received at 873908-close@bugs.debian.org:
Source: asterisk
Source-Version: 1:13.14.1~dfsg-2+deb9u1
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Sat, 02 Sep 2017 23:21:14 +0200
Source: asterisk
Binary: asterisk asterisk-modules asterisk-dahdi asterisk-vpb asterisk-voicemail asterisk-voicemail-imapstorage asterisk-voicemail-odbcstorage asterisk-ooh323 asterisk-mp3 asterisk-mysql asterisk-mobile asterisk-doc asterisk-dev asterisk-config
Architecture: source all amd64
Version: 1:13.14.1~dfsg-2+deb9u1
Distribution: stretch-security
Urgency: high
Maintainer: Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>
Changed-By: Bernhard Schmidt <berni@debian.org>
Description:
asterisk - Open Source Private Branch Exchange (PBX)
asterisk-config - Configuration files for Asterisk
asterisk-dahdi - DAHDI devices support for the Asterisk PBX
asterisk-dev - Development files for Asterisk
asterisk-doc - Source code documentation for Asterisk
asterisk-mobile - Bluetooth phone support for the Asterisk PBX
asterisk-modules - loadable modules for the Asterisk PBX
asterisk-mp3 - MP3 playback support for the Asterisk PBX
asterisk-mysql - MySQL database protocol support for the Asterisk PBX
asterisk-ooh323 - H.323 protocol support for the Asterisk PBX - ooH323c
asterisk-voicemail - simple voicemail support for the Asterisk PBX
asterisk-voicemail-imapstorage - IMAP voicemail storage support for the Asterisk PBX
asterisk-voicemail-odbcstorage - ODBC voicemail storage support for the Asterisk PBX
asterisk-vpb - VoiceTronix devices support for the Asterisk PBX
Closes: 873907 873908
Changes:
asterisk (1:13.14.1~dfsg-2+deb9u1) stretch-security; urgency=high
.
* CVE-2017-14099 / AST-2017-005
Media takeover in RTP stack ("RTP bleed") (Closes: #873907)
* CVE-2017-14100 / AST-2017-006
Shell access command injection in app_minivm (Closes: #873908)
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
Reply sent
to Bernhard Schmidt <berni@debian.org>:
You have taken responsibility.
(Sun, 08 Oct 2017 10:51:08 GMT)
Notification sent
to Bernhard Schmidt <berni@debian.org>:
Bug acknowledged by developer.
(Sun, 08 Oct 2017 10:51:08 GMT)
Message #28 received at 873908-close@bugs.debian.org:
Source: asterisk
Source-Version: 1:11.13.1~dfsg-2+deb8u3
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Sat, 02 Sep 2017 22:46:15 +0200
Source: asterisk
Binary: asterisk asterisk-modules asterisk-dahdi asterisk-vpb asterisk-voicemail asterisk-voicemail-imapstorage asterisk-voicemail-odbcstorage asterisk-ooh323 asterisk-mp3 asterisk-mysql asterisk-mobile asterisk-doc asterisk-dev asterisk-dbg asterisk-config
Architecture: source amd64 all
Version: 1:11.13.1~dfsg-2+deb8u3
Distribution: jessie-security
Urgency: high
Maintainer: Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>
Changed-By: Bernhard Schmidt <berni@debian.org>
Description:
asterisk - Open Source Private Branch Exchange (PBX)
asterisk-config - Configuration files for Asterisk
asterisk-dahdi - DAHDI devices support for the Asterisk PBX
asterisk-dbg - Debugging symbols for Asterisk
asterisk-dev - Development files for Asterisk
asterisk-doc - Source code documentation for Asterisk
asterisk-mobile - Bluetooth phone support for the Asterisk PBX
asterisk-modules - loadable modules for the Asterisk PBX
asterisk-mp3 - MP3 playback support for the Asterisk PBX
asterisk-mysql - MySQL database protocol support for the Asterisk PBX
asterisk-ooh323 - H.323 protocol support for the Asterisk PBX - ooH323c
asterisk-voicemail - simple voicemail support for the Asterisk PBX
asterisk-voicemail-imapstorage - IMAP voicemail storage support for the Asterisk PBX
asterisk-voicemail-odbcstorage - ODBC voicemail storage support for the Asterisk PBX
asterisk-vpb - VoiceTronix devices support for the Asterisk PBX
Closes: 873907 873908
Changes:
asterisk (1:11.13.1~dfsg-2+deb8u3) jessie-security; urgency=high
.
* CVE-2017-14099 / AST-2017-005
Media takeover in RTP stack ("RTP bleed") (Closes: #873907)
* CVE-2017-14100 / AST-2017-006
Shell access command injection in app_minivm (Closes: #873908)
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Thu, 09 Nov 2017 07:25:09 GMT)