Your message dated Sat, 02 Sep 2017 21:04:16 +0000 with message-id <[email protected]> and subject line Bug#873907: fixed in asterisk 1:13.17.1~dfsg-1 has caused the Debian Bug report #873907, regarding asterisk: CVE-2017-14099: AST-2017-005: Media takeover in RTP stack to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact [email protected] immediately.)

--
873907: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=873907
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: src:asterisk
Severity: important
Tags: security

Asterisk Project Security Advisory - AST-2017-005

Product:            Asterisk
Summary:            Media takeover in RTP stack
Nature of Advisory: Unauthorized data disclosure
Susceptibility:     Remote Unauthenticated Sessions
Severity:           Critical
Exploits Known:     No
Reported On:        May 17, 2017
Reported By:        Klaus-Peter Junghanns
Posted On:
Last Updated On:    August 30, 2017
Advisory Contact:   Joshua Colp <jcolp AT digium DOT com>
CVE Name:

Description

The "strictrtp" option in rtp.conf enables a feature of the RTP stack that learns the source address of media for a session and drops any packets that do not originate from the expected address. This option is enabled by default in Asterisk 11 and above.

The "nat" and "rtp_symmetric" options for chan_sip and chan_pjsip respectively enable symmetric RTP support in the RTP stack. This uses the source address of incoming media as the target address of any sent media. This option is not enabled by default but is commonly enabled to handle devices behind NAT.

A change was made to the strict RTP support in the RTP stack to better tolerate late media when a reinvite occurs. When combined with the symmetric RTP support this introduced an avenue where media could be hijacked. Instead of only learning a new address when expected, the new code allowed a new source address to be learned at all times. If a flood of RTP traffic was received, the strict RTP support would allow the new address to provide media, and with symmetric RTP enabled outgoing traffic would be sent to this new address, allowing the media to be hijacked. Provided the attacker continued to send traffic, they would continue to receive traffic as well.

Resolution

The RTP stack will now only learn a new source address if it has been told to expect the address to change. The RTCP support has now also been updated to drop RTCP reports that are not regarding the RTP session currently in progress. The strict RTP learning process has also been improved to guard against a flood of RTP packets attempting to take over the media stream.

Affected Versions

  Product                 Release Series
  Asterisk Open Source    11.x            11.4.0
  Asterisk Open Source    13.x            All Releases
  Asterisk Open Source    14.x            All Releases
  Certified Asterisk      11.6            All Releases
  Certified Asterisk      13.13           All Releases

Corrected In

  Product                 Release
  Asterisk Open Source    11.25.2, 13.17.1, 14.6.1
  Certified Asterisk      11.6-cert17, 13.13-cert5

Patches

  SVN URL                                                            Revision
  http://downloads.asterisk.org/pub/security/AST-2017-005-11.diff    Asterisk 11
  http://downloads.asterisk.org/pub/security/AST-2017-005-13.diff    Asterisk 13
  http://downloads.asterisk.org/pub/security/AST-2017-005-14.diff    Asterisk 14
  http://downloads.asterisk.org/pub/security/AST-2017-005-11.6.diff  Certified Asterisk 11.6
  http://downloads.asterisk.org/pub/security/AST-2017-005-13.13.diff Certified Asterisk 13.13

Links

  https://issues.asterisk.org/jira/browse/ASTERISK-27013

Asterisk Project Security Advisories are posted at http://www.asterisk.org/security

This document may be superseded by later versions; if so, the latest version will be posted at http://downloads.digium.com/pub/security/AST-2017-005.pdf and http://downloads.digium.com/pub/security/AST-2017-005.html

Revision History

  Date            Editor         Revisions Made
  May 30, 2017    Joshua Colp    Initial Revision

Asterisk Project Security Advisory - AST-2017-005
Copyright (c) 2017 Digium, Inc. All Rights Reserved.
Permission is hereby granted to distribute and publish this advisory in its original, unaltered form.
--- End Message ---
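The hijack mechanism the advisory describes, as an added example that is not Asterisk code and not part of the bug report: a minimal model of one RTP session with strict RTP and symmetric RTP enabled, run once with the pre-fix rule (a new source may be learned at any time) and once with the fixed rule (a new source is learned only after a reinvite has signalled that the address may change). The rule that a candidate source must deliver four consecutive in-sequence packets before it is learned, the addresses used, and the state-machine details are assumptions of this model, not Asterisk's exact implementation.

```python
"""Model of Asterisk strict RTP source learning, before and after AST-2017-005.

Added example, not Asterisk code. The state machine is a simplification of
Asterisk's strict RTP support; the threshold of 4 in-sequence packets and the
addresses below are assumed values chosen to make the flood behaviour concrete.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Addr = Tuple[str, int]


@dataclass
class RtpPacket:
    src: Addr   # source address of the UDP datagram carrying the RTP packet
    seq: int    # RTP sequence number


@dataclass
class RtpSession:
    vulnerable: bool                     # True: pre-fix rule, learn a new source at any time
    strictrtp: bool = True               # rtp.conf strictrtp=yes (default since Asterisk 11)
    symmetric: bool = True               # chan_sip nat=yes / chan_pjsip rtp_symmetric=yes
    learn_min_sequential: int = 4        # assumed: in-sequence packets needed to learn a source
    expected_src: Optional[Addr] = None  # source strict RTP currently trusts
    remote: Optional[Addr] = None        # where outgoing media is sent
    expect_change: bool = True           # True until the first source is learned, and after a reinvite
    cand: Optional[Addr] = None          # candidate source currently being learned
    cand_seq: int = 0
    cand_count: int = 0

    def reinvite(self) -> None:
        """A reinvite renegotiated the media address, so a new source is now expected."""
        self.expect_change = True
        self.cand, self.cand_count = None, 0

    def _accept(self, pkt: RtpPacket) -> bool:
        if self.symmetric:
            self.remote = pkt.src  # symmetric RTP: send media back to where media came from
        return True

    def receive(self, pkt: RtpPacket) -> bool:
        """Return True if the packet is passed to the call, False if strict RTP drops it."""
        if not self.strictrtp or pkt.src == self.expected_src:
            return self._accept(pkt)  # trusted source (this also tolerates late media after a reinvite)
        # Packet from an address other than the trusted source.
        if not (self.vulnerable or self.expect_change):
            return False  # fixed rule: no address change was announced, so drop it
        # Learning: the candidate must deliver learn_min_sequential packets with consecutive seq numbers.
        if pkt.src == self.cand and pkt.seq == self.cand_seq + 1:
            self.cand_count += 1
        else:
            self.cand, self.cand_count = pkt.src, 1
        self.cand_seq = pkt.seq
        if self.cand_count < self.learn_min_sequential:
            return False
        self.expected_src = pkt.src  # new source learned; further changes need another reinvite
        self.expect_change = False
        self.cand, self.cand_count = None, 0
        return self._accept(pkt)


# Constructed addresses for the scenario (documentation ranges, not real hosts).
PHONE: Addr = ("203.0.113.10", 4000)
PHONE_MOVED: Addr = ("203.0.113.10", 4002)
ATTACKER: Addr = ("198.51.100.7", 5555)


def run_flood(vulnerable: bool) -> Dict[str, object]:
    """The phone establishes media, then an attacker floods in-sequence RTP from another address."""
    s = RtpSession(vulnerable=vulnerable)
    for i in range(4):
        s.receive(RtpPacket(PHONE, 100 + i))
    attacker_accepted = sum(s.receive(RtpPacket(ATTACKER, 5000 + i)) for i in range(20))
    phone_still_heard = s.receive(RtpPacket(PHONE, 104))
    return {
        "media_target": s.remote,               # pre-fix: ATTACKER; fixed: PHONE
        "attacker_accepted": attacker_accepted,  # pre-fix: 17 (learned on the 4th packet); fixed: 0
        "phone_still_heard": phone_still_heard,  # pre-fix: False (the real party is now dropped)
    }


def run_reinvite() -> Dict[str, object]:
    """Fixed rule: after a reinvite, late media from the old address and the phone's new port both work."""
    s = RtpSession(vulnerable=False)
    for i in range(4):
        s.receive(RtpPacket(PHONE, 100 + i))
    s.reinvite()
    late_media_ok = s.receive(RtpPacket(PHONE, 104))
    moved: List[bool] = [s.receive(RtpPacket(PHONE_MOVED, 200 + i)) for i in range(4)]
    return {"late_media_ok": late_media_ok, "learned_after": moved.index(True) + 1, "media_target": s.remote}


if __name__ == "__main__":
    print("pre-fix:", run_flood(True))
    print("fixed:  ", run_flood(False))
    print("reinvite:", run_reinvite())
```

Two things the model makes visible that the prose only implies: with the pre-fix rule the legitimate party is not merely eavesdropped on but silenced, because once the attacker is the trusted source the phone's own packets are dropped as "unexpected"; and the fix does not remove the learning window, it only opens it when signalling has announced a change, so an attacker who can flood during that window still has a race to win. Setting strictrtp=no in rtp.conf disables the check entirely in both versions, which is the first thing to verify on a host where the advisory applies.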
--- Begin Message ---
Source: asterisk
Source-Version: 1:13.17.1~dfsg-1

We believe that the bug you reported is fixed in the latest version of asterisk, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to [email protected], and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Bernhard Schmidt <[email protected]> (supplier of updated asterisk package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing [email protected])

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sat, 02 Sep 2017 22:34:09 +0200
Source: asterisk
Binary: asterisk asterisk-modules asterisk-dahdi asterisk-vpb asterisk-voicemail asterisk-voicemail-imapstorage asterisk-voicemail-odbcstorage asterisk-ooh323 asterisk-mp3 asterisk-mysql asterisk-mobile asterisk-tests asterisk-doc asterisk-dev asterisk-config
Architecture: source
Version: 1:13.17.1~dfsg-1
Distribution: unstable
Urgency: high
Maintainer: Debian VoIP Team <[email protected]>
Changed-By: Bernhard Schmidt <[email protected]>
Description:
 asterisk   - Open Source Private Branch Exchange (PBX)
 asterisk-config - Configuration files for Asterisk
 asterisk-dahdi - DAHDI devices support for the Asterisk PBX
 asterisk-dev - Development files for Asterisk
 asterisk-doc - Source code documentation for Asterisk
 asterisk-mobile - Bluetooth phone support for the Asterisk PBX
 asterisk-modules - loadable modules for the Asterisk PBX
 asterisk-mp3 - MP3 playback support for the Asterisk PBX
 asterisk-mysql - MySQL database protocol support for the Asterisk PBX
 asterisk-ooh323 - H.323 protocol support for the Asterisk PBX - ooH323c
 asterisk-tests - internal test modules of the Asterisk PBX
 asterisk-voicemail - simple voicemail support for the Asterisk PBX
 asterisk-voicemail-imapstorage - IMAP voicemail storage support for the Asterisk PBX
 asterisk-voicemail-odbcstorage - ODBC voicemail storage support for the Asterisk PBX
 asterisk-vpb - VoiceTronix devices support for the Asterisk PBX
Closes: 873907 873908 873909
Changes:
 asterisk (1:13.17.1~dfsg-1) unstable; urgency=high
 .
   * New upstream version 13.17.1, fixing three CVEs
     - CVE-2017-14099 / AST-2017-005 Media takeover in RTP stack ("RTP bleed")
       (Closes: #873907)
     - CVE-2017-14100 / AST-2017-006 Shell access command injection in app_minivm
       (Closes: #873908)
     - CVE-2017-14098 / AST-2017-007 Remote Crash Vulnerability in res_pjsip
       (Closes: #873909)
Checksums-Sha1:
 585568086378cc058e946cb922a082a2664f2873 4268 asterisk_13.17.1~dfsg-1.dsc
 adb89838e59308fe05bc60693bf01df6b8cfb2f4 6227588 asterisk_13.17.1~dfsg.orig.tar.xz
 4401b3804b6f69ef0686266b9b452e1649baabef 168376 asterisk_13.17.1~dfsg-1.debian.tar.xz
 4b26a0714b0c6f46df9910656391e2a00d0faab9 27034 asterisk_13.17.1~dfsg-1_amd64.buildinfo
Checksums-Sha256:
 754e2320c060563da2ae69f5948aaff41abca712d94759fd7f40cf3e3de01144 4268 asterisk_13.17.1~dfsg-1.dsc
 c508880b2ee165016074d75347aa2df00fc88a730db7dc1a8cf1b895e9e8a3ad 6227588 asterisk_13.17.1~dfsg.orig.tar.xz
 9722c7c60709d1ddc26d866d3283213f6797b6f7ab9a180dc51fd7c7219af6ec 168376 asterisk_13.17.1~dfsg-1.debian.tar.xz
 05f498e47a90b1fa6f81964062c76511d37d333152620e16e5f42ca60bf8e23c 27034 asterisk_13.17.1~dfsg-1_amd64.buildinfo
Files:
 869d4a0e0654952f2555b89be8d05062 4268 comm optional asterisk_13.17.1~dfsg-1.dsc
 a1a52404f8938ede9204750c6f5b69db 6227588 comm optional asterisk_13.17.1~dfsg.orig.tar.xz
 e97d792679034e7a0a29ffb7538a192d 168376 comm optional asterisk_13.17.1~dfsg-1.debian.tar.xz
 3c9577153eb8824c2ee7fea8df17bade 27034 comm optional asterisk_13.17.1~dfsg-1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQJFBAEBCAAvFiEE1uAexRal3873GVbTd1B55bhQvJMFAlmrF64RHGJlcm5pQGRl
Ymlhbi5vcmcACgkQd1B55bhQvJP4/w/+OZb8R2GFu1pkJQ5ZqMrtHx+IZNNM8wTL
6sb3N1b+tAEe9Nb7pARwb100+wyib3S0uIo78kad3VLvXaDGpMjmJVsSptRd0Qy/
M9PNW7vojmXdJTRc5jxbiwhWpKpX1kaq1VIWXhJo/mxVEhaAt15pzbt47heEqyo2
BmzOtGHONyGQG+m9tO4IPIWcpDsgXFc8i5+loROw/WyGxI2k57pJh3jDhPsOMLoN
PySDya/Peqi+q60Iy3IHeXDvt39vgTEMUo48fG1PC2Sy6zntN0IIYl/oKmlRZ453
tNQzGYZbxX08fqMMQf7mtvpPcGmYZNdZD5ogthA0uW1MKoQM5h6S+ah/pz52HrDn
fSwlwXtRvdYwQkGu8jBv2crerhly0C5pyiK7+CDYoTdRittTH5O1uQP6c5H0hV5C
GVKMbG877rbPrI2N1sFXDggM9T1zJ/c73HqC6ecB9DG+jcxdidju9lV4sYJWw9cM
b6j9AOwXW6uWZhXZJP+1jxsib0f1acNT0NyHjHASXlbv5lZPVwtpIkg7Ed89fH/k
V0SSMrpF2ZA49aUdcff7BcesDqwYcDCJBDaEewzFJYzRleUtMQmImJKXd4f1c5uA
O0zCPja7RPRQHpVQOxqUxZfUqDCJR6oWPhLuMJBMsJH3vKHoqnfpDjmxxMR8izEd
YN2nioAGtFQ=
=5py3
-----END PGP SIGNATURE-----
--- End Message ---

