Your message dated Sun, 08 Oct 2017 10:47:28 +0000
with message-id <[email protected]>
and subject line Bug#873907: fixed in asterisk 1:11.13.1~dfsg-2+deb8u3
has caused the Debian Bug report #873907,
regarding asterisk: CVE-2017-14099: AST-2017-005: Media takeover in RTP stack
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)

--
873907: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=873907
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: src:asterisk
Severity: important
Tags: security

               Asterisk Project Security Advisory - AST-2017-005

    Product              Asterisk
    Summary              Media takeover in RTP stack
    Nature of Advisory   Unauthorized data disclosure
    Susceptibility       Remote Unauthenticated Sessions
    Severity             Critical
    Exploits Known       No
    Reported On          May 17, 2017
    Reported By          Klaus-Peter Junghanns
    Posted On
    Last Updated On      August 30, 2017
    Advisory Contact     Joshua Colp <jcolp AT digium DOT com>
    CVE Name

  Description
    The "strictrtp" option in rtp.conf enables a feature of the RTP stack
    that learns the source address of media for a session and drops any
    packets that do not originate from the expected address. This option
    is enabled by default in Asterisk 11 and above.

    The "nat" and "rtp_symmetric" options for chan_sip and chan_pjsip
    respectively enable symmetric RTP support in the RTP stack. This uses
    the source address of incoming media as the target address of any sent
    media. This option is not enabled by default but is commonly enabled to
    handle devices behind NAT.

    A change was made to the strict RTP support in the RTP stack to better
    tolerate late media when a reinvite occurs. When combined with the
    symmetric RTP support this introduced an avenue where media could be
    hijacked. Instead of only learning a new address when expected the new
    code allowed a new source address to be learned at all times.

    If a flood of RTP traffic was received the strict RTP support would
    allow the new address to provide media and with symmetric RTP enabled
    outgoing traffic would be sent to this new address, allowing the media
    to be hijacked. Provided the attacker continued to send traffic they
    would continue to receive traffic as well.

  Resolution
    The RTP stack will now only learn a new source address if it has been
    told to expect the address to change. The RTCP support has now also
    been updated to drop RTCP reports that are not regarding the RTP
    session currently in progress. The strict RTP learning progress has
    also been improved to guard against a flood of RTP packets attempting
    to take over the media stream.

  Affected Versions
    Product               Release Series
    Asterisk Open Source  11.x            11.4.0
    Asterisk Open Source  13.x            All Releases
    Asterisk Open Source  14.x            All Releases
    Certified Asterisk    11.6            All Releases
    Certified Asterisk    13.13           All Releases

  Corrected In
    Product               Release
    Asterisk Open Source  11.25.2, 13.17.1, 14.6.1
    Certified Asterisk    11.6-cert17, 13.13-cert5

  Patches
    SVN URL                                                              Revision
    http://downloads.asterisk.org/pub/security/AST-2017-005-11.diff      Asterisk 11
    http://downloads.asterisk.org/pub/security/AST-2017-005-13.diff      Asterisk 13
    http://downloads.asterisk.org/pub/security/AST-2017-005-14.diff      Asterisk 14
    http://downloads.asterisk.org/pub/security/AST-2017-005-11.6.diff    Certified Asterisk 11.6
    http://downloads.asterisk.org/pub/security/AST-2017-005-13.13.diff   Certified Asterisk 13.13

  Links
    https://issues.asterisk.org/jira/browse/ASTERISK-27013

    Asterisk Project Security Advisories are posted at
    http://www.asterisk.org/security

    This document may be superseded by later versions; if so, the latest
    version will be posted at
    http://downloads.digium.com/pub/security/AST-2017-005.pdf and
    http://downloads.digium.com/pub/security/AST-2017-005.html

  Revision History
    Date          Editor        Revisions Made
    May 30, 2017  Joshua Colp   Initial Revision

               Asterisk Project Security Advisory - AST-2017-005
              Copyright (c) 2017 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in its
                           original, unaltered form.
--- End Message ---
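The advisory above contrasts two learning behaviours: the pre-fix stack learned a new media source from any packet, while the fixed stack learns one only when signalling has told it to expect a change, and then only after the new source has proven itself against a burst of unrelated packets. The following Python model, written for this page and not taken from Asterisk or from the AST-2017-005 patch, plays both behaviours against the same packet sequence so the difference in the symmetric-RTP send target can be seen directly. The 4-packet learning threshold, the addresses, the SSRC values and the sequence numbers are all constructed for the example; the real stack's constants and timeouts differ.

```python
"""Toy model of strict RTP source learning combined with symmetric RTP.

Written for this page; not Asterisk's RTP stack or the AST-2017-005 patch.
The 4-packet learning threshold, addresses, SSRCs and sequence numbers
are constructed for the example.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

Addr = Tuple[str, int]


@dataclass
class RtpPacket:
    src: Addr           # (ip, port) the datagram arrived from
    seq: int            # 16-bit RTP sequence number
    ssrc: int = 0x1234  # synchronisation source from the RTP header (constructed)


@dataclass
class StrictRtpSession:
    learn_on_any_packet: bool          # True = behaviour the advisory describes, False = fixed
    need_in_order: int = 4             # assumed threshold, not an Asterisk constant
    expected: Optional[Addr] = None    # learned media source; with symmetric RTP also the send target
    ssrc: Optional[int] = None         # SSRC of the session in progress, used to filter RTCP
    learning: bool = True              # a new source may be learned right now (fresh session)
    candidate: Optional[Addr] = None
    last_seq: Optional[int] = None
    streak: int = 0
    accepted: int = 0
    dropped: int = 0

    def expect_address_change(self) -> None:
        """Signalling (e.g. a re-INVITE) says the remote media address may change."""
        self.learning = True
        self.candidate, self.last_seq, self.streak = None, None, 0

    def send_target(self) -> Optional[Addr]:
        """Symmetric RTP: outgoing media goes wherever accepted incoming media came from."""
        return self.expected

    def rtcp_report_matches(self, report_ssrc: int) -> bool:
        """Only RTCP about the RTP session currently in progress is accepted."""
        return self.ssrc is not None and report_ssrc == self.ssrc

    def _lock(self, pkt: RtpPacket) -> bool:
        self.expected, self.ssrc, self.learning = pkt.src, pkt.ssrc, False
        self.accepted += 1
        return True

    def receive(self, pkt: RtpPacket) -> bool:
        """Return True if the packet is treated as session media, False if dropped."""
        if self.expected is not None and pkt.src == self.expected:
            self.accepted += 1
            return True
        if self.learn_on_any_packet:
            # Pre-fix: a foreign source is learned at once and becomes the send target.
            return self._lock(pkt)
        if not self.learning:
            # Fixed: no address change was signalled, so foreign media is dropped.
            self.dropped += 1
            return False
        # Fixed, learning window open: trust a new source only after a run of
        # consecutive-sequence packets, so a burst of unrelated packets does not win.
        in_order = (pkt.src == self.candidate and self.last_seq is not None
                    and pkt.seq == (self.last_seq + 1) & 0xFFFF)
        self.streak = self.streak + 1 if in_order else 1
        self.candidate, self.last_seq = pkt.src, pkt.seq
        if self.streak >= self.need_in_order:
            return self._lock(pkt)
        self.dropped += 1
        return False


PHONE = ("198.51.100.10", 40000)      # constructed: legitimate remote endpoint
PHONE_NEW = ("198.51.100.10", 40002)  # constructed: same phone after a re-INVITE
STRAY = ("203.0.113.5", 5000)         # constructed: unrelated source hitting our RTP port


def run_scenario(learn_on_any_packet: bool) -> dict:
    """Replay one call against either behaviour and report the send target at each stage."""
    s = StrictRtpSession(learn_on_any_packet=learn_on_any_packet)
    for seq in range(100, 110):                 # 1. call setup: phone streams in sequence
        s.receive(RtpPacket(PHONE, seq))
    after_setup = s.send_target()
    for seq in (7, 4000, 12, 9001, 13):         # 2. mid-call burst, no change signalled
        s.receive(RtpPacket(STRAY, seq))
    after_burst = s.send_target()
    s.expect_address_change()                   # 3. re-INVITE: a new address is expected
    for seq in (20, 21, 5000, 22):              #    stray never builds an in-sequence run
        s.receive(RtpPacket(STRAY, seq))
    for seq in range(200, 206):                 #    the phone does, from its new port
        s.receive(RtpPacket(PHONE_NEW, seq))
    return {"after_setup": after_setup, "after_burst": after_burst,
            "after_reinvite": s.send_target(), "dropped": s.dropped}


if __name__ == "__main__":
    print("pre-fix:", run_scenario(True))
    print("fixed:  ", run_scenario(False))
```

In the pre-fix run the send target flips to the stray source after the mid-call burst, which is the hijack the advisory describes; in the fixed run that burst is dropped outright, and during the re-INVITE window the stray source is still not learned because its sequence numbers never run consecutively, while the phone's new port is accepted after four in-order packets. The `rtcp_report_matches` check mirrors the resolution's second point: RTCP carrying an SSRC other than the session's is ignored.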
--- Begin Message ---
Source: asterisk
Source-Version: 1:11.13.1~dfsg-2+deb8u3

We believe that the bug you reported is fixed in the latest version of
asterisk, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Bernhard Schmidt <[email protected]> (supplier of updated asterisk package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sat, 02 Sep 2017 22:46:15 +0200
Source: asterisk
Binary: asterisk asterisk-modules asterisk-dahdi asterisk-vpb asterisk-voicemail asterisk-voicemail-imapstorage asterisk-voicemail-odbcstorage asterisk-ooh323 asterisk-mp3 asterisk-mysql asterisk-mobile asterisk-doc asterisk-dev asterisk-dbg asterisk-config
Architecture: source amd64 all
Version: 1:11.13.1~dfsg-2+deb8u3
Distribution: jessie-security
Urgency: high
Maintainer: Debian VoIP Team <[email protected]>
Changed-By: Bernhard Schmidt <[email protected]>
Description:
 asterisk   - Open Source Private Branch Exchange (PBX)
 asterisk-config - Configuration files for Asterisk
 asterisk-dahdi - DAHDI devices support for the Asterisk PBX
 asterisk-dbg - Debugging symbols for Asterisk
 asterisk-dev - Development files for Asterisk
 asterisk-doc - Source code documentation for Asterisk
 asterisk-mobile - Bluetooth phone support for the Asterisk PBX
 asterisk-modules - loadable modules for the Asterisk PBX
 asterisk-mp3 - MP3 playback support for the Asterisk PBX
 asterisk-mysql - MySQL database protocol support for the Asterisk PBX
 asterisk-ooh323 - H.323 protocol support for the Asterisk PBX - ooH323c
 asterisk-voicemail - simple voicemail support for the Asterisk PBX
 asterisk-voicemail-imapstorage - IMAP voicemail storage support for the Asterisk PBX
 asterisk-voicemail-odbcstorage - ODBC voicemail storage support for the Asterisk PBX
 asterisk-vpb - VoiceTronix devices support for the Asterisk PBX
Closes: 873907 873908
Changes:
 asterisk (1:11.13.1~dfsg-2+deb8u3) jessie-security; urgency=high
 .
   * CVE-2017-14099 / AST-2017-005 Media takeover in RTP stack ("RTP bleed")
     (Closes: #873907)
   * CVE-2017-14100 / AST-2017-006 Shell access command injection in app_minivm
     (Closes: #873908)
Checksums-Sha1:
 ba66fde1252168c5a31c05912ee2f14082d6e074 4050 asterisk_11.13.1~dfsg-2+deb8u3.dsc
 a1abcdd064f8847a7006c71ddff6b7698379f9b5 114412 asterisk_11.13.1~dfsg-2+deb8u3.debian.tar.xz
 178ffd3d6406f39f4d2fd87adb35fbc6c6106e30 1665916 asterisk_11.13.1~dfsg-2+deb8u3_amd64.deb
 f1499ddfbf60e8ce1c7304ea73225bf48d8930ba 2128800 asterisk-modules_11.13.1~dfsg-2+deb8u3_amd64.deb
 803499e67f82ffa3e4ad93391708e2ab64e2245d 704826 asterisk-dahdi_11.13.1~dfsg-2+deb8u3_amd64.deb
 10de9d3b38ffe9f53f0d04e027f9c97bbb2bd762 508386 asterisk-vpb_11.13.1~dfsg-2+deb8u3_amd64.deb
 a8b452f46c6ab000e97e31219de44cc37db59f43 564176 asterisk-voicemail_11.13.1~dfsg-2+deb8u3_amd64.deb
 829e738bed45429bb863fa486f96d2b57833d5a5 580148 asterisk-voicemail-imapstorage_11.13.1~dfsg-2+deb8u3_amd64.deb
 40653d800ff1ead26e6b28189f4365a758132c2b 570340 asterisk-voicemail-odbcstorage_11.13.1~dfsg-2+deb8u3_amd64.deb
 675a1bae4d409596d62d5047c78b618464f15d05 819306 asterisk-ooh323_11.13.1~dfsg-2+deb8u3_amd64.deb
 ec8f0ba389108f9831739f040eb78645f71f78ee 504114 asterisk-mp3_11.13.1~dfsg-2+deb8u3_amd64.deb
 92c7e907f14258a0ee1b5a1b53c9c27ec385fff6 522080 asterisk-mysql_11.13.1~dfsg-2+deb8u3_amd64.deb
 b9c60a4f3e2a19edf90bb6000ea826ad2416b9aa 514292 asterisk-mobile_11.13.1~dfsg-2+deb8u3_amd64.deb
 6116e68542cd8743afe0d94a1ae9ba853f56ca4a 2360376 asterisk-doc_11.13.1~dfsg-2+deb8u3_all.deb
 f3cc087914d0c8bf66421f7863db1db95e067fce 792286 asterisk-dev_11.13.1~dfsg-2+deb8u3_all.deb
 90f97fb45da6b1a7188ee71d1d8b04e9c6fa4228 6461798 asterisk-dbg_11.13.1~dfsg-2+deb8u3_amd64.deb
 92e7d3180481d3f5198aa936ce6315b8ed5afac4 840252 asterisk-config_11.13.1~dfsg-2+deb8u3_all.deb
Checksums-Sha256:
 2c2e290dc05235c8b46a02328e70dea4a557ef849e5adcd98f98cb6d0c1f1ffb 4050 asterisk_11.13.1~dfsg-2+deb8u3.dsc
 49403c25c608ff4d7e7b4f641fe0a4589b6e9522e5c2652a02c36c543b6f3091 114412 asterisk_11.13.1~dfsg-2+deb8u3.debian.tar.xz
 5b1773ee280034d03aae8e684449b297715c8e474b162f2bc574a54858335f1b 1665916 asterisk_11.13.1~dfsg-2+deb8u3_amd64.deb
 6c78efcea97933669c6ebac7527e6f65531c5f56556c5fc6f4279f1b0e56daf8 2128800 asterisk-modules_11.13.1~dfsg-2+deb8u3_amd64.deb
 ba30b6f37fd8041b02ff904c61901a65ca3c1ff67704a68096bf35091f8d6432 704826 asterisk-dahdi_11.13.1~dfsg-2+deb8u3_amd64.deb
 070b7366bc3a98faf63cb03ec7737ba9437ab94dc26efe53cdc3401de5965ac4 508386 asterisk-vpb_11.13.1~dfsg-2+deb8u3_amd64.deb
 95b1835e2232e412734b1776e71d4f3f6594a101809a61266a26b7ba5fe612e4 564176 asterisk-voicemail_11.13.1~dfsg-2+deb8u3_amd64.deb
 6fbfa42e39edbe41536be98689cce514b6afb56611787850749bf6a19ffc0005 580148 asterisk-voicemail-imapstorage_11.13.1~dfsg-2+deb8u3_amd64.deb
 2ab8428024067d4d34b28a810c8c2d7734d9e786eddf165c6257ecc8d730f5a2 570340 asterisk-voicemail-odbcstorage_11.13.1~dfsg-2+deb8u3_amd64.deb
 90094e7c34f8062cf022f03e23c58ce03a8b1018621073b8ae4fdfb2f766f39f 819306 asterisk-ooh323_11.13.1~dfsg-2+deb8u3_amd64.deb
 60afbd04e5900f436c2235e0806bbf058ef2eda1239e0a7c9f50a78093fd9da6 504114 asterisk-mp3_11.13.1~dfsg-2+deb8u3_amd64.deb
 da602c6a6bbcc7df0b91f7a0b1acd9a26975f0c0c21c2f9ef2afbb1274cf32d3 522080 asterisk-mysql_11.13.1~dfsg-2+deb8u3_amd64.deb
 386f6686140c8c246d96acf63e0cfd76daadbf124d3a36b5e9291d6c96db076e 514292 asterisk-mobile_11.13.1~dfsg-2+deb8u3_amd64.deb
 6be3bbba01b7049d405ae55440ff45787f51466754bf7678dfce823bf52323c6 2360376 asterisk-doc_11.13.1~dfsg-2+deb8u3_all.deb
 6a96546a332dfead61368a29af4b108ad63fef229ee75b668cfb26ea734cf968 792286 asterisk-dev_11.13.1~dfsg-2+deb8u3_all.deb
 5b83dfcd873725da2ee6e735fe005a8a34697c4703092a1cdfc1fdf688f1915d 6461798 asterisk-dbg_11.13.1~dfsg-2+deb8u3_amd64.deb
 d0a40c17be39367972127dd300330a50bf4437265e593abac330384842fc5605 840252 asterisk-config_11.13.1~dfsg-2+deb8u3_all.deb
Files:
 e22715099f00d6a5420f488eb4bc5fb8 4050 comm optional asterisk_11.13.1~dfsg-2+deb8u3.dsc
 fe166d63e55573900341a0b3aba17022 114412 comm optional asterisk_11.13.1~dfsg-2+deb8u3.debian.tar.xz
 576d24d3bb6b6357704a6d719a094773 1665916 comm optional asterisk_11.13.1~dfsg-2+deb8u3_amd64.deb
 d5999086336713fc9075d0782c7f4581 2128800 libs optional asterisk-modules_11.13.1~dfsg-2+deb8u3_amd64.deb
 ecfac416f0315d03a64c8189f97470e6 704826 comm optional asterisk-dahdi_11.13.1~dfsg-2+deb8u3_amd64.deb
 66cf9f220c089b4200c5b594824c47b9 508386 comm optional asterisk-vpb_11.13.1~dfsg-2+deb8u3_amd64.deb
 be8f435b12bed682d4bb6ee309790de5 564176 comm optional asterisk-voicemail_11.13.1~dfsg-2+deb8u3_amd64.deb
 39f9af8eed9e40355e97a01d74cb94bd 580148 comm optional asterisk-voicemail-imapstorage_11.13.1~dfsg-2+deb8u3_amd64.deb
 e9e1c08b58e2e1cc036d785f013f5a2f 570340 comm optional asterisk-voicemail-odbcstorage_11.13.1~dfsg-2+deb8u3_amd64.deb
 0816d2104673daf0bdab407097f8259b 819306 comm optional asterisk-ooh323_11.13.1~dfsg-2+deb8u3_amd64.deb
 450b3e8719597049900c4eb9e1bb6842 504114 comm optional asterisk-mp3_11.13.1~dfsg-2+deb8u3_amd64.deb
 e52ccfe2e7584e9b404a92ecbe4a2508 522080 comm optional asterisk-mysql_11.13.1~dfsg-2+deb8u3_amd64.deb
 5f56127d4801ee8a8ee79d951766c839 514292 comm optional asterisk-mobile_11.13.1~dfsg-2+deb8u3_amd64.deb
 deb4b6c5cd4ed9e1f3bf8da85f078e4d 2360376 doc extra asterisk-doc_11.13.1~dfsg-2+deb8u3_all.deb
 c1c4e39ea08493f487d418379789a6ef 792286 devel extra asterisk-dev_11.13.1~dfsg-2+deb8u3_all.deb
 065b26d3d3a3f416613219bea62cfd4a 6461798 debug extra asterisk-dbg_11.13.1~dfsg-2+deb8u3_amd64.deb
 d04d5353a0aabf8fe40157636a02eb4c 840252 comm optional asterisk-config_11.13.1~dfsg-2+deb8u3_all.deb

-----BEGIN PGP SIGNATURE-----

iQJFBAEBCAAvFiEE1uAexRal3873GVbTd1B55bhQvJMFAlmtCCIRHGJlcm5pQGRl
Ymlhbi5vcmcACgkQd1B55bhQvJNRUg//UVxIa3GJ9QbooyGTxtfr+97U3oPh3+LF
FFomgiVY8xaHuSJqNa3vnOWOswaDf8nDuAglJgV2VNxItOIBevuWGbHB/rSdM+P6
89PkGiQ46ynLdpicSI82YfkcCtM3M3o1e5yrpy+wDLuUjLSX2LHHp6D62GgUSTKr
Snv1JaE7KcjUAsahueDzv0ddu+RcQdeQyGXmPHFZ7jyjZk9wsqJChjmK0DMFvpjD
pNM0MQ23yw0fBsSWKHEPNPhp/UjD5edfet8853i95D84llKeKOw5CDcnLf/Kaicb
s6nsm0bC1mrnFWkYG8UQIpZUflF+RtO9w+ZS1zjApSBDGEe1WgziH3gfS9DkB4yX
lMS7Qw8lwJbaf4fvLhq76RlAvEJ3Uq1t1qunqeetRE7t8LjXR5Tp0E3/fr+2igbY
xdgDaMS+b6se8ePBqQyhbCTSrazGv0dArgK6JZjE7JWUL8pnKEd5XNxs5q2pBtj6
UOurhTzBYhijF6ha+rImIHuRMLysOf6QCSgNsQ0/DVcFW4SbzoFCsgrk7aIeNUWp
vVfiEU434PDTr7T57OE2fyYHTiwIrqmcbgUGZazm33kYFf5JUhPG0uJ/nZUVxi0y
nAykXdmLutNy5mVlP89kZPHUcl4dDR8pQzvsc1PH0u6tAavYuPeJO3oe9J3f+x+6
+5zOC/CCp+M=
=H+qx
-----END PGP SIGNATURE-----
--- End Message ---