Package: asterisk
Version: 1:16.2.1~dfsg-1
Severity: important
Tags: security upstream
Forwarded: https://issues.asterisk.org/jira/browse/ASTERISK-28465

Hi,

The following vulnerability was published for asterisk.

CVE-2019-13161[0]:
| An issue was discovered in Asterisk Open Source through 13.27.0, 14.x
| and 15.x through 15.7.2, and 16.x through 16.4.0, and Certified
| Asterisk through 13.21-cert3. A pointer dereference in chan_sip while
| handling SDP negotiation allows an attacker to crash Asterisk when
| handling an SDP answer to an outgoing T.38 re-invite. To exploit this
| vulnerability an attacker must cause the chan_sip module to send a
| T.38 re-invite request to them. Upon receipt, the attacker must send
| an SDP answer containing both a T.38 UDPTL stream and another media
| stream containing only a codec (which is not permitted according to
| the chan_sip configuration).

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-13161
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13161
[1] https://issues.asterisk.org/jira/browse/ASTERISK-28465
[2] https://downloads.asterisk.org/pub/security/AST-2019-003.html

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

