Your message dated Fri, 02 Jun 2017 09:04:08 +0000 with message-id <[email protected]> and subject line "Bug#863902: fixed in pjproject 2.5.5~dfsg-6" has caused the Debian Bug report #863902, regarding "pjproject: AST-2017-003: Crash in PJSIP multi-part body parser", to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact [email protected] immediately.)

--
863902: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=863902
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: src:pjproject
Version: 2.5.5~dfsg-5
Severity: critical
Tags: security patch

The following security advisory was published by the Asterisk project for the pjproject third party library. A patch is available.

Asterisk Project Security Advisory - AST-2017-003

Product: Asterisk
Summary: Crash in PJSIP multi-part body parser
Nature of Advisory: Remote Crash
Susceptibility: Remote Unauthenticated Sessions
Severity: Critical
Exploits Known: No
Reported On: 13 April, 2017
Reported By: Sandro Gauci
Posted On / Last Updated On: April 13, 2017
Advisory Contact: Mark Michelson <mark DOT michelson AT digium DOT com>
CVE Name:

Description
The multi-part body parser in PJSIP contains a logical error that can make certain multi-part body parts attempt to read memory from outside the allowed boundaries. A specially-crafted packet can trigger these invalid reads and potentially induce a crash.

The issue is within the PJSIP project and not in Asterisk. Therefore, the problem can be fixed without upgrading Asterisk. However, we will be releasing a new version of Asterisk where the bundled version of PJSIP has been updated to have the bug patched.

If you are using Asterisk with chan_sip, this issue does not affect you.

Resolution
We have submitted the error report to the PJProject maintainers and have coordinated a release...........

Affected Versions
Product                  Release Series
Asterisk Open Source     11.x       Unaffected
Asterisk Open Source     13.x       All versions
Asterisk Open Source     14.x       All versions
Certified Asterisk       13.13      All versions

Corrected In
Product                  Release
Asterisk Open Source     13.15.1, 14.4.1
Certified Asterisk       13.13-cert4

Patches
SVN URL    Revision

Links
https://issues.asterisk.org/jira/browse/ASTERISK-26939

Asterisk Project Security Advisories are posted at http://www.asterisk.org/security

This document may be superseded by later versions; if so, the latest version will be posted at http://downloads.digium.com/pub/security/AST-2017-003.pdf and http://downloads.digium.com/pub/security/AST-2017-003.html

Revision History
Date             Editor           Revisions Made
13 April, 2017   Mark Michelson   Initial advisory created

Asterisk Project Security Advisory - AST-2017-003
Copyright (c) 2017 Digium, Inc. All Rights Reserved.
Permission is hereby granted to distribute and publish this advisory in its original, unaltered form.
--- End Message ---
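The advisory quoted above names the failure class (a multipart body parser reading past the allowed boundaries) without showing the faulty code. The block below is an added example, not pjproject's code and not the AST-2017-003 patch: it shows the defensive shape such a parser needs, where every search for a delimiter is confined to the bytes that remain in the body. The names bstr_t, bounded_find and multipart_first_part are ours; bstr_t only mirrors the pointer-plus-length layout of PJSIP's pj_str_t.

```c
#include <stddef.h>
#include <string.h>

/* Pointer-plus-length view of a byte range. The name is ours; it only mirrors
 * the shape of PJSIP's pj_str_t and is not pjproject code. */
typedef struct { const char *ptr; size_t slen; } bstr_t;

/* Substring search that never reads outside hay[0..hay_len). */
static const char *bounded_find(const char *hay, size_t hay_len,
                                const char *needle, size_t needle_len)
{
    if (needle_len == 0 || hay_len < needle_len) return NULL;
    for (size_t i = 0; i + needle_len <= hay_len; i++)
        if (memcmp(hay + i, needle, needle_len) == 0) return hay + i;
    return NULL;
}

/* Locate the first part of a multipart body: the bytes between "--boundary\r\n"
 * and the next "\r\n--boundary". Each offset is checked against body_len
 * before it is dereferenced, so a truncated body, a missing CRLF or a missing
 * closing delimiter returns 0 instead of reading past the buffer.
 * Returns 1 and fills *part on success. */
int multipart_first_part(const char *body, size_t body_len,
                         const char *boundary, bstr_t *part)
{
    char delim[80];                       /* "\r\n--" + boundary */
    size_t blen = strlen(boundary);
    if (blen == 0 || blen + 4 > sizeof delim) return 0;
    memcpy(delim, "\r\n--", 4);
    memcpy(delim + 4, boundary, blen);
    const size_t dlen = blen + 4;

    /* Opening delimiter is "--boundary": delim without its leading CRLF. */
    const char *opening = bounded_find(body, body_len, delim + 2, dlen - 2);
    if (opening == NULL) return 0;
    size_t off = (size_t)(opening - body) + (dlen - 2);   /* off <= body_len */

    /* The CRLF after the delimiter must actually lie inside the buffer. */
    if (body_len - off < 2 || memcmp(body + off, "\r\n", 2) != 0) return 0;
    off += 2;

    /* The closing delimiter is searched for only within the remaining bytes. */
    const char *closing = bounded_find(body + off, body_len - off, delim, dlen);
    if (closing == NULL) return 0;
    part->ptr = body + off;
    part->slen = (size_t)(closing - (body + off));
    return 1;
}
```

Calling it with a body_len shorter than the real buffer (as in the second check in the test) models a truncated packet: the function reports failure rather than scanning beyond the length it was given.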
--- Begin Message ---
Source: pjproject
Source-Version: 2.5.5~dfsg-6

We believe that the bug you reported is fixed in the latest version of pjproject, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to [email protected], and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Bernhard Schmidt <[email protected]> (supplier of updated pjproject package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing [email protected])

Format: 1.8
Date: Fri, 02 Jun 2017 08:59:42 +0200
Source: pjproject
Binary: libpjlib-util2 libpjmedia-audiodev2 libpjmedia-codec2 libpjmedia-videodev2 libpjmedia2 libpjnath2 libpjsip-simple2 libpjsip-ua2 libpjsip2 libpjsua2 libpjsua2-2v5 libpj2 libpjproject-dev python-pjproject
Architecture: source
Version: 2.5.5~dfsg-6
Distribution: unstable
Urgency: high
Maintainer: Debian VoIP Team <[email protected]>
Changed-By: Bernhard Schmidt <[email protected]>
Description:
 libpj2 - PJ Project - PJProject core libraries
 libpjlib-util2 - PJ Project - helper utilities
 libpjmedia-audiodev2 - PJ Project - Audio devices
 libpjmedia-codec2 - PJ Project - Multimedia codecs handling
 libpjmedia-videodev2 - SIP handling library - video devices
 libpjmedia2 - PJ Project - VoIP media
 libpjnath2 - PJ Project - NAT handling
 libpjproject-dev - PJ Project - development headers
 libpjsip-simple2 - PJ Project - SIP SIMPLE instant messaging
 libpjsip-ua2 - SIP handling library - SIP user agent library
 libpjsip2 - PJ Project - SIP handling library
 libpjsua2 - PJ Project - Basic VoIP client library
 libpjsua2-2v5 - PJ Project - Basic VoIP client library
 python-pjproject - PJ Project - Python bindings
Closes: 863901 863902
Changes:
 pjproject (2.5.5~dfsg-6) unstable; urgency=high
 .
   [ Tzafrir Cohen ]
   * add security patches published by the Asterisk project
     - AST-2017-002: Buffer Overrun in PJSIP transaction layer (Closes: #863901)
     - AST-2017-003: Crash in PJSIP multi-part body parser (Closes: #863902)
--- End Message ---

