Your message dated Fri, 29 Sep 2017 11:32:11 +0000 with message-id <[email protected]> and subject line Bug#873907: fixed in asterisk 1:13.14.1~dfsg-2+deb9u1 has caused the Debian Bug report #873907, regarding asterisk: CVE-2017-14099: AST-2017-005: Media takeover in RTP stack to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact [email protected] immediately.) -- 873907: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=873907 Debian Bug Tracking System Contact [email protected] with problems
--- Begin Message ---Package: src:asterisk Severity: important Tags: security Asterisk Project Security Advisory - AST-2017-005 Product Asterisk Summary Media takeover in RTP stack Nature of Advisory Unauthorized data disclosure Susceptibility Remote Unauthenticated Sessions Severity Critical Exploits Known No Reported On May 17, 2017 Reported By Klaus-Peter Junghanns Posted On Last Updated On August 30, 2017 Advisory Contact Joshua Colp <jcolp AT digium DOT com> CVE Name Description The "strictrtp" option in rtp.conf enables a feature of the RTP stack that learns the source address of media for a session and drops any packets that do not originate from the expected address. This option is enabled by default in Asterisk 11 and above. The "nat" and "rtp_symmetric" options for chan_sip and chan_pjsip respectively enable symmetric RTP support in the RTP stack. This uses the source address of incoming media as the target address of any sent media. This option is not enabled by default but is commonly enabled to handle devices behind NAT. A change was made to the strict RTP support in the RTP stack to better tolerate late media when a reinvite occurs. When combined with the symmetric RTP support this introduced an avenue where media could be hijacked. Instead of only learning a new address when expected the new code allowed a new source address to be learned at all times. If a flood of RTP traffic was received the strict RTP support would allow the new address to provide media and with symmetric RTP enabled outgoing traffic would be sent to this new address, allowing the media to be hijacked. Provided the attacker continued to send traffic they would continue to receive traffic as well. Resolution The RTP stack will now only learn a new source address if it has been told to expect the address to change. The RTCP support has now also been updated to drop RTCP reports that are not regarding the RTP session currently in progress. The strict RTP learning progress has also been improved to guard against a flood of RTP packets attempting to take over the media stream. Affected Versions Product Release Series Asterisk Open Source 11.x 11.4.0 Asterisk Open Source 13.x All Releases Asterisk Open Source 14.x All Releases Certified Asterisk 11.6 All Releases Certified Asterisk 13.13 All Releases Corrected In Product Release Asterisk Open Source 11.25.2, 13.17.1, 14.6.1 Certified Asterisk 11.6-cert17, 13.13-cert5 Patches SVN URL Revision http://downloads.asterisk.org/pub/security/AST-2017-005-11.diff Asterisk 11 http://downloads.asterisk.org/pub/security/AST-2017-005-13.diff Asterisk 13 http://downloads.asterisk.org/pub/security/AST-2017-005-14.diff Asterisk 14 http://downloads.asterisk.org/pub/security/AST-2017-005-11.6.diff Certified Asterisk 11.6 http://downloads.asterisk.org/pub/security/AST-2017-005-13.13.diff Certified Asterisk 13.13 Links https://issues.asterisk.org/jira/browse/ASTERISK-27013 Asterisk Project Security Advisories are posted at http://www.asterisk.org/security This document may be superseded by later versions; if so, the latest version will be posted at http://downloads.digium.com/pub/security/AST-2017-005.pdf and http://downloads.digium.com/pub/security/AST-2017-005.html Revision History Date Editor Revisions Made May 30, 2017 Joshua Colp Initial Revision Asterisk Project Security Advisory - AST-2017-005 Copyright (c) 2017 Digium, Inc. All Rights Reserved. Permission is hereby granted to distribute and publish this advisory in its original, unaltered form.
--- End Message ---
--- Begin Message ---Source: asterisk Source-Version: 1:13.14.1~dfsg-2+deb9u1 We believe that the bug you reported is fixed in the latest version of asterisk, which is due to be installed in the Debian FTP archive. A summary of the changes between this version and the previous one is attached. Thank you for reporting the bug, which will now be closed. If you have further comments please address them to [email protected], and the maintainer will reopen the bug report if appropriate. Debian distribution maintenance software pp. Bernhard Schmidt <[email protected]> (supplier of updated asterisk package) (This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing [email protected]) -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Format: 1.8 Date: Sat, 02 Sep 2017 23:21:14 +0200 Source: asterisk Binary: asterisk asterisk-modules asterisk-dahdi asterisk-vpb asterisk-voicemail asterisk-voicemail-imapstorage asterisk-voicemail-odbcstorage asterisk-ooh323 asterisk-mp3 asterisk-mysql asterisk-mobile asterisk-doc asterisk-dev asterisk-config Architecture: source all amd64 Version: 1:13.14.1~dfsg-2+deb9u1 Distribution: stretch-security Urgency: high Maintainer: Debian VoIP Team <[email protected]> Changed-By: Bernhard Schmidt <[email protected]> Description: asterisk - Open Source Private Branch Exchange (PBX) asterisk-config - Configuration files for Asterisk asterisk-dahdi - DAHDI devices support for the Asterisk PBX asterisk-dev - Development files for Asterisk asterisk-doc - Source code documentation for Asterisk asterisk-mobile - Bluetooth phone support for the Asterisk PBX asterisk-modules - loadable modules for the Asterisk PBX asterisk-mp3 - MP3 playback support for the Asterisk PBX asterisk-mysql - MySQL database protocol support for the Asterisk PBX asterisk-ooh323 - H.323 protocol support for the Asterisk PBX - ooH323c asterisk-voicemail - simple voicemail support for the Asterisk PBX asterisk-voicemail-imapstorage - IMAP voicemail storage support for the Asterisk PBX asterisk-voicemail-odbcstorage - ODBC voicemail storage support for the Asterisk PBX asterisk-vpb - VoiceTronix devices support for the Asterisk PBX Closes: 873907 873908 Changes: asterisk (1:13.14.1~dfsg-2+deb9u1) stretch-security; urgency=high . * CVE-2017-14099 / AST-2017-005 Media takeover in RTP stack ("RTP bleed") (Closes: #873907) * CVE-2017-14100 / AST-2017-006 Shell access command injection in app_minivm (Closes: #873908) Checksums-Sha1: c9d61e64a623e16c06938b5bd80903f7fe20c213 4133 asterisk_13.14.1~dfsg-2+deb9u1.dsc ad3b0601910c7b9debd8edee25bcfe985666280f 6152096 asterisk_13.14.1~dfsg.orig.tar.xz dd4f94d834e2fb3dcc8a200ad025c33a55b022d3 136656 asterisk_13.14.1~dfsg-2+deb9u1.debian.tar.xz d1826495277caa1796c4b2f64913a03b5e889c59 1121336 asterisk-config_13.14.1~dfsg-2+deb9u1_all.deb ad02e2e0ac0d322825ba9b6db969178a7188fcce 551216 asterisk-dahdi-dbgsym_13.14.1~dfsg-2+deb9u1_amd64.deb 4b9fdae2ac5bc0653040d8956b5440da5809cdfe 959542 asterisk-dahdi_13.14.1~dfsg-2+deb9u1_amd64.deb 3f92ad81f31192e65e39532f4513fc03d54cabef 3319414 asterisk-dbgsym_13.14.1~dfsg-2+deb9u1_amd64.deb 3b05d31a68fa9e14c9629dfdadd0b4d1d17b3eb4 1155604 asterisk-dev_13.14.1~dfsg-2+deb9u1_all.deb 9983e1300f11b00160c82fada0825fcedf868dc7 1462298 asterisk-doc_13.14.1~dfsg-2+deb9u1_all.deb 4b34c69389516bc98e03f91d05822245744231fc 69604 asterisk-mobile-dbgsym_13.14.1~dfsg-2+deb9u1_amd64.deb b677cb381727478f408ea475e2f77064552e3eac 755022 asterisk-mobile_13.14.1~dfsg-2+deb9u1_amd64.deb 5f763de4e62b44c105dd531971f56ca6b9288ce3 8976888 asterisk-modules-dbgsym_13.14.1~dfsg-2+deb9u1_amd64.deb 0fa09e886ee96dd73b7fabf8d92fb735013e0f04 2898068 asterisk-modules_13.14.1~dfsg-2+deb9u1_amd64.deb 490dd9cc747a9be219ed2b167439ed757f6a0e88 44148 asterisk-mp3-dbgsym_13.14.1~dfsg-2+deb9u1_amd64.deb 1637a367c0f471726031dab17197bbfc8e945ad4 743844 asterisk-mp3_13.14.1~dfsg-2+deb9u1_amd64.deb 8a24fd2cf1518ab55d2b98a8ce487fffe35350b5 112668 asterisk-mysql-dbgsym_13.14.1~dfsg-2+deb9u1_amd64.deb 0c8f984e92db5a774ad75ea9095bf4f4fd27712c 758840 asterisk-mysql_13.14.1~dfsg-2+deb9u1_amd64.deb debf5fb17a2c52fd7e262c57fe408cca7b0bd92d 1399314 asterisk-ooh323-dbgsym_13.14.1~dfsg-2+deb9u1_amd64.deb a1b1387591993863a8b813c5c3971b4849765f15 1058338 asterisk-ooh323_13.14.1~dfsg-2+deb9u1_amd64.deb 47672e20de60e7c1c9fd2ae818ea44df978db42c 210360 asterisk-voicemail-dbgsym_13.14.1~dfsg-2+deb9u1_amd64.deb d78437e460c72cd5362f260df248d4f5c89018a2 246734 asterisk-voicemail-imapstorage-dbgsym_13.14.1~dfsg-2+deb9u1_amd64.deb 2a53655175ce7a35aeb99c09cd7ace2128650625 822656 asterisk-voicemail-imapstorage_13.14.1~dfsg-2+deb9u1_amd64.deb 4e2715e9a68d076ef5f6c88ba5be09fe1b1c59e4 221848 asterisk-voicemail-odbcstorage-dbgsym_13.14.1~dfsg-2+deb9u1_amd64.deb cbc2f82f1689f1058ffe73c1462ab0207cb5121b 811788 asterisk-voicemail-odbcstorage_13.14.1~dfsg-2+deb9u1_amd64.deb 47ca23634ee7aa213d137de55c6ff3301b804458 806008 asterisk-voicemail_13.14.1~dfsg-2+deb9u1_amd64.deb 9039f0440370c80f5654165ef8cb29397873d621 66014 asterisk-vpb-dbgsym_13.14.1~dfsg-2+deb9u1_amd64.deb 9e1b6b220872d4a825dfa25d759cfd67be514d76 746378 asterisk-vpb_13.14.1~dfsg-2+deb9u1_amd64.deb 3739cb69e9d7cb0072f3b4a9e4ba0e826d069d65 26743 asterisk_13.14.1~dfsg-2+deb9u1_amd64.buildinfo ca5f04b19d075e68b3ad0e9c4443049a4a90be75 2213966 asterisk_13.14.1~dfsg-2+deb9u1_amd64.deb Checksums-Sha256: 12e241e57f000a094f2c0d90dfadf7eadd27a27a734c0c3bb7e90a3f65195e10 4133 asterisk_13.14.1~dfsg-2+deb9u1.dsc 9f52c386cb3eec6f01af7f1e03818280870896defde0da9f8f032db351a642b7 6152096 asterisk_13.14.1~dfsg.orig.tar.xz 4a7e128a65ae4a703b43c681bce9ba826b1031a4fcf0415e088be66cc841183a 136656 asterisk_13.14.1~dfsg-2+deb9u1.debian.tar.xz d73366d2697187be7db85fff0710d290a47036e7d38dcb5c1850f4fa82d3f249 1121336 asterisk-config_13.14.1~dfsg-2+deb9u1_all.deb ece27ed91fde070efbd2390e86e59294f4538f64c093f0e763152791d0b661e1 551216 asterisk-dahdi-dbgsym_13.14.1~dfsg-2+deb9u1_amd64.deb 8ff821a64b253ff3da54bb0dcbb8d214b52796d8cf7e526f17bb6e8e817b5ba4 959542 asterisk-dahdi_13.14.1~dfsg-2+deb9u1_amd64.deb b81cb049a3c9d0d98875fb8d357ebd61aabf7b1543962b4e22fd7320387d7508 3319414 asterisk-dbgsym_13.14.1~dfsg-2+deb9u1_amd64.deb 3a98375472d6fdd7bcdbd3397935b23e64ed52f74bb1f80fcdf9e6c04d8206a4 1155604 asterisk-dev_13.14.1~dfsg-2+deb9u1_all.deb 3856628e6bcd0cebd51694b9dec36d82d37eafbb82bc62460221af70e35dd257 1462298 asterisk-doc_13.14.1~dfsg-2+deb9u1_all.deb 3ff8fc5224bfa884567419630b576a5022caecea47b77fc35a8b18ee6b5421a3 69604 asterisk-mobile-dbgsym_13.14.1~dfsg-2+deb9u1_amd64.deb b4c3fb29472808ce83cb7445fba03ec05ae0e8206256685bd66e193718c92479 755022 asterisk-mobile_13.14.1~dfsg-2+deb9u1_amd64.deb 20ece0b7519edcd837f6e49702056748456aac53afcb19c5c822acb11c3892e2 8976888 asterisk-modules-dbgsym_13.14.1~dfsg-2+deb9u1_amd64.deb f4468a4220947550d9e7737d2568302ca72f7ffa4e6cf31e5bfad64f983b7d4a 2898068 asterisk-modules_13.14.1~dfsg-2+deb9u1_amd64.deb aa7b3a559134c6ff2cac2b8eae7c96362dcdd92a9a3a65660c328205eb75c3b0 44148 asterisk-mp3-dbgsym_13.14.1~dfsg-2+deb9u1_amd64.deb 4f52c43320ca622e1af000ac33de89a741fe28179b2f4d46c303eead0616dba4 743844 asterisk-mp3_13.14.1~dfsg-2+deb9u1_amd64.deb 7ddc9b02261858f626cada87e3f5fc371c87dfb6cb57ade680a3ec9793a657ac 112668 asterisk-mysql-dbgsym_13.14.1~dfsg-2+deb9u1_amd64.deb abc4fb4b8aafa3bb4db62da50e0d7db6da980f74bb3823cd6feb18865de34c47 758840 asterisk-mysql_13.14.1~dfsg-2+deb9u1_amd64.deb 7c69d3c61f6ea48815837ae127bebf10dd54a92b2ee1757bca901d095234e459 1399314 asterisk-ooh323-dbgsym_13.14.1~dfsg-2+deb9u1_amd64.deb d7c1c64ae618e1f84b27e2654ba501c9ca5148831c82e953d3b305558b11afc9 1058338 asterisk-ooh323_13.14.1~dfsg-2+deb9u1_amd64.deb dfd2f28856c6be50cdb82f9bd7cffca524d2f7215d1764c3e50952a498de9994 210360 asterisk-voicemail-dbgsym_13.14.1~dfsg-2+deb9u1_amd64.deb 8d158df39505c56607b0fa63bce34a1c446c8356830351e011c1483572a68154 246734 asterisk-voicemail-imapstorage-dbgsym_13.14.1~dfsg-2+deb9u1_amd64.deb 7da7c2d2435d9857d6881fa3c56e6e2230b33576a68def8ff021e237c9fd0dbb 822656 asterisk-voicemail-imapstorage_13.14.1~dfsg-2+deb9u1_amd64.deb 9cc54a78a82c7e07032edf90d90a4098647f6af0be25df10b676dc012375aeeb 221848 asterisk-voicemail-odbcstorage-dbgsym_13.14.1~dfsg-2+deb9u1_amd64.deb b82f31295debced4761469fe6eb799d62d13f3af779192ab9ddf676fff175ddc 811788 asterisk-voicemail-odbcstorage_13.14.1~dfsg-2+deb9u1_amd64.deb 62375d135c01c8daa08b2345c73931c502759a0e01aa277e1c530b5eb537651e 806008 asterisk-voicemail_13.14.1~dfsg-2+deb9u1_amd64.deb a75182bcc9911b95634ff52d47f4c2ab79f0b10fe2f78f39659a0c329100e2a9 66014 asterisk-vpb-dbgsym_13.14.1~dfsg-2+deb9u1_amd64.deb 487c56bd575e32351344b7811cfabdbee51a918693cb6ae0515dfccee27108d7 746378 asterisk-vpb_13.14.1~dfsg-2+deb9u1_amd64.deb 02e0c957af9d0ea0d327110ca1fab044e76722cd872d948685b2d8c83421f152 26743 asterisk_13.14.1~dfsg-2+deb9u1_amd64.buildinfo 8abfdc54f4439ba5019ba301e95c3a99752b251da9e534ac35f0eea6c2a106f8 2213966 asterisk_13.14.1~dfsg-2+deb9u1_amd64.deb Files: df79290dfcbbcda537466e52356e0008 4133 comm optional asterisk_13.14.1~dfsg-2+deb9u1.dsc 6db73384168c17ebe6160ba96c5c6209 6152096 comm optional asterisk_13.14.1~dfsg.orig.tar.xz 5e67b21b5cb715519bb775e22c091f43 136656 comm optional asterisk_13.14.1~dfsg-2+deb9u1.debian.tar.xz 895a21dfe78de164dc3b561c106a1c90 1121336 comm optional asterisk-config_13.14.1~dfsg-2+deb9u1_all.deb 7f269a992420cde13d0ba9bb5f821bc3 551216 debug extra asterisk-dahdi-dbgsym_13.14.1~dfsg-2+deb9u1_amd64.deb 5021d551014f1ef664543068372f44af 959542 comm optional asterisk-dahdi_13.14.1~dfsg-2+deb9u1_amd64.deb 02596e9b6d5f81f89b85bb298dea0702 3319414 debug extra asterisk-dbgsym_13.14.1~dfsg-2+deb9u1_amd64.deb cc4dab75442674af099585a40554202c 1155604 devel extra asterisk-dev_13.14.1~dfsg-2+deb9u1_all.deb 7053b40c86687f1abebbc5549547bebe 1462298 doc extra asterisk-doc_13.14.1~dfsg-2+deb9u1_all.deb 11c07513b96a6e7a9fa35b2c3e7f61f2 69604 debug extra asterisk-mobile-dbgsym_13.14.1~dfsg-2+deb9u1_amd64.deb 09bf68199d3cc5dd8ed30c14b3db4a2e 755022 comm optional asterisk-mobile_13.14.1~dfsg-2+deb9u1_amd64.deb 559b7d2b63b2290f50fbd1515a7bf568 8976888 debug extra asterisk-modules-dbgsym_13.14.1~dfsg-2+deb9u1_amd64.deb defe698690bf1bc0e2c789f5c21ce330 2898068 libs optional asterisk-modules_13.14.1~dfsg-2+deb9u1_amd64.deb 1b45d9df5bbfbc92f4fe3123b7628220 44148 debug extra asterisk-mp3-dbgsym_13.14.1~dfsg-2+deb9u1_amd64.deb 6657a9aa80fd7e84924b14e059a779d9 743844 comm optional asterisk-mp3_13.14.1~dfsg-2+deb9u1_amd64.deb 19b89e9291c771cf72563712bf9e529e 112668 debug extra asterisk-mysql-dbgsym_13.14.1~dfsg-2+deb9u1_amd64.deb 1a49abd838bc5f864d2c5e75c41f901b 758840 comm optional asterisk-mysql_13.14.1~dfsg-2+deb9u1_amd64.deb 716b1863577965196e54de64b8b78af0 1399314 debug extra asterisk-ooh323-dbgsym_13.14.1~dfsg-2+deb9u1_amd64.deb 5cb2044470744c9951df8bf5a54988aa 1058338 comm optional asterisk-ooh323_13.14.1~dfsg-2+deb9u1_amd64.deb 8a49d668553539639b1d5d1ab4e7439c 210360 debug extra asterisk-voicemail-dbgsym_13.14.1~dfsg-2+deb9u1_amd64.deb e86ea5cd3eb4ba3369e4037c342103e5 246734 debug extra asterisk-voicemail-imapstorage-dbgsym_13.14.1~dfsg-2+deb9u1_amd64.deb d24e0ded17ac7e3da6ba29fe3a83e9cc 822656 comm optional asterisk-voicemail-imapstorage_13.14.1~dfsg-2+deb9u1_amd64.deb ed69d359f683fa7fb15ec34b6ce4ca0f 221848 debug extra asterisk-voicemail-odbcstorage-dbgsym_13.14.1~dfsg-2+deb9u1_amd64.deb 3065f5da3fbf71442da925a7fc025920 811788 comm optional asterisk-voicemail-odbcstorage_13.14.1~dfsg-2+deb9u1_amd64.deb 946c0f6346c2af086a8a440e02854b0f 806008 comm optional asterisk-voicemail_13.14.1~dfsg-2+deb9u1_amd64.deb 8163949fa4b1ad556540e1cc9bb889ed 66014 debug extra asterisk-vpb-dbgsym_13.14.1~dfsg-2+deb9u1_amd64.deb d0fa3cd9d2e1fe34dd623158bd2a34af 746378 comm optional asterisk-vpb_13.14.1~dfsg-2+deb9u1_amd64.deb 9036f8df8f5c85690367bee3653d0321 26743 comm optional asterisk_13.14.1~dfsg-2+deb9u1_amd64.buildinfo 24d6f0310762a1a0c69b800965438d39 2213966 comm optional asterisk_13.14.1~dfsg-2+deb9u1_amd64.deb -----BEGIN PGP SIGNATURE----- iQJFBAEBCAAvFiEE1uAexRal3873GVbTd1B55bhQvJMFAlmtEC8RHGJlcm5pQGRl Ymlhbi5vcmcACgkQd1B55bhQvJPGYw/9FpIPiEzcenxdN/94UTrLSsuS4GwG7WMy 0zkGthml+bsd/B0S9KwBSHpFi9MQdeq6OcEdyrRJF7BncXUqnSU+MB/IlBk0Svdx 5IWEVNtNUZzf1GA/KQtwnDJnCHksC/ahdh8CQrs+/5keZzcR4M0Q/6UNwiADlp8l sLZi4kfCXDgTEJ0q8z9fvbKCCS0r+kjb4DIiHYxrc7u8rRaQYkwcS3zUxJSqpS5C 86gxa9iUEZ7I9uezsTAnOKCy5TIlrOCucHumns7thlyOcsZajBULTkYzun5lAoQH e8bEYlio+bg3r6vooW+Mb1aCygctLSia2fbgLv9SmNyGy6ZpFCVuK2HzE4ro8MFE OKV5hcV5U40dkOlNbWWCW3s9bwRqmUA618qCfjLy9oja2iMF2qVE/ThGBipH/4ue gsO9W4fmMGJgIfxDGdZKU+yPMvla3qwd2iJ3B8twpYYQxttZpGECCfKxFCFdbwG5 Ne/SM11/6QDrm0Ba5TlcHZGSdH3MKm5gegXjfn0UX6l9Kuj7HXxqSnDZnURkb7hY hmR2CfOg/bfOtHRRUUH0AQR6Po8H/iVdE07c4CCWm+FJx0+jsZJJDyxTt2Nfuhz7 mEebXzR/Z5hFHuIvdTmEnirnOZemeaKtAbz7+PLG7S9T8qOloXzOalu2pdMEjvR1 EAZVCVYu+28= =ed1J -----END PGP SIGNATURE-----
--- End Message ---
