Your message dated Tue, 25 Sep 2018 09:04:13 +0000 with message-id <e1g4jgp-0002i6...@fasolo.debian.org> and subject line Bug#909554: fixed in asterisk 1:13.23.1~dfsg-1 has caused the Debian Bug report #909554, regarding asterisk: CVE-2018-17281: Remote crash vulnerability in HTTP websocket upgrade to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 909554: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=909554 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
--- Begin Message ---Source: asterisk Version: 1:13.22.0~dfsg-2 Severity: grave Tags: security upstream Hi, The following vulnerability was published for asterisk. CVE-2018-17281[0]: | There is a stack consumption vulnerability in the | res_http_websocket.so module of Asterisk through 13.23.0, 14.7.x | through 14.7.7, and 15.x through 15.6.0 and Certified Asterisk through | 13.21-cert2. It allows an attacker to crash Asterisk via a specially | crafted HTTP request to upgrade the connection to a websocket. If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2018-17281 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17281 [1] http://downloads.asterisk.org/pub/security/AST-2018-009.html [2] https://issues.asterisk.org/jira/browse/ASTERISK-28013 Please adjust the affected versions in the BTS as needed. Regards, Salvatore
--- End Message ---
--- Begin Message ---Source: asterisk Source-Version: 1:13.23.1~dfsg-1 We believe that the bug you reported is fixed in the latest version of asterisk, which is due to be installed in the Debian FTP archive. A summary of the changes between this version and the previous one is attached. Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 909...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate. Debian distribution maintenance software pp. Bernhard Schmidt <be...@debian.org> (supplier of updated asterisk package) (This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@ftp-master.debian.org) -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Format: 1.8 Date: Tue, 25 Sep 2018 09:59:08 +0200 Source: asterisk Binary: asterisk asterisk-modules asterisk-dahdi asterisk-vpb asterisk-voicemail asterisk-voicemail-imapstorage asterisk-voicemail-odbcstorage asterisk-ooh323 asterisk-mp3 asterisk-mysql asterisk-mobile asterisk-tests asterisk-doc asterisk-dev asterisk-config Architecture: source Version: 1:13.23.1~dfsg-1 Distribution: unstable Urgency: medium Maintainer: Debian VoIP Team <pkg-voip-maintain...@lists.alioth.debian.org> Changed-By: Bernhard Schmidt <be...@debian.org> Description: asterisk - Open Source Private Branch Exchange (PBX) asterisk-config - Configuration files for Asterisk asterisk-dahdi - DAHDI devices support for the Asterisk PBX asterisk-dev - Development files for Asterisk asterisk-doc - Source code documentation for Asterisk asterisk-mobile - Bluetooth phone support for the Asterisk PBX asterisk-modules - loadable modules for the Asterisk PBX asterisk-mp3 - MP3 playback support for the Asterisk PBX asterisk-mysql - MySQL database protocol support for the Asterisk PBX asterisk-ooh323 - H.323 protocol support for the Asterisk PBX - ooH323c asterisk-tests - internal test modules of the Asterisk PBX asterisk-voicemail - simple voicemail support for the Asterisk PBX asterisk-voicemail-imapstorage - IMAP voicemail storage support for the Asterisk PBX asterisk-voicemail-odbcstorage - ODBC voicemail storage support for the Asterisk PBX asterisk-vpb - VoiceTronix devices support for the Asterisk PBX Closes: 909554 Changes: asterisk (1:13.23.1~dfsg-1) unstable; urgency=medium . * New upstream version 13.23.1~dfsg - CVE-2018-17281 / AST-2018-009 (Closes: #909554) Remote crash vulnerability in HTTP websocket upgrade * Add lintian overrides for modules Checksums-Sha1: 32db7e38d4fc81b96069160ca313d56f75d5dfb3 4239 asterisk_13.23.1~dfsg-1.dsc cd5d34dc001e15da3f8fb79276a3bd3e250cd568 6329096 asterisk_13.23.1~dfsg.orig.tar.xz 541ebff3b20d353df2993dea839a5f0129d1853d 128332 asterisk_13.23.1~dfsg-1.debian.tar.xz 70958c055d4e98cb599915409bbd4a53d29efc9d 28317 asterisk_13.23.1~dfsg-1_amd64.buildinfo Checksums-Sha256: 219ece13e1c15a59902c4ceb1711f1efb6b560925aacd298c6ad6f20d4882243 4239 asterisk_13.23.1~dfsg-1.dsc 7b785eeb9e7aab164eac3a0ae66dabf151fc3cb070ed3f08fc4c39ade2a0b3bb 6329096 asterisk_13.23.1~dfsg.orig.tar.xz 49cf92228a2e65429fceed8dbad01953b25a7e7c29843c6d3b5469cfa03e3c5e 128332 asterisk_13.23.1~dfsg-1.debian.tar.xz 71d611103613256bba7e8e45c98e5c629b36296a2f2ecfa5ee5f804b56ada017 28317 asterisk_13.23.1~dfsg-1_amd64.buildinfo Files: b05cb26a24e80ecac4a8bbe5181b5d1b 4239 comm optional asterisk_13.23.1~dfsg-1.dsc 095b4d9885d12e31732f6a57ef8a7989 6329096 comm optional asterisk_13.23.1~dfsg.orig.tar.xz ffbbaa98c2d1364efab5b0c8351bf379 128332 comm optional asterisk_13.23.1~dfsg-1.debian.tar.xz 0fce047a79045f1946f240ca7820eef7 28317 comm optional asterisk_13.23.1~dfsg-1_amd64.buildinfo -----BEGIN PGP SIGNATURE----- iQJFBAEBCgAvFiEE1uAexRal3873GVbTd1B55bhQvJMFAlup9GARHGJlcm5pQGRl Ymlhbi5vcmcACgkQd1B55bhQvJMfqA/+LxqgosPvRiln6JwhmVSUJ82Jy5HEqf7N 90Ya+RrnpDVu7UVRKDkXV5A+UCaYwV9tESbGjWIoI2dLtMi37usPxdHxAN8H8jpk MCcSNCsYE/nNu1v9Xw343956ExTXjCO37EDd7UrPwAMT6RoJqm4Zfzwx+wdO5rhv 1L9+aYQtjcd8yz3QqpvuJNAc4OZVNBpKSnQGIOB66sVSBLmcQldB5diTlfn9SLjB O/IpMOxbqg0LdVtZZo1i7irX3VPBAkwE9XpgAXTTzZlidWVj3S9H3Gf1XSSm1LTs FcpyceEdf4MB7kshQraLqhs7xGIDn871/7Wf6Vvg/oS6WJ+tCFExIkhPCcVZcFZV FerBdpYIp5mQsjK6oQM/h219CMs8HXM0Tgj5DSO7B+IxMldW/Umy0DrnoPRrP0Cz 1UMbWfrwRX40aVm15dUyhhPdegJrV9FgxeGLyqm03T919wVG3Wz1h1+ieQ9dTWqt 5CQXkTzsL6PLE638t8cr4kVUgLgYI1xt3X5sqshNVsRkjGBIfFOqhH2crO1fpJMD XBIi91JIlt4SMEfpF+oSR9bjzGvUgIGa8v68HQ/1a3vBE1ay0ADoMjSzPKjgtqNF NTRA9moGxSFfsNYsSQHc5J0AfWnc7tjouruk3KwxRl7RM1wcPWYtUxpCbhSjp8oZ xc1Elmyh5uo= =MpM/ -----END PGP SIGNATURE-----
--- End Message ---
