Source: asterisk
Version: 1:20.5.0~dfsg+~cs6.13.40431414-1
Severity: grave
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerability was published for asterisk.

CVE-2023-49786[0]:
| Asterisk is an open source private branch exchange and telephony
| toolkit. In Asterisk prior to versions 18.20.1, 20.5.1, and 21.0.1;
| as well as certified-asterisk prior to 18.9-cert6; Asterisk is
| susceptible to a DoS due to a race condition in the hello handshake
| phase of the DTLS protocol when handling DTLS-SRTP for media setup.
| This attack can be done continuously, thus denying new DTLS-SRTP
| encrypted calls during the attack. Abuse of this vulnerability may
| lead to a massive Denial of Service on vulnerable Asterisk servers
| for calls that rely on DTLS-SRTP. Commit
| d7d7764cb07c8a1872804321302ef93bf62cba05 contains a fix, which is
| part of versions 18.20.1, 20.5.1, 21.0.1, and 18.9-cert6.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-49786
    https://www.cve.org/CVERecord?id=CVE-2023-49786
[1] https://github.com/asterisk/asterisk/security/advisories/GHSA-hxj9-xwr8-w8pq
[2] https://github.com/asterisk/asterisk/commit/d7d7764cb07c8a1872804321302ef93bf62cba05

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
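Editor's note (not part of the bug report above, nor of the Asterisk or Debian projects): the advisory names the first fixed upstream release per branch (18.20.1, 20.5.1, 21.0.1). The added POSIX shell helper below turns a Debian package version string such as the one in the report into its upstream version and compares it against those thresholds. The branch table, the treatment of unlisted branches (exit status 2) and the sample versions are this example's own assumptions; the certified-asterisk branch is not handled because its "18.9-cert6" scheme is not a dotted numeric version.

```shell
#!/bin/sh
# Added example: is a given Asterisk package version at or past the
# first release that carries the fix for CVE-2023-49786?
# Fixed versions per the GitHub advisory: 18.20.1, 20.5.1, 21.0.1.

# Extract the upstream version from a Debian version string:
# drop the epoch ("1:") and everything from the first "~" or "-" on,
# e.g. "1:20.5.0~dfsg+~cs6.13.40431414-1" -> "20.5.0".
upstream_version() {
    printf '%s\n' "$1" | sed -e 's/^[0-9]*://' -e 's/[~-].*$//'
}

# Compare two dotted numeric versions field by field; prints -1, 0 or 1.
# Missing trailing fields count as 0, so "20.5" == "20.5.0".
vercmp() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, A, "."); nb = split(b, B, ".");
        n = (na > nb) ? na : nb;
        for (i = 1; i <= n; i++) {
            x = (i <= na) ? A[i] + 0 : 0;
            y = (i <= nb) ? B[i] + 0 : 0;
            if (x < y) { print -1; exit }
            if (x > y) { print 1; exit }
        }
        print 0
    }'
}

# Exit status: 0 = fixed, 1 = vulnerable, 2 = branch not covered by the
# advisory (assumption of this example; the advisory lists only 18, 20, 21).
cve_2023_49786_fixed() {
    v=$(upstream_version "$1")
    major=${v%%.*}
    case "$major" in
        18) fixed=18.20.1 ;;
        20) fixed=20.5.1 ;;
        21) fixed=21.0.1 ;;
        *)  return 2 ;;
    esac
    [ "$(vercmp "$v" "$fixed")" -ge 0 ]
}

# Usage against the installed package (constructed fallback if dpkg is absent):
installed=$(dpkg-query -W -f='${Version}' asterisk 2>/dev/null || echo '1:20.5.0~dfsg+~cs6.13.40431414-1')
if cve_2023_49786_fixed "$installed"; then
    echo "asterisk $installed: upstream version at or past the fixed release"
elif [ $? -eq 2 ]; then
    echo "asterisk $installed: branch not listed in the advisory, check manually"
else
    echo "asterisk $installed: upstream version predates the fix"
fi
```

Caveat: this compares upstream version numbers only. A distribution may backport the fix without changing the upstream version (a new Debian revision of 1:20.5.0~dfsg+...), which is exactly why the report asks for the CVE id in the changelog entry; for a packaged build, the changelog and the security tracker entry [0] are authoritative, and this check only tells you whether the upstream release itself predates the fix.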