Package        : asterisk
Version        : 1:1.8.13.1~dfsg1-3+deb7u7
CVE ID         : CVE-2017-14100
Debian Bug     : 873908

A security vulnerability was discovered in Asterisk, an Open Source PBX
and telephony toolkit, that may lead to unauthorized command execution.

The app_minivm module has an "externnotify" program configuration option
that is executed by the MinivmNotify dialplan application. The application
uses the caller-id name and number as part of a built string passed to the
OS shell for interpretation and execution. Since the caller-id name and
number can come from an untrusted source, a crafted caller-id name or
number allows an arbitrary shell command injection.

For Debian 7 "Wheezy", this problem has been fixed in version
1:1.8.13.1~dfsg1-3+deb7u7.

We recommend that you upgrade your asterisk packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
