On Sat, Nov 03, 2018 at 03:54:23PM +0100, Hiltjo Posthuma wrote:
> On Sat, Nov 03, 2018 at 03:13:05PM +0100, Sebastien Marie wrote:
> Hi,
> 
> I don't use this particular software,

it is a bit of a thread hijack...

> but I am working on an automated CVE
> checker similar to pkg audit on NetBSD, FreeBSD. It parses the FreeBSD VuXML
> and compares the version ranges against a package list like /usr/ports/INDEX
> or pkg_info.

the package is about pjsua/pjsip/pjproject. It would help if your
references were linked to pjproject instead of Asterisk.

> I think this package was affected by the following issues:
> 
> https://downloads.asterisk.org/pub/security/AST-2018-002.html

I only looked at the first issue you mentioned.

        CVE-2018-1000098

        By crafting an SDP message with an invalid media format
        description Asterisk crashes when using the pjsip channel driver
        because pjproject's sdp parsing algorithm fails to catch the
        invalid media format description.

For that, looking at pjproject, I found it:
        issue: https://trac.pjsip.org/repos/ticket/2093
        fix: https://trac.pjsip.org/repos/changeset/5741

As I am not really familiar with svn and/or trac, I manually checked if
pjproject-2.8 has the fix applied.

And it is, so the update to 2.8 doesn't have the issue. The package isn't
affected by the issue.

> https://downloads.asterisk.org/pub/security/AST-2017-009.html
> https://downloads.asterisk.org/pub/security/AST-2017-002.html
> https://downloads.asterisk.org/pub/security/AST-2016-005.html

thanks.
-- 
Sebastien Marie
