On Sat, Nov 03, 2018 at 04:33:21PM +0100, Sebastien Marie wrote:
> On Sat, Nov 03, 2018 at 03:54:23PM +0100, Hiltjo Posthuma wrote:
> > On Sat, Nov 03, 2018 at 03:13:05PM +0100, Sebastien Marie wrote:
> > Hi,
> >
> > I don't use this particular software,
>
> it is a bit a thread hijack...
>
> > but I am working on an automated CVE
> > checker similar to pkg audit on NetBSD, FreeBSD. It parses the FreeBSD VuXML
> > and compares the version ranges against a package list like
> > /usr/ports/INDEX or
> > pkg_info.
>
> the package is about pjsua/pjsip/pjproject. It would help if your
> references are linked to pjproject instead of Asterisk.
>
> > I think this package was affected by the following issues:
> >
> > https://downloads.asterisk.org/pub/security/AST-2018-002.html
>
> I only looked at the first issue you mentioned.
>
> CVE-2018-1000098
>
>   By crafting an SDP message with an invalid media format
>   description Asterisk crashes when using the pjsip channel driver
>   because pjproject's sdp parsing algorithm fails to catch the
>   invalid media format description.
>
> For that, looking at pjproject, I found it:
>   issue: https://trac.pjsip.org/repos/ticket/2093
>   fix: https://trac.pjsip.org/repos/changeset/5741
>
> As I am not really familiar with svn and/or Trac, I manually check if
> pjproject-2.8 has the fix applied.
>
> And it is. So the update to 2.8 doesn't have the issue. The package isn't
> affected by the issue.
>
> > https://downloads.asterisk.org/pub/security/AST-2017-009.html
> > https://downloads.asterisk.org/pub/security/AST-2017-002.html
> > https://downloads.asterisk.org/pub/security/AST-2016-005.html
>
> thanks.
> --
> Sebastien Marie

OK, I'm sorry for the noise.

--
Kind regards,
Hiltjo
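
A minimal sketch of the kind of check mentioned in the quoted message (matching VuXML version ranges against a pkg_info-style package list), added here as an illustration; it is not code from this thread or from the tool it mentions. The sample entry, package names, vid and version bounds are constructed, the XML namespace is omitted, and versions are assumed to be purely dotted-numeric.

```python
import operator
import xml.etree.ElementTree as ET

# Constructed, simplified VuXML-style entry: placeholder vid, package name and
# version bounds, no XML namespace. Not taken from the real VuXML database.
SAMPLE_VUXML = """<vuxml>
  <vuln vid="00000000-0000-0000-0000-000000000000">
    <topic>examplepkg -- constructed entry</topic>
    <affects><package>
      <name>examplepkg</name>
      <range><ge>2.0</ge><lt>2.7.2</lt></range>
    </package></affects>
  </vuln>
</vuxml>"""

OPS = {"lt": operator.lt, "le": operator.le, "gt": operator.gt,
       "ge": operator.ge, "eq": operator.eq}

def vkey(version):
    # Assumption: dotted-numeric versions only. Real port versions can carry
    # revision and epoch suffixes that need the pkg tools' comparison rules.
    parts = [int(p) for p in version.split(".")]
    while parts and parts[-1] == 0:   # treat 2.0 and 2 as equal
        parts.pop()
    return tuple(parts)

def parse_pkg_list(lines):
    # pkg_info-style "name-version" lines; the version follows the last "-".
    return dict(line.strip().rpartition("-")[::2] for line in lines if line.strip())

def in_range(version, range_el):
    # All bounds inside a single <range> must hold at once.
    return all(OPS[b.tag](vkey(version), vkey(b.text)) for b in range_el)

def audit(installed, vuxml_text):
    """Return sorted (package, version, vid) for every affected package."""
    hits = []
    for vuln in ET.fromstring(vuxml_text).iter("vuln"):
        for pkg in vuln.iter("package"):
            ranges = pkg.findall("range")
            for name in (n.text for n in pkg.findall("name")):
                ver = installed.get(name)
                if ver and any(in_range(ver, r) for r in ranges):
                    hits.append((name, ver, vuln.get("vid")))
    return sorted(hits)

if __name__ == "__main__":
    installed = parse_pkg_list(["examplepkg-2.7.1", "otherpkg-1.0"])  # constructed
    print(audit(installed, SAMPLE_VUXML))
```

A version at or above the fixed bound (here the constructed 2.7.2) produces no hit, which is the same conclusion reached by hand in the thread for a release that already contains the fix.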