Source: asterisk
Version: 1:16.15.1~dfsg-1
Severity: grave
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerability was published for asterisk, filing as RC, but this might not be warranted; if you feel otherwise please downgrade. I made it such because of the unauthenticated vector.

CVE-2021-26906[0]:
| An issue was discovered in res_pjsip_session.c in Digium Asterisk
| through 13.38.1; 14.x, 15.x, and 16.x through 16.16.0; 17.x through
| 17.9.1; and 18.x through 18.2.0, and Certified Asterisk through
| 16.8-cert5. An SDP negotiation vulnerability in PJSIP allows a remote
| server to potentially crash Asterisk by sending specific SIP responses
| that cause an SDP negotiation failure.

If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-26906
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26906
[1] https://downloads.asterisk.org/pub/security/AST-2021-005.html

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore