ESB-2018.0027 - [UNIX/Linux][Debian] asterisk: Multiple vulnerabilities - 2018-01-02


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.0027
                         asterisk security update
                              2 January 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           asterisk
Publisher:         Debian
Operating System:  Debian GNU/Linux 8
                   Debian GNU/Linux 9
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Denial of Service               -- Remote/Unauthenticated
                   Access Confidential Data        -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2017-17664 CVE-2017-17090 CVE-2017-16672
                   CVE-2017-16671  

Original Bulletin: 
   http://www.debian.org/security/2017/dsa-4076

Comment: This advisory references vulnerabilities in products which run on 
         platforms other than Debian. It is recommended that administrators 
         running asterisk check for an updated version of the software for 
         their operating system.

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- - -------------------------------------------------------------------------
Debian Security Advisory DSA-4076-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
December 30, 2017                     https://www.debian.org/security/faq
- - -------------------------------------------------------------------------

Package        : asterisk
CVE ID         : CVE-2017-16671 CVE-2017-16672 CVE-2017-17090
                 CVE-2017-17664

Multiple vulnerabilities have been discovered in Asterisk, an open source
PBX and telephony toolkit, which may result in denial of service,
information disclosure and potentially the execution of arbitrary code.

For the oldstable distribution (jessie), these problems have been fixed
in version 1:11.13.1~dfsg-2+deb8u5.

For the stable distribution (stretch), these problems have been fixed in
version 1:13.14.1~dfsg-2+deb9u3.

We recommend that you upgrade your asterisk packages.

For the detailed security status of asterisk please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/asterisk

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----

- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----