ESB-2018.1070 - [Debian] pjproject: Denial of service - Existing account 2018-04-10

Printable version
PGP/GPG verifiable version

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.1070
                         pjproject security update
                               10 April 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           pjproject
Publisher:         Debian
Operating System:  Debian GNU/Linux 9
Impact/Access:     Denial of Service -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-1000099 CVE-2018-1000098 CVE-2017-16875
                   CVE-2017-16872  

Reference:         ESB-2018.0586.2

Original Bulletin: 
   http://www.debian.org/security/2018/dsa-4170

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- - -------------------------------------------------------------------------
Debian Security Advisory DSA-4170-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
April 09, 2018                        https://www.debian.org/security/faq
- - -------------------------------------------------------------------------

Package        : pjproject
CVE ID         : CVE-2017-16872 CVE-2017-16875 CVE-2018-1000098
                 CVE-2018-1000099

Multiple vulnerabilities have been discovered in the PJSIP/PJProject
multimedia communication which may result in denial of service during
the processing of SIP and SDP messages and ioqueue keys.

For the stable distribution (stretch), these problems have been fixed in
version 2.5.5~dfsg-6+deb9u1.

We recommend that you upgrade your pjproject packages.

For the detailed security status of pjproject please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/pjproject

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAlrL0/0ACgkQEMKTtsN8
Tjb24Q//Tf+mgNJCFCH34I3wEO59joHw6/pytj587BrFiC6tE91ueYf2gMvoFyGM
9t3o1XMKxox2AQdoDkLJ5AHRGWm2rfgpe0Udog/W9deAG/U6eISTs7roisB58O58
iQ32rHPCBUyqxvPC8fks3BXiBUDbNoRiYiXTpqzfN/Rj3T0s33HCeHgq/LJVM4f9
cbM70HlG3Nb6LRmtXkSUTOv0enblHy/Hi98YfO4xR02bY1bnQLePWPG2bcC0rpWs
c9DxboRsh949yCH+5YK/4XiW1zX96SFlriX+uB6OiiWfzvdl/O5iUDa1Ccf8BorM
lANbeMuhfpTYfMIKP2/MkDCUJpMqZQ53VTX0GYCD4QDd4olyNpvdXNzyg53GIeBW
y1SAeF3J4ygURQQKbLARbStLGWEuW5f8b8lu9Cp1dtS/iwFlHFEUAB+m8jDqtI9k
q4hDLgtaR3c9x+XNH63EgVrga7fHQ332sDfh4o6vItsfs1FjtPeM89kbq4Fh8PnE
GJXFmggtuXpezhrgPrUnJwhzkbxRpd804ulY464izTJRTMIUvv7CcRH31Kn58DwC
Mt8417Lgi0jEDMCEYCOZjXL62EOM84qTHpWHZ4sFsubIzf1DZY6mW7Yghz1LzqLm
7+k9DG+9etDaNvxrM5nkfaeMbpedVSymqikqC6a2/tP8xDBp38k=
=wjk0
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBWsxCiYx+lLeg9Ub1AQjIuQ/+MP5sNHqHd8PcUMih+0hZx2MklfeVieJG
PAam1OvWnOJxt3QCcxJSspu2UjkSroEwNewBSQZwgkzXZMoIo7BiyKE/+eu/SqAa
vwo3DVyK3/imsvNC0NMCKsFOLGIHJKX3iNSOHwrpPvtW6EriVoaakrJGYQm9L0zN
7H4hY+wmXZ6D31SeRhuGq+jhDBPvyU7f2ipJMGr3EenK6yEbISoxsfxsCVqXVTs5
KQllme+jwL9HD9Zl8UoYyW9vtOFE7aixtvWj+mVVrvVRxZhvvjX3zh9PS6IX++Mw
yB4McbYm2VGQW/+vSdjD6PMwOh9JVK2GOxzMra/ZIskEsya67Co0oeiEipaCcDq5
gEG27W5Dr4wA9j/KSPyYDAzLOtvKyDFesi88I8BK+P4+nZdXdYimXmDYlH5Z12ne
s0BA2L0lIjpCNLDqZWEupXuqAsZakcgk7jrvQUB51isqGT+6i0dDg8+XPjAFWyoX
OxxzXNlRrqtSdIH7oGO0fMVOSM+s7ITNzSyMLkbjFV/1B1twMasdASBN0tfgays4
DFM4iTyaKeI666aAZJ4b3zQ5W4p8V2pEOpNDMc8oYA4RXQcrgAtSwIlqkWiuckOH
HHt6YhejNIUXxT9bbSlHO9Gyl3bfJk7F3Vsr//uvj+K+v2qgseu5nF9I1UyqA+hS
CxxkAZ8lSLA=
=WMZ5
-----END PGP SIGNATURE-----

« Back to bulletins