ESB-2018.2146 - [Win][UNIX/Linux][Debian] resiprocate: Multiple vulnerabilities 2018-07-25


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.2146
                        resiprocate security update
                               25 July 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           resiprocate
Publisher:         Debian
Operating System:  Debian GNU/Linux 8
                   UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Denial of Service               -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-12584 CVE-2017-11521 

Original Bulletin: 
   https://security-tracker.debian.org/tracker/DLA-1439-1

Comment: This advisory references vulnerabilities in products which run on 
         platforms other than Debian. It is recommended that administrators 
         running resiprocate check for an updated version of the software for
         their operating system.

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Package        : resiprocate
Version        : 1:1.9.7-5+deb8u1
CVE ID         : CVE-2017-11521 CVE-2018-12584


CVE-2018-12584
      A flaw in function ConnectionBase::preparseNewBytes of
      resip/stack/ConnectionBase.cxx has been detected that
      allows remote attackers to cause a denial of service
      (buffer overflow) or possibly execute arbitrary code
      when TLS communication is enabled.

CVE-2017-11521
      A flaw in function SdpContents::Session::Medium::parse of
      resip/stack/SdpContents.cxx has been detected that allows
      remote attackers to cause a denial of service (memory
      consumption) by triggering many media connections.


For Debian 8 "Jessie", these problems have been fixed in version
1:1.9.7-5+deb8u1.

We recommend that you upgrade your resiprocate packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----
