===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.4526
                  asterisk security update for Debian LTS
                              2 December 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           asterisk
Publisher:         Debian
Operating System:  Debian GNU/Linux 8
Impact/Access:     Execute Arbitrary Code/Commands -- Existing Account
                   Denial of Service               -- Remote/Unauthenticated
Resolution:        None
CVE Names:         CVE-2019-18790 CVE-2019-18610 CVE-2019-13161
Reference:         ESB-2019.4421
                   ESB-2019.2571

Original Bulletin:
   https://lists.debian.org/debian-lts-announce/2019/11/msg00038.html
   second message URL unavailable at time of publishing

Comment: Note that as of DLA 2017-2, the fix has been reverted due to a
         regression and another fix will be provided.

This bulletin contains two (2) Debian security advisories.

--------------------------BEGIN INCLUDED TEXT--------------------

Package        : asterisk
Version        : 1:11.13.1~dfsg-2+deb8u7
CVE ID         : CVE-2019-13161 CVE-2019-18610 CVE-2019-18790

Several vulnerabilities are fixed in Asterisk, an Open Source PBX and telephony toolkit.

CVE-2019-13161

    An attacker was able to crash Asterisk when handling an SDP answer to an outgoing T.38 re-invite.

CVE-2019-18610

    Remote authenticated Asterisk Manager Interface (AMI) users without system authorization could execute arbitrary system commands.

CVE-2019-18790

    A SIP call hijacking vulnerability.

For Debian 8 "Jessie", these problems have been fixed in version 1:11.13.1~dfsg-2+deb8u7.

We recommend that you upgrade your asterisk packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS

--------------------------------------------------------------------------------

Package        : asterisk
Version        : 1:11.13.1~dfsg-2+deb8u8

The backport of the CVE-2019-13161 fix caused a regression and has been reverted.

For Debian 8 "Jessie", this problem has been fixed in version 1:11.13.1~dfsg-2+deb8u8.

We recommend that you upgrade your asterisk packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS

cu
Adrian

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures.
AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================