-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.4526
                  asterisk security update for Debian LTS
                              2 December 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           asterisk
Publisher:         Debian
Operating System:  Debian GNU/Linux 8
Impact/Access:     Execute Arbitrary Code/Commands -- Existing Account      
                   Denial of Service               -- Remote/Unauthenticated
Resolution:        None
CVE Names:         CVE-2019-18790 CVE-2019-18610 CVE-2019-13161

Reference:         ESB-2019.4421
                   ESB-2019.2571

Original Bulletin: 
   https://lists.debian.org/debian-lts-announce/2019/11/msg00038.html
   second message URL unavailable at time of publishing

Comment: Note that as of DLA 2017-2 (the second advisory below), the backported
         fix for CVE-2019-13161 has been reverted due to a regression and
         another fix will be provided. The fixes for CVE-2019-18610 and
         CVE-2019-18790 are not affected by the revert.

         This bulletin contains two (2) Debian security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Package        : asterisk
Version        : 1:11.13.1~dfsg-2+deb8u7
CVE ID         : CVE-2019-13161 CVE-2019-18610 CVE-2019-18790

Several vulnerabilities are fixed in Asterisk,
an Open Source PBX and telephony toolkit.

CVE-2019-13161
An attacker was able to crash Asterisk when handling an SDP answer to an 
outgoing T.38 re-invite.

CVE-2019-18610
Remote authenticated Asterisk Manager Interface (AMI) users without 
system authorization could execute arbitrary system commands.

CVE-2019-18790
A SIP call hijacking vulnerability.

For Debian 8 "Jessie", these problems have been fixed in version
1:11.13.1~dfsg-2+deb8u7.

We recommend that you upgrade your asterisk packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

- -----BEGIN PGP SIGNATURE-----
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=RUiS
- -----END PGP SIGNATURE-----

- --------------------------------------------------------------------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Package        : asterisk
Version        : 1:11.13.1~dfsg-2+deb8u8

The backport of the CVE-2019-13161 fix caused a regression and
has been reverted.

For Debian 8 "Jessie", this problem has been fixed in version
1:11.13.1~dfsg-2+deb8u8.

We recommend that you upgrade your asterisk packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

cu
Adrian
- -----BEGIN PGP SIGNATURE-----
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=WtpI
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
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=kGdD
-----END PGP SIGNATURE-----