[3.7] asterisk: Multiple vulnerabilities (CVE-2017-16671, CVE-2017-16672, CVE-2017-17090, CVE-2017-17664, CVE-2017-17850)
CVE-2017-17090: DOS Vulnerability in Asterisk chan_skinny (3.7, 3.6-3.4)
If the chan_skinny (AKA SCCP protocol) channel driver is flooded with
certain requests, it can cause the Asterisk process to use excessive
amounts of virtual memory, eventually causing Asterisk to stop
processing requests of any kind.
Fixed In Version:
asterisk 13.18.3, asterisk 14.7.3, asterisk 15.1.3
References:
http://downloads.asterisk.org/pub/security/AST-2017-013.html
https://nvd.nist.gov/vuln/detail/CVE-2017-17090
CVE-2017-17664: Remote Crash Vulnerability in RTCP Stack
A Remote Crash issue was discovered in Asterisk Open Source 13.x before
13.18.4, 14.x before 14.7.4, and 15.x before 15.1.4 and Certified
Asterisk before 13.13-cert9. Certain compound RTCP packets cause a
crash in the RTCP Stack.
Fixed In Version:
asterisk 13.18.4, asterisk 14.7.4, asterisk 15.1.4
References:
https://nvd.nist.gov/vuln/detail/CVE-2017-17664
http://downloads.asterisk.org/pub/security/AST-2017-012.html
CVE-2017-17850: Crash in PJSIP resource when missing a contact header
An issue was discovered in Asterisk 13.18.4 and older, 14.7.4 and older,
15.1.4 and older, and 13.18-cert1 and older. A select set of SIP messages
create a dialog in Asterisk. Those SIP messages must contain a contact
header. For those messages, if the header was not present and the PJSIP
channel driver was used, Asterisk would crash.
Fixed In Version:
asterisk 13.18.5, 14.7.5, 15.1.5
References:
https://nvd.nist.gov/vuln/detail/CVE-2017-17850
http://downloads.asterisk.org/pub/security/AST-2017-014.html
(from redmine: issue id 8353, created on 2017-12-28, closed on 2018-01-12)
- Relations:
  - parent #8352 (closed)
- Changesets:
  - Revision 81093561 by Timo Teräs on 2017-12-29T07:02:24Z:
    main/asterisk: upgrade to 15.1.3
    ref #8353
    AST-2017-013 DOS Vulnerability in Asterisk chan_skinny
  - Revision 7f5476f7 by Timo Teräs on 2017-12-29T07:02:34Z:
    main/asterisk: upgrade to 15.1.4
    ref #8353
    AST-2017-012 Remote Crash Vulnerability in RTCP Stack
  - Revision 5be88b86 by Timo Teräs on 2017-12-29T07:02:39Z:
    main/asterisk: security upgrade to 15.1.5
    fixes #8353
    AST-2017-014 Crash in PJSIP resource when missing a contact header
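
A screening check that a SIP proxy or capture filter in front of a not-yet-upgraded Asterisk could apply for CVE-2017-17850, added here as an example and not code from Asterisk or Alpine: it flags dialog-creating requests that carry no Contact header. The method set (INVITE, SUBSCRIBE, REFER) is an assumption taken from the SIP RFCs rather than from the advisory, and all sample messages are constructed.

```python
# Assumption (not from the advisory): dialog-creating methods per the SIP RFCs.
DIALOG_METHODS = {"INVITE", "SUBSCRIBE", "REFER"}
CONTACT_NAMES = {"contact", "m"}  # "m" is the compact form of Contact


def parse_request(raw: bytes):
    """Return (method, header_names) for a SIP request, or None otherwise."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("utf-8", "replace")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    # Request line is "METHOD uri SIP/2.0"; a status line ends differently.
    if len(parts) != 3 or not parts[2].startswith("SIP/"):
        return None
    names = set()
    for line in lines[1:]:
        if line[:1] in (" ", "\t"):
            continue  # folded continuation of the previous header, not a header
        name, sep, _ = line.partition(":")
        if sep:
            names.add(name.strip().lower())  # header names are case-insensitive
    return parts[0], names


def lacks_required_contact(raw: bytes) -> bool:
    """True for a dialog-creating request that has no Contact header."""
    parsed = parse_request(raw)
    if parsed is None:
        return False
    method, names = parsed
    return method in DIALOG_METHODS and not (names & CONTACT_NAMES)


def _msg(method, extra=()):
    """Build a constructed SIP request for the samples below."""
    lines = [f"{method} sip:bob@example.com SIP/2.0",
             "Via: SIP/2.0/UDP host.example.com;branch=z9hG4bKconstructed",
             "From: <sip:alice@example.com>;tag=1", "To: <sip:bob@example.com>",
             "Call-ID: constructed-1@example.com", f"CSeq: 1 {method}",
             *extra, "Content-Length: 0"]
    return ("\r\n".join(lines) + "\r\n\r\n").encode()


SAMPLES = {  # constructed messages, not captured traffic
    "invite_ok": _msg("INVITE", ["Contact: <sip:alice@host.example.com>"]),
    "invite_compact": _msg("INVITE", ["m: <sip:alice@host.example.com>"]),
    "invite_folded": _msg("INVITE", ["Subject: test", " Contact: <sip:x@example.com>"]),
    "invite_missing": _msg("INVITE"),
    "options_no_contact": _msg("OPTIONS"),
    "response": b"SIP/2.0 200 OK\r\nCSeq: 1 INVITE\r\n\r\n",
}
```

Requests for which `lacks_required_contact` returns True can be rejected or logged before they reach the PJSIP channel driver; upgrading to the fixed versions listed above remains the actual fix.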