Headline
Debian Security Advisory 5438-1
Debian Linux Security Advisory 5438-1 - A flaw was found in Asterisk, an Open Source Private Branch Exchange. A buffer overflow vulnerability affects users that use PJSIP DNS resolver. This vulnerability is related to CVE-2022-24793. The difference is that this issue is in parsing the query record parse_query(), while the issue in CVE-2022-24793 is in parse_rr(). A workaround is to disable DNS resolution in PJSIP config (by setting nameserver_count to zero) or use an external resolver implementation instead.
-----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5438-1 [email protected]://www.debian.org/security/ Markus KoschanyJune 22, 2023 https://www.debian.org/security/faq- -------------------------------------------------------------------------Package : asteriskCVE ID : CVE-2023-27585Debian Bug : 1036697A flaw was found in Asterisk, an Open Source Private Branch Exchange. Abuffer overflow vulnerability affects users that use PJSIP DNS resolver.This vulnerability is related to CVE-2022-24793. The difference is thatthis issue is in parsing the query record `parse_query()`, while the issuein CVE-2022-24793 is in `parse_rr()`. A workaround is to disable DNSresolution in PJSIP config (by setting `nameserver_count` to zero) or usean external resolver implementation instead.For the oldstable distribution (bullseye), this problem has been fixedin version 1:16.28.0~dfsg-0+deb11u3.We recommend that you upgrade your asterisk packages.For the detailed security status of asterisk please refer toits security tracker page at:https://security-tracker.debian.org/tracker/asteriskFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: [email protected] PGP SIGNATURE-----iQKTBAEBCgB9FiEErPPQiO8y7e9qGoNf2a0UuVE7UeQFAmSUwnRfFIAAAAAALgAoaXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEFDRjNEMDg4RUYzMkVERUY2QTFBODM1RkQ5QUQxNEI5NTEzQjUxRTQACgkQ2a0UuVE7UeRsCxAAuFfItEe6Gyu5VcJqSzHQpy+kfbBD1F6msFf7GnNzx4WiJssF5b4eVC4hIm6N4tW6S3YfoymUC4chFy9ifeH10HMruAlWik+h4v/TLEaeBps4UF6JmUkF8ra4ML3NT+vkdaLlFF7jtcDyTZXc0Vhy2wQ51EABX8bd7vUp39UObhZZw6+wJjrT6tCcP7wwMEOkoUCrg3llX/yvtpHqJiYo6yLrtEaoPpLvl2up6cx9FRvuK7E1B2hhPu0HoULxjphtz3Xmccw5kViC7zIo588GXCqIQW0/t6Uh0pYT1aWpWAfViMlpOtZx+PffpvFJy8Vizyp3MQ3yVZSOMrz68uOenXUkh9BbrdMw8AHbZgk/j8mKFbQhGJNfB2098BcmibGF3fPr0g6Ux6dGXlWUF1fMeuChmo5dylZhxmI4/M6wd5sqpHv4+RiEOM4XlROdlRQVToHIBGbwGvFAD7hiv6/wjmOXuY1NafqzCTyX1awMgKcQPqjPrUo1ugWyIQayIG2RhSKC/x8fUn1fr5+kA/KjvjH7pLtlvr2MWhOWV5ryUtuXdqGp5YWGZV5D2gA2sGeeGJgmAZfnzW6iY7/EZcLTnF1uWHGEk5cN/FQIObpqTqmSU2KOYWWmUOOVLAbko9P1aLCUNjj1WOzOMy29nbGBINnQquyW2DkhoaTYW6jjmPc==SDbp-----END PGP SIGNATURE-----
Related news
Ubuntu Security Notice 6422-2 - It was discovered that Ring incorrectly handled certain inputs. If a user or an automated system were tricked into opening a specially crafted input file, a remote attacker could possibly use this issue to execute arbitrary code. It was discovered that Ring incorrectly handled certain inputs. If a user or an automated system were tricked into opening a specially crafted input file, a remote attacker could possibly use this issue to cause a denial of service.
Ubuntu Security Notice 6422-1 - It was discovered that Ring incorrectly handled certain inputs. If a user or an automated system were tricked into opening a specially crafted input file, a remote attacker could possibly use this issue to execute arbitrary code. It was discovered that Ring incorrectly handled certain inputs. If a user or an automated system were tricked into opening a specially crafted input file, a remote attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 18.04 LTS and Ubuntu 20.04 LTS.
PJSIP is a free and open source multimedia communication library written in C. A buffer overflow vulnerability in versions 2.13 and prior affects applications that use PJSIP DNS resolver. It doesn't affect PJSIP users who do not utilise PJSIP DNS resolver. This vulnerability is related to CVE-2022-24793. A patch is available as commit `d1c5e4d` in the `master` branch. A workaround is to disable DNS resolution in PJSIP config (by setting `nameserver_count` to zero) or use an external resolver implementation instead.
Debian Linux Security Advisory 5285-1 - Multiple security vulnerabilities have been found in Asterisk, an Open Source Private Branch Exchange. Buffer overflows and other programming errors could be exploited for information disclosure or the execution of arbitrary code.
Gentoo Linux Security Advisory 202210-37 - Multiple vulnerabilities have been found in PJSIP, the worst of which could result in arbitrary code execution. Versions less than 2.12.1 are affected.
PJSIP is a free and open source multimedia communication library written in C. A buffer overflow vulnerability in versions 2.12 and prior affects applications that uses PJSIP DNS resolution. It doesn't affect PJSIP users who utilize an external resolver. A patch is available in the `master` branch of the `pjsip/pjproject` GitHub repository. A workaround is to disable DNS resolution in PJSIP config (by setting `nameserver_count` to zero) or use an external resolver instead.