lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Thu, 22 Jul 2021 22:53:11 +0000
From: "Asterisk Security Team" <>
Subject: [FD] AST-2021-007: Remote Crash Vulnerability in PJSIP channel

               Asterisk Project Security Advisory - AST-2021-007

          Product        Asterisk                                             
          Summary        Remote Crash Vulnerability in PJSIP channel driver   
    Nature of Advisory   Denial of Service                                    
      Susceptibility     Remote Authenticated Sessions                        
         Severity        Moderate                                             
      Exploits Known     No                                                   
        Reported On      April 6, 2021                                        
        Reported By      Ivan Poddubny                                        
         Posted On       
      Last Updated On    July 6, 2021                                         
     Advisory Contact    Jcolp AT sangoma DOT com                             
         CVE Name        CVE-2021-31878                                       

      Description     When Asterisk receives a re-INVITE without SDP after    
                      having sent a BYE request a crash will occur. This      
                      occurs due to the Asterisk channel no longer being      
                      present while code assumes it is.                       
    Modules Affected  res_pjsip_session.c                                     

    Resolution  Upgrade to one of the fixed versions of Asterisk or apply     
                the appropriate patch.                                        

                               Affected Versions
             Product           Release Series  
      Asterisk Open Source          16.x       16.17.0, 16.18.0, 16.19.0      
      Asterisk Open Source          18.x       18.3.0, 18.4.0, 18.5.0         

                                  Corrected In
                   Product                              Release               
             Asterisk Open Source                   16.19.1, 18.5.1           

                              Patch URL                             Revision  Asterisk  
                                                                    16     Asterisk  


    Asterisk Project Security Advisories are posted at                                                             
    This document may be superseded by later versions; if so, the latest      
    version will be posted at                                             and                      

                                Revision History
          Date                 Editor                  Revisions Made         
    April 28, 2021     Joshua Colp              Initial revision              

               Asterisk Project Security Advisory - AST-2021-007
               Copyright �� 2021 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in its
                           original, unaltered form.

Sent through the Full Disclosure mailing list
Web Archives & RSS:

Powered by blists - more mailing lists