lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Fri, 04 Mar 2022 20:16:59 +0000 From: "Asterisk Security Team" <security@...erisk.org> To: fulldisclosure@...lists.org Subject: [FD] AST-2022-006: pjproject: unconstrained malformed multipart SIP message Asterisk Project Security Advisory - AST-2022-006 Product Asterisk Summary pjproject: unconstrained malformed multipart SIP message Nature of Advisory Out of bounds memory access Susceptibility Remote unauthenticated sessions Severity Minor Exploits Known Yes Reported On March 3, 2022 Reported By Sauw Ming Posted On March 4, 2022 Last Updated On March 3, 2022 Advisory Contact kharwell AT sangoma DOT com CVE Name CVE-2022-21723 Description If an incoming SIP message contains a malformed multi-part body an out of bounds read access may occur, which can result in undefined behavior. Note, it���s currently uncertain if there is any externally exploitable vector within Asterisk for this issue, but providing this as a security issue out of caution. Modules Affected bundled pjproject Resolution If you use ���with-pjproject-bundled��� then upgrade to, or install one of, the versions of Asterisk listed below. Otherwise install the appropriate version of pjproject that contains the patch. Affected Versions Product Release Series Asterisk Open Source 16.x All versions Asterisk Open Source 18.x All versions Asterisk Open Source 19.x All versions Certified Asterisk 16.x All versions Corrected In Product Release Asterisk Open Source 16.24.1,18.10.1,19.2.1 Certified Asterisk 16.8-cert13 Patches Patch URL Revision https://downloads.digium.com/pub/security/AST-2022-006-16.diff Asterisk 16 https://downloads.digium.com/pub/security/AST-2022-006-18.diff Asterisk 18 https://downloads.digium.com/pub/security/AST-2022-006-19.diff Asterisk 19 https://downloads.digium.com/pub/security/AST-2022-006-16.8.diff Certified Asterisk 16.8 Links https://issues.asterisk.org/jira/browse/ASTERISK-29945 https://downloads.asterisk.org/pub/security/AST-2022-006.html https://github.com/pjsip/pjproject/security/advisories/GHSA-7fw8-54cv-r7pm Asterisk Project Security Advisories are posted at http://www.asterisk.org/security This document may be superseded by later versions; if so, the latest version will be posted at https://downloads.digium.com/pub/security/AST-2022-006.pdf and https://downloads.digium.com/pub/security/AST-2022-006.html Revision History Date Editor Revisions Made March 3, 2022 Kevin Harwell Initial revision Asterisk Project Security Advisory - AST-2022-006 Copyright �� 2022 Digium, Inc. All Rights Reserved. Permission is hereby granted to distribute and publish this advisory in its original, unaltered form. _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists