| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <f1551264-526d-4eb6-6ade-14598b9956d1@sangoma.com> Date: Thu, 05 Sep 2024 17:02:09 +0000 From: Asterisk Development Team via Fulldisclosure <fulldisclosure@...lists.org> To: asterisk-dev@...ups.io, voipsec@...psa.org, fulldisclosure@...lists.org, asterisk+news@...coursemail.com Cc: Asterisk Development Team <asteriskteamsa@...goma.com> Subject: [FD] Asterisk Security Release 20.9.3 The Asterisk Development Team would like to announce security release Asterisk 20.9.3. The release artifacts are available for immediate download at https://github.com/asterisk/asterisk/releases/tag/20.9.3 and https://downloads.asterisk.org/pub/telephony/asterisk Repository: https://github.com/asterisk/asterisk Tag: 20.9.3 ## Change Log for Release asterisk-20.9.3 ### Links: - [Full ChangeLog](https://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-20.9.3.md) - [GitHub Diff](https://github.com/asterisk/asterisk/compare/20.9.2...20.9.3) - [Tarball](https://downloads.asterisk.org/pub/telephony/asterisk/asterisk-20.9.3.tar.gz) - [Downloads](https://downloads.asterisk.org/pub/telephony/asterisk) ### Summary: - Commits: 1 - Commit Authors: 1 - Issues Resolved: 0 - Security Advisories Resolved: 1 - [GHSA-v428-g3cw-7hv9](https://github.com/asterisk/asterisk/security/advisories/GHSA-v428-g3cw-7hv9): A malformed Contact or Record-Route URI in an incoming SIP request can cause Asterisk to crash when res_resolver_unbound is used ### User Notes: ### Upgrade Notes: ### Commit Authors: - George Joseph: (1) ## Issue and Commit Detail: ### Closed Issues: - !GHSA-v428-g3cw-7hv9: A malformed Contact or Record-Route URI in an incoming SIP request can cause Asterisk to crash when res_resolver_unbound is used ### Commits By Author: - #### George Joseph (1): - res_resolver_unbound: Test for NULL ub_result in unbound_resolver_callback ### Commit List: - res_resolver_unbound: Test for NULL ub_result in unbound_resolver_callback ### Commit Details: #### res_resolver_unbound: Test for NULL ub_result in unbound_resolver_callback Author: George Joseph Date: 2024-08-12 The ub_result pointer passed to unbound_resolver_callback by libunbound can be NULL if the query was for something malformed like `.1` or `[.1]`. If it is, we now set a 'ns_r_formerr' result and return instead of crashing with a SEGV. This causes pjproject to simply cancel the transaction with a "No answer record in the DNS response" error. The existing "off nominal" unit test was also updated to check this condition. Although not necessary for this fix, we also made ast_dns_resolver_completed() tolerant of a NULL result. Resolves: GHSA-v428-g3cw-7hv9 _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: https://seclists.org/fulldisclosure/
Powered by blists - more mailing lists