[Buildroot] [PATCH] asterisk: security bump to version 14.6.2

Peter Korsgaard peter at korsgaard.com
Mon Jan 8 21:54:18 UTC 2018


>>>>> "Peter" == Peter Korsgaard <peter at korsgaard.com> writes:

 > Fixes the following security issues:
 > 14.6.1:

 > * AST-2017-005 (applied to all released versions): The "strictrtp" option in
 >   rtp.conf enables a feature of the RTP stack that learns the source address
 >   of media for a session and drops any packets that do not originate from
 >   the expected address.  This option is enabled by default in Asterisk 11
 >   and above.  The "nat" and "rtp_symmetric" options for chan_sip and
 >   chan_pjsip respectively enable symmetric RTP support in the RTP stack.
 >   This uses the source address of incoming media as the target address of
 >   any sent media.  This option is not enabled by default but is commonly
 >   enabled to handle devices behind NAT.

 >   A change was made to the strict RTP support in the RTP stack to better
 >   tolerate late media when a reinvite occurs.  When combined with the
 >   symmetric RTP support this introduced an avenue where media could be
 >   hijacked.  Instead of only learning a new address when expected the new
 >   code allowed a new source address to be learned at all times.

 >   If a flood of RTP traffic was received the strict RTP support would allow
 >   the new address to provide media and with symmetric RTP enabled outgoing
 >   traffic would be sent to this new address, allowing the media to be
 >   hijacked.  Provided the attacker continued to send traffic they would
 >   continue to receive traffic as well.

 > * AST-2017-006 (applied to all released versions): The app_minivm module has
 >   an “externnotify” program configuration option that is executed by the
 >   MinivmNotify dialplan application.  The application uses the caller-id
 >   name and number as part of a built string passed to the OS shell for
 >   interpretation and execution.  Since the caller-id name and number can
 >   come from an untrusted source, a crafted caller-id name or number allows
 >   an arbitrary shell command injection.

 > * AST-2017-007 (applied only to 13.17.1 and 14.6.1): A carefully crafted URI
 >   in a From, To or Contact header could cause Asterisk to crash

 > For more details, see the announcement:
 > https://www.asterisk.org/downloads/asterisk-news/asterisk-11252-13171-1461-116-cert17-1313-cert5-now-available-security

 > 14.6.2:

 > * AST-2017-008: Insufficient RTCP packet validation could allow reading
 >   stale buffer contents and when combined with the “nat” and “symmetric_rtp”
 >   options allow redirecting where Asterisk sends the next RTCP report.

 >   The RTP stream qualification to learn the source address of media always
 >   accepted the first RTP packet as the new source and allowed what
 >   AST-2017-005 was mitigating.  The intent was to qualify a series of
 >   packets before accepting the new source address.

 > For more details, see the announcement:
 > https://www.asterisk.org/downloads/asterisk-news/asterisk-11253-13172-1462-116-cert18-1313-cert6-now-available-security

 > Drop 0004-configure-in-cross-complation-assimne-eventfd-are-av.patch as this
 > is now handled differently upstream (by disabling eventfd for cross
 > compilation, see commit 2e927990b3d2 (eventfd: Disable during cross
 > compilation)).  If eventfd support is needed then this should be submitted
 > upstream.

 > Signed-off-by: Peter Korsgaard <peter at korsgaard.com>

Committed to 2017.11.x, thanks.

-- 
Bye, Peter Korsgaard
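As an added illustration of the behaviour AST-2017-005 and AST-2017-008 describe (this is not Asterisk code and is not part of the original message): a toy model of strict RTP source learning combined with symmetric RTP. The class, its field names, LEARN_COUNT=4 and the rule that a packet from the currently learned source interrupts a qualification run are assumptions chosen to mirror the advisory text, not the real rtp_engine.c logic; the endpoints and packet sequences are constructed samples. With learn_always=True (the regression AST-2017-005 fixed) a single packet from any address redirects outgoing media; with learn_count=1 (what AST-2017-008 fixed) the first packet after a reinvite still wins; with both fixed the attacker's flood is dropped while a genuine address change after a reinvite is still learned.

```python
"""Toy model of strict RTP source learning with symmetric RTP.

Illustration written for this discussion; it is not Asterisk code.  The
class, its field names, LEARN_COUNT and the "a packet from the current
source interrupts a qualification run" rule are assumptions chosen to
mirror the behaviour the advisories describe, not the real rtp_engine.c logic.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

Addr = Tuple[str, int]   # (ip, port)

# Constructed sample endpoints (RFC 5737 documentation ranges).
PEER = ("198.51.100.7", 4000)
ATTACKER = ("203.0.113.9", 5000)

LEARN_COUNT = 4   # assumed: in-sequence packets needed before a new source is accepted


@dataclass
class RtpPacket:
    src: Addr
    seq: int


@dataclass
class StrictRtpSession:
    symmetric: bool = True          # "nat"/"rtp_symmetric": send media to the learned source
    learn_always: bool = False      # AST-2017-005 regression: learn a new source at any time
    learn_count: int = LEARN_COUNT  # 1 reproduces AST-2017-008: the first packet is enough
    expected: Optional[Addr] = None  # learned media source
    target: Optional[Addr] = None    # where our own media is sent
    learning: bool = True            # open at session start and after a reinvite
    candidate: Optional[Addr] = None
    candidate_seq: int = -1
    candidate_hits: int = 0
    delivered: List[RtpPacket] = field(default_factory=list)
    dropped: int = 0

    def reinvite(self) -> None:
        """A reinvite is the one moment a new source is legitimately expected."""
        self.learning = True
        self._reset_candidate()

    def _reset_candidate(self) -> None:
        self.candidate = None
        self.candidate_seq = -1
        self.candidate_hits = 0

    def _accept_source(self, addr: Addr) -> None:
        self.expected = addr
        self.learning = False
        self._reset_candidate()
        if self.symmetric:
            self.target = addr   # symmetric RTP: reply to wherever media came from

    def receive(self, pkt: RtpPacket) -> bool:
        """Return True if the packet is delivered to the call, False if dropped."""
        if self.expected is not None and pkt.src == self.expected:
            self.delivered.append(pkt)
            self._reset_candidate()  # the live source interrupts any qualification run
            return True
        if not (self.learning or self.learn_always):
            self.dropped += 1        # strict RTP: unknown source outside a learning window
            return False
        # Qualification: count consecutive, in-sequence packets from one candidate.
        if pkt.src == self.candidate and pkt.seq == self.candidate_seq + 1:
            self.candidate_hits += 1
        else:
            self.candidate = pkt.src
            self.candidate_hits = 1
        self.candidate_seq = pkt.seq
        if self.candidate_hits >= self.learn_count:
            self._accept_source(pkt.src)
            self.delivered.append(pkt)
            return True
        self.dropped += 1            # model choice: hold media until the source qualifies
        return False


def hijack_attempt(session: StrictRtpSession, flood: int = 4) -> Optional[Addr]:
    """Peer establishes the stream, then an attacker floods; returns the final send target."""
    for seq in range(1, session.learn_count + 1):
        session.receive(RtpPacket(PEER, seq))
    for seq in range(900, 900 + flood):
        session.receive(RtpPacket(ATTACKER, seq))
    return session.target


if __name__ == "__main__":
    print("learn at all times, one packet :", hijack_attempt(StrictRtpSession(learn_always=True, learn_count=1)))
    print("learn only when expected       :", hijack_attempt(StrictRtpSession(learn_count=1)))
    print("plus qualification             :", hijack_attempt(StrictRtpSession()))
```

Qualification raises the cost rather than removing the risk: an attacker now needs an uninterrupted in-sequence run while a learning window is open, instead of one packet at any time, which is why limiting learning to the moments a new source is expected matters as much as the packet count.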
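As an added illustration of the AST-2017-006 class of bug (not app_minivm code, and not part of the original message): the same caller-id handed to an externnotify-style program three ways, through a concatenated shell string, through an argv list, and through a shlex-quoted shell string. EXTERNNOTIFY here is a stand-in (echo, so the demo is harmless to run) and the caller-id values are constructed.

```python
"""Shell injection through a caller-id passed to an "externnotify"-style hook.

Illustration added for this discussion, not app_minivm code.  EXTERNNOTIFY is
a stand-in for the configured notification program; echo is used so the demo
is harmless, and the caller-id values are constructed samples.
"""
import shlex
import shutil
import subprocess

EXTERNNOTIFY = shutil.which("echo") or "/bin/echo"   # assumed stand-in program


def notify_vulnerable(cid_name: str, cid_num: str) -> str:
    """Concatenate caller-id into one command line and let /bin/sh interpret it.

    Mirrors the flaw described in AST-2017-006: untrusted caller-id text reaches
    the shell unquoted, so ';', '|', '$(...)' and friends are executed.
    """
    cmd = f"{EXTERNNOTIFY} {cid_name} {cid_num}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def notify_fixed(cid_name: str, cid_num: str) -> str:
    """Hand the program an argv list; no shell ever parses the caller-id."""
    proc = subprocess.run([EXTERNNOTIFY, cid_name, cid_num],
                          capture_output=True, text=True)
    return proc.stdout


def notify_fixed_shell(cid_name: str, cid_num: str) -> str:
    """If a shell really is required, quote every untrusted token so each
    caller-id value is a single literal word to the shell."""
    cmd = shlex.join([EXTERNNOTIFY, cid_name, cid_num])
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


# Constructed malicious caller-id: a name that terminates the command and
# starts a second one.  A real payload would run something worse than echo.
CID_NAME = "Alice; echo INJECTED"
CID_NUM = "5551234"

if __name__ == "__main__":
    print("shell string :", repr(notify_vulnerable(CID_NAME, CID_NUM)))
    print("argv list    :", repr(notify_fixed(CID_NAME, CID_NUM)))
    print("shlex.join   :", repr(notify_fixed_shell(CID_NAME, CID_NUM)))
```

The argv form is the one to prefer: it removes the shell from the path entirely, whereas quoting only stays safe as long as every untrusted token is quoted every time.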