[SECURITY] [DLA 1122-1] asterisk security update

2017-10-0513:03:23

lists.debian.org

7.5 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

10 High

AI Score

Confidence

High

0.961 High

EPSS

Percentile

99.5%

JSON

Package : asterisk
Version : 1:1.8.13.1~dfsg1-3+deb7u7
CVE ID : CVE-2017-14100
Debian Bug : 873908

A security vulnerability was discovered in Asterisk, an Open
Source PBX and telephony toolkit, that may lead to unauthorized
command execution.

The app_minivm module has an "externnotify" program configuration option
that is executed by the MinivmNotify dialplan application. The
application uses the caller-id name and number as part of a built
string passed to the OS shell for interpretation and execution. Since
the caller-id name and number can come from an untrusted source, a
crafted caller-id name or number allows an arbitrary shell command
injection.

For Debian 7 "Wheezy", these problems have been fixed in version
1:1.8.13.1~dfsg1-3+deb7u7.

We recommend that you upgrade your asterisk packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

OSVersionArchitecturePackageVersionFilename
Debian9mipselasterisk-ooh323< 1:13.14.1~dfsg-2+deb9u1asterisk-ooh323_1:13.14.1~dfsg-2+deb9u1_mipsel.deb
Debian9amd64asterisk-dahdi-dbgsym< 1:13.14.1~dfsg-2+deb9u1asterisk-dahdi-dbgsym_1:13.14.1~dfsg-2+deb9u1_amd64.deb
Debian8amd64asterisk< 1:11.13.1~dfsg-2+deb8u3asterisk_1:11.13.1~dfsg-2+deb8u3_amd64.deb
Debian9arm64asterisk-voicemail-imapstorage-dbgsym< 1:13.14.1~dfsg-2+deb9u1asterisk-voicemail-imapstorage-dbgsym_1:13.14.1~dfsg-2+deb9u1_arm64.deb
Debian9armhfasterisk-voicemail-odbcstorage< 1:13.14.1~dfsg-2+deb9u1asterisk-voicemail-odbcstorage_1:13.14.1~dfsg-2+deb9u1_armhf.deb
Debian9arm64asterisk-voicemail-odbcstorage< 1:13.14.1~dfsg-2+deb9u1asterisk-voicemail-odbcstorage_1:13.14.1~dfsg-2+deb9u1_arm64.deb
Debian9i386asterisk-mobile< 1:13.14.1~dfsg-2+deb9u1asterisk-mobile_1:13.14.1~dfsg-2+deb9u1_i386.deb
Debian8i386asterisk-voicemail< 1:11.13.1~dfsg-2+deb8u3asterisk-voicemail_1:11.13.1~dfsg-2+deb8u3_i386.deb
Debian9armelasterisk< 1:13.14.1~dfsg-2+deb9u1asterisk_1:13.14.1~dfsg-2+deb9u1_armel.deb
Debian8powerpcasterisk-voicemail-odbcstorage< 1:11.13.1~dfsg-2+deb8u3asterisk-voicemail-odbcstorage_1:11.13.1~dfsg-2+deb8u3_powerpc.deb

OS	Version	Architecture	Package	Version	Filename
Debian	9	mipsel	asterisk-ooh323	< 1:13.14.1~dfsg-2+deb9u1	asterisk-ooh323_1:13.14.1~dfsg-2+deb9u1_mipsel.deb
Debian	9	amd64	asterisk-dahdi-dbgsym	< 1:13.14.1~dfsg-2+deb9u1	asterisk-dahdi-dbgsym_1:13.14.1~dfsg-2+deb9u1_amd64.deb
Debian	8	amd64	asterisk	< 1:11.13.1~dfsg-2+deb8u3	asterisk_1:11.13.1~dfsg-2+deb8u3_amd64.deb
Debian	9	arm64	asterisk-voicemail-imapstorage-dbgsym	< 1:13.14.1~dfsg-2+deb9u1	asterisk-voicemail-imapstorage-dbgsym_1:13.14.1~dfsg-2+deb9u1_arm64.deb
Debian	9	armhf	asterisk-voicemail-odbcstorage	< 1:13.14.1~dfsg-2+deb9u1	asterisk-voicemail-odbcstorage_1:13.14.1~dfsg-2+deb9u1_armhf.deb
Debian	9	arm64	asterisk-voicemail-odbcstorage	< 1:13.14.1~dfsg-2+deb9u1	asterisk-voicemail-odbcstorage_1:13.14.1~dfsg-2+deb9u1_arm64.deb
Debian	9	i386	asterisk-mobile	< 1:13.14.1~dfsg-2+deb9u1	asterisk-mobile_1:13.14.1~dfsg-2+deb9u1_i386.deb
Debian	8	i386	asterisk-voicemail	< 1:11.13.1~dfsg-2+deb8u3	asterisk-voicemail_1:11.13.1~dfsg-2+deb8u3_i386.deb
Debian	9	armel	asterisk	< 1:13.14.1~dfsg-2+deb9u1	asterisk_1:13.14.1~dfsg-2+deb9u1_armel.deb
Debian	8	powerpc	asterisk-voicemail-odbcstorage	< 1:11.13.1~dfsg-2+deb8u3	asterisk-voicemail-odbcstorage_1:11.13.1~dfsg-2+deb8u3_powerpc.deb