[SECURITY] [DLA 1523-1] asterisk security update

2018-09-2713:36:41

lists.debian.org

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

0.617 Medium

EPSS

Percentile

97.8%

JSON

Package : asterisk
Version : 1:11.13.1~dfsg-2+deb8u6
CVE ID : CVE-2018-17281
Debian Bug : 909554

Sean Bright discovered that Asterisk, a PBX and telephony toolkit,
contained a stack overflow vulnerability in the res_http_websocket.so
module that allowed remote attackers to crash Asterisk via specially
crafted HTTP requests to upgrade the connection to a websocket.

For Debian 8 "Jessie", this problem has been fixed in version
1:11.13.1~dfsg-2+deb8u6.

We recommend that you upgrade your asterisk packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

OSVersionArchitecturePackageVersionFilename
Debian9s390xasterisk-mp3< 1:13.14.1~dfsg-2+deb9u4asterisk-mp3_1:13.14.1~dfsg-2+deb9u4_s390x.deb
Debian9mipsasterisk-voicemail-imapstorage< 1:13.14.1~dfsg-2+deb9u4asterisk-voicemail-imapstorage_1:13.14.1~dfsg-2+deb9u4_mips.deb
Debian9allasterisk-doc< 1:13.14.1~dfsg-2+deb9u4asterisk-doc_1:13.14.1~dfsg-2+deb9u4_all.deb
Debian9mipselasterisk-voicemail-dbgsym< 1:13.14.1~dfsg-2+deb9u4asterisk-voicemail-dbgsym_1:13.14.1~dfsg-2+deb9u4_mipsel.deb
Debian9mipselasterisk-vpb-dbgsym< 1:13.14.1~dfsg-2+deb9u4asterisk-vpb-dbgsym_1:13.14.1~dfsg-2+deb9u4_mipsel.deb
Debian9ppc64elasterisk-modules< 1:13.14.1~dfsg-2+deb9u4asterisk-modules_1:13.14.1~dfsg-2+deb9u4_ppc64el.deb
Debian9mipsasterisk-voicemail-imapstorage-dbgsym< 1:13.14.1~dfsg-2+deb9u4asterisk-voicemail-imapstorage-dbgsym_1:13.14.1~dfsg-2+deb9u4_mips.deb
Debian8amd64asterisk-vpb< 1:11.13.1~dfsg-2+deb8u6asterisk-vpb_1:11.13.1~dfsg-2+deb8u6_amd64.deb
Debian9amd64asterisk-mp3-dbgsym< 1:13.14.1~dfsg-2+deb9u4asterisk-mp3-dbgsym_1:13.14.1~dfsg-2+deb9u4_amd64.deb
Debian9armelasterisk-voicemail-imapstorage< 1:13.14.1~dfsg-2+deb9u4asterisk-voicemail-imapstorage_1:13.14.1~dfsg-2+deb9u4_armel.deb

OS	Version	Architecture	Package	Version	Filename
Debian	9	s390x	asterisk-mp3	< 1:13.14.1~dfsg-2+deb9u4	asterisk-mp3_1:13.14.1~dfsg-2+deb9u4_s390x.deb
Debian	9	mips	asterisk-voicemail-imapstorage	< 1:13.14.1~dfsg-2+deb9u4	asterisk-voicemail-imapstorage_1:13.14.1~dfsg-2+deb9u4_mips.deb
Debian	9	all	asterisk-doc	< 1:13.14.1~dfsg-2+deb9u4	asterisk-doc_1:13.14.1~dfsg-2+deb9u4_all.deb
Debian	9	mipsel	asterisk-voicemail-dbgsym	< 1:13.14.1~dfsg-2+deb9u4	asterisk-voicemail-dbgsym_1:13.14.1~dfsg-2+deb9u4_mipsel.deb
Debian	9	mipsel	asterisk-vpb-dbgsym	< 1:13.14.1~dfsg-2+deb9u4	asterisk-vpb-dbgsym_1:13.14.1~dfsg-2+deb9u4_mipsel.deb
Debian	9	ppc64el	asterisk-modules	< 1:13.14.1~dfsg-2+deb9u4	asterisk-modules_1:13.14.1~dfsg-2+deb9u4_ppc64el.deb
Debian	9	mips	asterisk-voicemail-imapstorage-dbgsym	< 1:13.14.1~dfsg-2+deb9u4	asterisk-voicemail-imapstorage-dbgsym_1:13.14.1~dfsg-2+deb9u4_mips.deb
Debian	8	amd64	asterisk-vpb	< 1:11.13.1~dfsg-2+deb8u6	asterisk-vpb_1:11.13.1~dfsg-2+deb8u6_amd64.deb
Debian	9	amd64	asterisk-mp3-dbgsym	< 1:13.14.1~dfsg-2+deb9u4	asterisk-mp3-dbgsym_1:13.14.1~dfsg-2+deb9u4_amd64.deb
Debian	9	armel	asterisk-voicemail-imapstorage	< 1:13.14.1~dfsg-2+deb9u4	asterisk-voicemail-imapstorage_1:13.14.1~dfsg-2+deb9u4_armel.deb