#991931 CVE-2021-32686 / AST-2021-009: pjproject/pjsip: crash when SSL socket destroyed during handshake

Package:
src:asterisk
Source:
asterisk
Submitter:
Bernhard Schmidt
Date:
2022-07-01 17:03:11 UTC
Severity:
serious
Tags:
#991931#5
Date:
2021-08-06 08:02:53 UTC
https://downloads.asterisk.org/pub/security/AST-2021-009.html

Summary:     		pjproject/pjsip: crash when SSL socket destroyed during handshake
Nature of Advisory:	Denial of service
Susceptibility:		Remote unauthenticated sessions
Severity:		Major
Exploits Known:		Yes

Description
| Depending on the timing, it’s possible for Asterisk to crash when using a TLS
| connection if the underlying socket parent/listener gets destroyed during the
| handshake.

#991931#16
Date:
2021-08-06 14:33:30 UTC
We believe that the bug you reported is fixed in the latest version of
asterisk, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 991931@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Bernhard Schmidt <berni@debian.org> (supplier of updated asterisk package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Fri, 06 Aug 2021 15:35:20 +0200
Source: asterisk
Architecture: source
Version: 1:16.16.1~dfsg-2
Distribution: unstable
Urgency: high
Maintainer: Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>
Changed-By: Bernhard Schmidt <berni@debian.org>
Closes: 991710 991931
Changes:
 asterisk (1:16.16.1~dfsg-2) unstable; urgency=high
 .
   * CVE-2021-32558 / AST-2021-008 (Closes: #991710)
     If the IAX2 channel driver receives a packet that contains an unsupported
     media format it can cause a crash to occur in Asterisk
   * CVE-2021-32686 / AST-2021-009 (Closes: #991931)
     pjproject/pjsip: crash when SSL socket destroyed during handshake
Checksums-Sha1:
 fb0b4469160b4de496c70f11651d8200e78f54ed 4201 asterisk_16.16.1~dfsg-2.dsc
 090a55a66d48f81af44ab87c05ff298f2f5b6904 5953392 asterisk_16.16.1~dfsg-2.debian.tar.xz
 56f3f97ccdc63b567a1470e4e8177c73b87fc10d 27220 asterisk_16.16.1~dfsg-2_amd64.buildinfo
Checksums-Sha256:
 101fed7a56cd8ff8134a259ab9ace703ec668d3a3c49ccfe8642660678039d1c 4201 asterisk_16.16.1~dfsg-2.dsc
 e71bd3ba072e972fae139e4034b1cb754462d87e6497bf2110bdd20b8b8db75d 5953392 asterisk_16.16.1~dfsg-2.debian.tar.xz
 21b31488ea06d219818303f3c9e8829b0a0d1c551c9276e00a24758548cfa89e 27220 asterisk_16.16.1~dfsg-2_amd64.buildinfo
Files:
 64f9639acc462fe9f4317ecd1fff4064 4201 comm optional asterisk_16.16.1~dfsg-2.dsc
 c9f8767a901f071ccc9cb1601b0d0716 5953392 comm optional asterisk_16.16.1~dfsg-2.debian.tar.xz
 4f3170154c94066df1d4dea5f5ebb5a2 27220 comm optional asterisk_16.16.1~dfsg-2_amd64.buildinfo

#991931#23
Date:
2022-07-01 17:02:07 UTC
We believe that the bug you reported is fixed in the latest version of
asterisk, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 991931@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Bernhard Schmidt <berni@debian.org> (supplier of updated asterisk package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Mon, 09 Aug 2021 08:48:31 +0200
Source: asterisk
Architecture: source
Version: 1:16.16.1~dfsg-1+deb11u1
Distribution: bullseye-security
Urgency: medium
Maintainer: Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>
Changed-By: Bernhard Schmidt <berni@debian.org>
Closes: 991710 991931
Changes:
 asterisk (1:16.16.1~dfsg-1+deb11u1) bullseye-security; urgency=medium
 .
   * CVE-2021-32558 / AST-2021-008 (Closes: #991710)
     If the IAX2 channel driver receives a packet that contains an unsupported
     media format it can cause a crash to occur in Asterisk
   * CVE-2021-32686 / AST-2021-009 (Closes: #991931)
     pjproject/pjsip: crash when SSL socket destroyed during handshake
   * d/gbp.conf for Bullseye branch
Checksums-Sha1:
 084c8ebf5f267ac172504bebbd7648f4cfecc1d3 4233 asterisk_16.16.1~dfsg-1+deb11u1.dsc
 f0b46a4eabe561df5c690f73862746fa01d67739 7055724 asterisk_16.16.1~dfsg.orig.tar.xz
 5ac73590577b4821d18dd3515e7522f09199d316 5953420 asterisk_16.16.1~dfsg-1+deb11u1.debian.tar.xz
 19ba4db88523dbc91f4b20d23f50e056ec6a0d95 27939 asterisk_16.16.1~dfsg-1+deb11u1_amd64.buildinfo
Checksums-Sha256:
 ad664a54385066c5032e2fe29e7113922d0c8b68a9251169f1703edea90eb09e 4233 asterisk_16.16.1~dfsg-1+deb11u1.dsc
 42268f21025a0fab9288f616951609f8b10118fb63e35fae80e7d110eb5dda6e 7055724 asterisk_16.16.1~dfsg.orig.tar.xz
 25eac97078e99ce9dc345da75639d5e9bb5cc0b9c9a50dd447e45c246491a70a 5953420 asterisk_16.16.1~dfsg-1+deb11u1.debian.tar.xz
 071bb9c82ca6552570066d273e028738ea4ee73d4b26805e782da42326a4aca5 27939 asterisk_16.16.1~dfsg-1+deb11u1_amd64.buildinfo
Files:
 37c0ba19cc3012535930dc4d4e52014d 4233 comm optional asterisk_16.16.1~dfsg-1+deb11u1.dsc
 ad421903a111f0a43e25d64b7aadc2e9 7055724 comm optional asterisk_16.16.1~dfsg.orig.tar.xz
 4647ac3e939cfed2fea75b27139d9467 5953420 comm optional asterisk_16.16.1~dfsg-1+deb11u1.debian.tar.xz
 db5b862051a9cfecfc678a47857905d4 27939 comm optional asterisk_16.16.1~dfsg-1+deb11u1_amd64.buildinfo