[Buildroot] [PATCH] package/asterisk: security bump to version 16.6.2

Peter Korsgaard peter at korsgaard.com
Tue Dec 3 09:49:54 UTC 2019

>>>>> "Peter" == Peter Korsgaard <peter at korsgaard.com> writes:

 > Fixes the following security vulnerabilities:
 > AST-2019-006: SIP request can change address of a SIP peer.
 > A SIP request can be sent to Asterisk that can change a SIP peer’s IP
 > address.  A REGISTER does not need to occur, and calls can be hijacked as a
 > result.  The only thing that needs to be known is the peer’s name;
 > authentication details such as passwords do not need to be known.  This
 > vulnerability is only exploitable when the “nat” option is set to the
 > default, or “auto_force_rport”.

 > https://downloads.asterisk.org/pub/security/AST-2019-006.pdf

 > AST-2019-007: AMI user could execute system commands.
 > A remote authenticated Asterisk Manager Interface (AMI) user without
 > “system” authorization could use a specially crafted “Originate” AMI request
 > to execute arbitrary system commands.

 > https://downloads.asterisk.org/pub/security/AST-2019-007.pdf

 > AST-2019-008: Re-invite with T.38 and malformed SDP causes crash.
 > If Asterisk receives a re-invite initiating T.38 faxing and has a port of 0
 > and no c line in the SDP, a crash will occur.

 > https://downloads.asterisk.org/pub/security/AST-2019-008.pdf

 > Signed-off-by: Peter Korsgaard <peter at korsgaard.com>

Committed to 2019.02.x and 2019.08.x, thanks.

Bye, Peter Korsgaard

More information about the buildroot mailing list