[Buildroot] [PATCH] package/asterisk: security bump to version 16.6.2
peter at korsgaard.com
Tue Dec 3 09:49:54 UTC 2019
>>>>> "Peter" == Peter Korsgaard <peter at korsgaard.com> writes:
> Fixes the following security vulnerabilities:
> AST-2019-006: SIP request can change address of a SIP peer.
> A SIP request can be sent to Asterisk that can change a SIP peer’s IP
> address. A REGISTER does not need to occur, and calls can be hijacked as a
> result. The only thing that needs to be known is the peer’s name;
> authentication details such as passwords do not need to be known. This
> vulnerability is only exploitable when the “nat” option is set to the
> default, or “auto_force_rport”.
> AST-2019-007: AMI user could execute system commands.
> A remote authenticated Asterisk Manager Interface (AMI) user without
> “system” authorization could use a specially crafted “Originate” AMI request
> to execute arbitrary system commands.
> AST-2019-008: Re-invite with T.38 and malformed SDP causes crash.
> If Asterisk receives a re-invite initiating T.38 faxing and has a port of 0
> and no c line in the SDP, a crash will occur.
> Signed-off-by: Peter Korsgaard <peter at korsgaard.com>
Committed to 2019.02.x and 2019.08.x, thanks.
Bye, Peter Korsgaard
More information about the buildroot