Все бюллетени/sisyphus/ALT-PU-2023-8733-1
ALT-PU-2023-8733-1

Обновление пакета asterisk в ветке sisyphus

Версия20.5.1-alt1
Задание#336503
Опубликовано2023-12-15
Макс. серьёзностьHIGH
Серьёзность:

Закрытые проблемы (6)

BDU:2023-08816
HIGH7.5

Уязвимость реализации протоколов DTLS (Datagram Transport Layer Security) и SRTP (Secure Real-time Transport Protocol) систем управления IP-телефонией Asterisk и Certified Asterisk, позволяющая нарушителю вызвать отказ в обслуживании

Опубликовано: 2023-12-19Изменено: 2024-08-12
CVSS 3.xВЫСОКАЯ 7.5
CVSS:3.x/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS 2.0ВЫСОКАЯ 7.8
CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:N/A:C
Ссылки
BDU:2023-08817
HIGH7.5

Уязвимость функции PJSIP_HEADER() систем управления IP-телефонией Asterisk и Certified Asterisk, позволяющая нарушителю вызвать отказ в обслуживании

Опубликовано: 2023-12-19Изменено: 2024-08-12
CVSS 3.xВЫСОКАЯ 7.5
CVSS:3.x/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS 2.0ВЫСОКАЯ 7.8
CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:N/A:C
Ссылки
BDU:2023-08871
MEDIUM4.9

Уязвимость интерфейса AMI (Asterisk Managment Interface) систем управления IP-телефонией Asterisk и Certified Asterisk, позволяющая нарушителю получить доступ на чтение произвольных файлов

Опубликовано: 2023-12-19Изменено: 2024-08-12
CVSS 3.xСРЕДНЯЯ 4.9
CVSS:3.x/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
CVSS 2.0СРЕДНЯЯ 6.1
CVSS:2.0/AV:N/AC:L/Au:M/C:C/I:N/A:N
Ссылки
CVE-2023-37457
HIGH8.2

Asterisk is an open source private branch exchange and telephony toolkit. In Asterisk versions 18.20.0 and prior, 20.5.0 and prior, and 21.0.0; as well as ceritifed-asterisk 18.9-cert5 and prior, the 'update' functionality of the PJSIP_HEADER dialplan function can exceed the available buffer space for storing the new value of a header. By doing so this can overwrite memory or cause a crash. This is not externally exploitable, unless dialplan is explicitly written to update a header based on data from an outside source. If the 'update' functionality is not used the vulnerability does not occur. A patch is available at commit a1ca0268254374b515fa5992f01340f7717113fa.

Опубликовано: 2023-12-14Изменено: 2024-11-21
CVSS 3.xВЫСОКАЯ 8.2
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H
Ссылки
CVE-2023-49294
HIGH7.5

Asterisk is an open source private branch exchange and telephony toolkit. In Asterisk prior to versions 18.20.1, 20.5.1, and 21.0.1, as well as certified-asterisk prior to 18.9-cert6, it is possible to read any arbitrary file even when the `live_dangerously` is not enabled. This allows arbitrary files to be read. Asterisk versions 18.20.1, 20.5.1, and 21.0.1, as well as certified-asterisk prior to 18.9-cert6, contain a fix for this issue.

Опубликовано: 2023-12-14Изменено: 2024-11-21
CVSS 3.xВЫСОКАЯ 7.5
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Ссылки
CVE-2023-49786
MEDIUM5.9

Asterisk is an open source private branch exchange and telephony toolkit. In Asterisk prior to versions 18.20.1, 20.5.1, and 21.0.1; as well as certified-asterisk prior to 18.9-cert6; Asterisk is susceptible to a DoS due to a race condition in the hello handshake phase of the DTLS protocol when handling DTLS-SRTP for media setup. This attack can be done continuously, thus denying new DTLS-SRTP encrypted calls during the attack. Abuse of this vulnerability may lead to a massive Denial of Service on vulnerable Asterisk servers for calls that rely on DTLS-SRTP. Commit d7d7764cb07c8a1872804321302ef93bf62cba05 contains a fix, which is part of versions 18.20.1, 20.5.1, 21.0.1, amd 18.9-cert6.

Опубликовано: 2023-12-14Изменено: 2024-11-21
CVSS 3.xСРЕДНЯЯ 5.9
CVSS:3.x/CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Ссылки