USN-4814-1: Asterisk vulnerabilities
15 March 2021
Asterisk could be made to crash or run programs if it received specially crafted input.
Releases
Packages
- asterisk - Open Source Private Branch Exchange (PBX)
Details
Richard Mudgett discovered that Asterisk did not properly check the length
of input string when setting the user field for PartyB on a CDR. A remote
attacker could use this vulnerability to cause a denial of service (crash)
or potentially execute arbitrary code. (CVE-2017-16671)
Alex Villacis Lasso discovered that Asterisk did not properly check the
length of input string when setting the user field for PartyA on a CDR. A
remote attacker could use this vulnerability to cause a denial of service
(crash) or potentially execute arbitrary code. (CVE-2017-7617)
Update instructions
The problem can be corrected by updating your system to the following package versions:
Ubuntu 16.04
-
asterisk-ooh323
-
1:13.1.0~dfsg-1.1ubuntu4.1+esm1
Available with Ubuntu Pro
-
asterisk-vpb
-
1:13.1.0~dfsg-1.1ubuntu4.1+esm1
Available with Ubuntu Pro
-
asterisk-config
-
1:13.1.0~dfsg-1.1ubuntu4.1+esm1
Available with Ubuntu Pro
-
asterisk-voicemail-imapstorage
-
1:13.1.0~dfsg-1.1ubuntu4.1+esm1
Available with Ubuntu Pro
-
asterisk
-
1:13.1.0~dfsg-1.1ubuntu4.1+esm1
Available with Ubuntu Pro
-
asterisk-dahdi
-
1:13.1.0~dfsg-1.1ubuntu4.1+esm1
Available with Ubuntu Pro
-
asterisk-mp3
-
1:13.1.0~dfsg-1.1ubuntu4.1+esm1
Available with Ubuntu Pro
-
asterisk-voicemail
-
1:13.1.0~dfsg-1.1ubuntu4.1+esm1
Available with Ubuntu Pro
-
asterisk-mobile
-
1:13.1.0~dfsg-1.1ubuntu4.1+esm1
Available with Ubuntu Pro
-
asterisk-mysql
-
1:13.1.0~dfsg-1.1ubuntu4.1+esm1
Available with Ubuntu Pro
-
asterisk-modules
-
1:13.1.0~dfsg-1.1ubuntu4.1+esm1
Available with Ubuntu Pro
-
asterisk-voicemail-odbcstorage
-
1:13.1.0~dfsg-1.1ubuntu4.1+esm1
Available with Ubuntu Pro
In general, a standard system update will make all the necessary changes.