Asterisk Security Team
2017-Nov-08 19:16 UTC
[asterisk-announce] AST-2017-011: Memory leak in pjsip session resource
Asterisk Project Security Advisory - AST-2017-011 Product Asterisk Summary Memory leak in pjsip session resource Nature of Advisory Memory leak Susceptibility Remote Sessions Severity Minor Exploits Known No Reported On October 15, 2017 Reported By Correy Farrell Posted On Last Updated On October 19, 2017 Advisory Contact kharwell AT digium DOT com CVE Name Description A memory leak occurs when an Asterisk pjsip session object is created and that call gets rejected before the session itself is fully established. When this happens the session object never gets destroyed. Resolution Asterisk now releases the session object and all associated memory when a call gets rejected. Affected Versions Product Release Series Asterisk Open Source 13.x 13.5.0+ Asterisk Open Source 14.x All Releases Asterisk Open Source 15.x All Releases Certified Asterisk 13.13 All Releases Corrected In Product Release Asterisk Open Source 13.18.1, 14.7.1, 15.1.1 Certified Asterisk 13.13-cert7 Patches SVN URL Revision http://downloads.asterisk.org/pub/security/AST-2017-011-13.diff Asterisk 13 http://downloads.asterisk.org/pub/security/AST-2017-011-14.diff Asterisk 14 http://downloads.asterisk.org/pub/security/AST-2017-011-15.diff Asterisk 15 http://downloads.asterisk.org/pub/security/AST-2017-011-13.13.diff Certified Asterisk 13.13 Links https://issues.asterisk.org/jira/browse/ASTERISK-27345 Asterisk Project Security Advisories are posted at http://www.asterisk.org/security This document may be superseded by later versions; if so, the latest version will be posted at http://downloads.digium.com/pub/security/AST-2017-011.pdf and http://downloads.digium.com/pub/security/AST-2017-011.html Revision History Date Editor Revisions Made October 19, 2017 Kevin Harwell Initial Revision Asterisk Project Security Advisory - AST-2017-011 Copyright (c) 2017 Digium, Inc. All Rights Reserved. Permission is hereby granted to distribute and publish this advisory in its original, unaltered form.
Maybe Matching Threads
- AST-2017-009: Buffer overflow in pjproject header parsing can cause crash in Asterisk
- AST-2017-010: Buffer overflow in CDR's set user
- AST-2017-014: Crash in PJSIP resource when missing a contact header
- AST-2017-001: Buffer overflow in CDR's set user
- AST-2014-011: Asterisk Susceptibility to POODLE Vulnerability