Asterisk Security Team
2019-Jul-11 21:45 UTC
[asterisk-announce] AST-2019-002: Remote crash vulnerability with MESSAGE messages
Asterisk Project Security Advisory - AST-2019-002

Product               Asterisk
Summary               Remote crash vulnerability with MESSAGE messages
Nature of Advisory    Denial Of Service
Susceptibility        Remote Authenticated Sessions
Severity              Low
Exploits Known        No
Reported On           June 13, 2019
Reported By           Gil Richard
Posted On             June 14, 2019
Last Updated On       George Joseph
Advisory Contact      gjoseph AT digium DOT com
CVE Name              CVE-2019-12827

Description
    A specially crafted SIP in-dialog MESSAGE message can cause Asterisk
    to crash.

Resolution
    Upgrade Asterisk to a fixed version.

Affected Versions
    Product                  Release Series    
    Certified Asterisk       13.21-cert        All releases
    Asterisk Open Source     13.x              All releases
    Asterisk Open Source     15.x              All releases
    Asterisk Open Source     16.x              All releases

Corrected In
    Product                  Release
    Certified Asterisk       13.21-cert4
    Asterisk Open Source     13.27.1
    Asterisk Open Source     15.7.3
    Asterisk Open Source     16.4.1

Patches
    SVN URL                                                               Revision
    http://downloads.asterisk.org/pub/security/AST-2019-002-13.21.diff    Certified Asterisk 13.21-cert4
    http://downloads.asterisk.org/pub/security/AST-2019-002-13.diff       Asterisk 13
    http://downloads.asterisk.org/pub/security/AST-2019-002-15.diff       Asterisk 15
    http://downloads.asterisk.org/pub/security/AST-2019-002-16.diff       Asterisk 16

Links
    https://issues.asterisk.org/jira/browse/ASTERISK-28447

Asterisk Project Security Advisories are posted at
http://www.asterisk.org/security

This document may be superseded by later versions; if so, the latest
version will be posted at
http://downloads.digium.com/pub/security/AST-2019-002.pdf and
http://downloads.digium.com/pub/security/AST-2019-002.html

Revision History
    Date             Editor           Revisions Made
    June 14, 2019    George Joseph    Initial revision

Asterisk Project Security Advisory - AST-2019-002
Copyright © 2018 Digium, Inc. All Rights Reserved.
Permission is hereby granted to distribute and publish this advisory in its
original, unaltered form.