Source: asterisk
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for asterisk.

CVE-2022-24764[0]:
| PJSIP is a free and open source multimedia communication library
| written in C. Versions 2.12 and prior contain a stack buffer overflow
| vulnerability that affects PJSUA2 users or users that call the API
| `pjmedia_sdp_print(), pjmedia_sdp_media_print()`. Applications that do
| not use PJSUA2 and do not directly call `pjmedia_sdp_print()` or
| `pjmedia_sdp_media_print()` should not be affected. A patch is
| available on the `master` branch of the `pjsip/pjproject` GitHub
| repository. There are currently no known workarounds.

https://github.com/pjsip/pjproject/security/advisories/GHSA-f5qg-pqcg-765m
https://github.com/pjsip/pjproject/commit/560a1346f87aabe126509bb24930106dea292b00

CVE-2022-24763[1]:
| PJSIP is a free and open source multimedia communication library
| written in the C language. Versions 2.12 and prior contain a
| denial-of-service vulnerability that affects PJSIP users that consume
| PJSIP's XML parsing in their apps. Users are advised to update. There
| are no known workarounds.

https://github.com/pjsip/pjproject/security/advisories/GHSA-5x45-qp78-g4p4
https://github.com/pjsip/pjproject/commit/856f87c2e97a27b256482dbe0d748b1194355a21

CVE-2022-24786[2]:
| PJSIP is a free and open source multimedia communication library
| written in C. PJSIP versions 2.12 and prior do not parse incoming RTCP
| feedback RPSI (Reference Picture Selection Indication) packet, but any
| app that directly uses pjmedia_rtcp_fb_parse_rpsi() will be affected.
| A patch is available in the `master` branch of the `pjsip/pjproject`
| GitHub repository. There are currently no known workarounds.

https://github.com/pjsip/pjproject/security/advisories/GHSA-vhxv-phmx-g52q
https://github.com/pjsip/pjproject/commit/11559e49e65bdf00922ad5ae28913ec6a198d508

CVE-2022-24792[3]:
| PJSIP is a free and open source multimedia communication library
| written in C. A denial-of-service vulnerability affects applications
| on a 32-bit systems that use PJSIP versions 2.12 and prior to
| play/read invalid WAV files. The vulnerability occurs when reading WAV
| file data chunks with length greater than 31-bit integers. The
| vulnerability does not affect 64-bit apps and should not affect apps
| that only plays trusted WAV files. A patch is available on the
| `master` branch of the `pjsip/project` GitHub repository. As a
| workaround, apps can reject a WAV file received from an unknown source
| or validate the file first.

https://github.com/pjsip/pjproject/security/advisories/GHSA-rwgw-vwxg-q799
https://github.com/pjsip/pjproject/commit/947bc1ee6d05be10204b918df75a503415fd3213

CVE-2022-24793[4]:
| PJSIP is a free and open source multimedia communication library
| written in C. A buffer overflow vulnerability in versions 2.12 and
| prior affects applications that uses PJSIP DNS resolution. It doesn't
| affect PJSIP users who utilize an external resolver. A patch is
| available in the `master` branch of the `pjsip/pjproject` GitHub
| repository. A workaround is to disable DNS resolution in PJSIP config
| (by setting `nameserver_count` to zero) or use an external resolver
| instead.

https://github.com/pjsip/pjproject/security/advisories/GHSA-p6g5-v97c-w5q4
https://github.com/pjsip/pjproject/commit/9fae8f43accef8ea65d4a8ae9cdf297c46cfe29a

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-24764
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24764
[1] https://security-tracker.debian.org/tracker/CVE-2022-24763
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24763
[2] https://security-tracker.debian.org/tracker/CVE-2022-24786
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24786
[3] https://security-tracker.debian.org/tracker/CVE-2022-24792
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24792
[4] https://security-tracker.debian.org/tracker/CVE-2022-24793
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24793

Please adjust the affected versions in the BTS as needed.
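The CVE-2022-24792 advisory above suggests validating an untrusted WAV file before handing it to the media library. The following is an added example of such a pre-check, written for this report and not taken from PJSIP or Asterisk: it walks the RIFF chunk list and rejects any chunk whose declared length exceeds what a signed 32-bit integer can hold (the 31-bit limit the advisory names) or runs past the end of the buffer. The function names and the constructed sample file are this example's own.

```c
/* Added example, not PJSIP code: reject WAV files whose chunk lengths
 * would overflow a 31-bit length on a 32-bit build, before the media
 * library ever reads them. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Little-endian 32-bit read with no alignment assumptions. */
static uint32_t rd_le32(const unsigned char *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Returns 1 when every RIFF chunk length fits in a signed 32-bit int and
 * lies inside the buffer, 0 when the file should be rejected. */
int wav_chunks_are_sane(const unsigned char *buf, size_t len) {
    size_t pos = 12;                                /* "RIFF" size "WAVE" */
    if (len < 12 || memcmp(buf, "RIFF", 4) != 0 || memcmp(buf + 8, "WAVE", 4) != 0)
        return 0;
    if (rd_le32(buf + 4) > (uint32_t)INT32_MAX)     /* RIFF size itself */
        return 0;
    while (pos + 8 <= len) {                        /* 4-byte id + 4-byte length */
        uint32_t clen = rd_le32(buf + pos + 4);
        if (clen > (uint32_t)INT32_MAX) return 0;   /* negative as a 32-bit int */
        if (clen > len - pos - 8) return 0;         /* chunk runs past the file */
        pos += 8 + clen + (clen & 1);               /* chunks are word-aligned */
    }
    return 1;                                       /* trailing <8 bytes ignored */
}

/* Constructed sample (hypothetical data): RIFF/WAVE header plus one "data"
 * chunk whose length field says `declared` but which carries `actual`
 * zero bytes. Returns the validator's verdict. */
int check_constructed_wav(uint32_t declared, size_t actual) {
    unsigned char buf[128];
    size_t len;
    if (actual > sizeof buf - 20) actual = sizeof buf - 20;
    len = 20 + actual;
    memset(buf, 0, sizeof buf);
    memcpy(buf, "RIFF", 4);
    buf[4] = (unsigned char)(len - 8); buf[5] = buf[6] = buf[7] = 0;
    memcpy(buf + 8, "WAVE", 4);
    memcpy(buf + 12, "data", 4);
    buf[16] = (unsigned char)declared;         buf[17] = (unsigned char)(declared >> 8);
    buf[18] = (unsigned char)(declared >> 16); buf[19] = (unsigned char)(declared >> 24);
    return wav_chunks_are_sane(buf, len);
}
```

The check only guards chunk lengths; format-specific fields (sample rate, channel count) still need the library's own parsing.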