Debian Long Term Support / LTS Security Information / 2017 / Security Information -- DLA-1122-1 asterisk

Debian Security Advisory

DLA-1122-1 asterisk -- LTS security update

Date Reported:

05 Oct 2017

Affected Packages:

asterisk

Vulnerable:

Yes

Security database references:

In the Debian bugtracking system: Bug 873908.
In Mitre's CVE dictionary: CVE-2017-14100.

More information:

A security vulnerability was discovered in Asterisk, an Open Source PBX and telephony toolkit, that may lead to unauthorized command execution.

The app_minivm module has an externnotify program configuration option that is executed by the MinivmNotify dialplan application. The application uses the caller-id name and number as part of a built string passed to the OS shell for interpretation and execution. Since the caller-id name and number can come from an untrusted source, a crafted caller-id name or number allows an arbitrary shell command injection.

For Debian 7 Wheezy, these problems have been fixed in version 1:1.8.13.1~dfsg1-3+deb7u7.

We recommend that you upgrade your asterisk packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS