Security Information / 2017 / Security Information -- DSA-3990-1 asterisk

Debian Security Advisory

DSA-3990-1 asterisk -- security update

Date Reported:

03 Oct 2017

Affected Packages:

asterisk

Vulnerable:

Yes

Security database references:

In Mitre's CVE dictionary: CVE-2017-14603.

More information:

Klaus-Peter Junghann discovered that insufficient validation of RTCP packets in Asterisk may result in an information leak. Please see the upstream advisory at http://downloads.asterisk.org/pub/security/AST-2017-008.html for additional details.

For the oldstable distribution (jessie), this problem has been fixed in version 1:11.13.1~dfsg-2+deb8u4.

For the stable distribution (stretch), this problem has been fixed in version 1:13.14.1~dfsg-2+deb9u2.

We recommend that you upgrade your asterisk packages.