-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 04 Jan 2024 18:58:50 +0100
Source: asterisk
Binary: asterisk-config asterisk-dev asterisk-doc
Architecture: all
Version: 1:16.28.0~dfsg-0+deb11u4
Distribution: bullseye-security
Urgency: high
Maintainer: all Build Daemon (x86-grnet-02) <buildd_all-x86-grnet-02@buildd.debian.org>
Changed-By: Markus Koschany <apo@debian.org>
Description:
 asterisk-config - Configuration files for Asterisk
 asterisk-dev - Development files for Asterisk
 asterisk-doc - Source code documentation for Asterisk
Changes:
 asterisk (1:16.28.0~dfsg-0+deb11u4) bullseye-security; urgency=high
 .
   * Non-maintainer upload.
   * Fix CVE-2023-37457:
     The 'update' functionality of the PJSIP_HEADER dialplan function can exceed
     the available buffer space for storing the new value of a header. By doing
     so this can overwrite memory or cause a crash. This is not externally
     exploitable, unless dialplan is explicitly written to update a header based
     on data from an outside source. If the 'update' functionality is not used
     the vulnerability does not occur.
   * Fix CVE-2023-38703:
     PJSIP is a free and open source multimedia communication library written in
     C with high level API in C, C++, Java, C#, and Python languages. SRTP is a
     higher level media transport which is stacked upon a lower level media
     transport such as UDP and ICE. Currently a higher level transport is not
     synchronized with its lower level transport that may introduce a
     use-after-free issue. This vulnerability affects applications that have
     SRTP capability (`PJMEDIA_HAS_SRTP` is set) and use underlying media
     transport other than UDP. This vulnerability’s impact may range from
     unexpected application termination to control flow hijack/memory
     corruption.
   * Fix CVE-2023-49294:
     It is possible to read any arbitrary file even when the `live_dangerously`
     option is not enabled.
   * Fix CVE-2023-49786:
     Asterisk is susceptible to a DoS due to a race condition in the hello
     handshake phase of the DTLS protocol when handling DTLS-SRTP for media
     setup. This attack can be done continuously, thus denying new DTLS-SRTP
     encrypted calls during the attack. Abuse of this vulnerability may lead to
     a massive Denial of Service on vulnerable Asterisk servers for calls that
     rely on DTLS-SRTP.
Checksums-Sha1:
 2a00df46db0faf6e900b64d8c4b0500f781ecb61 1771736 asterisk-config_16.28.0~dfsg-0+deb11u4_all.deb
 3916586dbc9ada5631173727218cc27901d5f620 1805868 asterisk-dev_16.28.0~dfsg-0+deb11u4_all.deb
 0a7500f2957533464951430cfc858a004b461c18 910180 asterisk-doc_16.28.0~dfsg-0+deb11u4_all.deb
 0045b50159280126cf5eceb952f47530f562977f 20489 asterisk_16.28.0~dfsg-0+deb11u4_all-buildd.buildinfo
Checksums-Sha256:
 e219eab658552270136c6a07f7a9f3ffbe5a76dff544ab0ab579980ecc987cff 1771736 asterisk-config_16.28.0~dfsg-0+deb11u4_all.deb
 6236d765033d389e40862739043f8ac271f37456c0a2264e32ddc1f43f62a3c1 1805868 asterisk-dev_16.28.0~dfsg-0+deb11u4_all.deb
 efabdd4528beb9da07fb6abd64367c6f3bdb2046e9e9a040c1cf8d70f62e3525 910180 asterisk-doc_16.28.0~dfsg-0+deb11u4_all.deb
 36894f35b9c3bbe88dd49d4cf9a16f06e8026de8497fe27ace1760daef57221e 20489 asterisk_16.28.0~dfsg-0+deb11u4_all-buildd.buildinfo
Files:
 e0a34813f3c561a6507142b75c6e414e 1771736 comm optional asterisk-config_16.28.0~dfsg-0+deb11u4_all.deb
 07d5b4e80a2c563071b9bc661a9a7794 1805868 devel optional asterisk-dev_16.28.0~dfsg-0+deb11u4_all.deb
 d1ede48e0e64c0f6f7f2bd0f3bd90b2d 910180 doc optional asterisk-doc_16.28.0~dfsg-0+deb11u4_all.deb
 4b72a0056103cf5b5203f6e71925e805 20489 comm optional asterisk_16.28.0~dfsg-0+deb11u4_all-buildd.buildinfo
