VoIP Mailing List Archives :: View topic - [asterisk-users] AST-2014-005: Remote Crash in PJSIP Channel Driver's Publish/Subscribe Framework

Sponsor: VoiceMeUp - Corporate & Wholesale VoIP Services

VoIP Mailing List Archives
Mailing list archives for the VoIP community

[asterisk-users] AST-2014-005: Remote Crash in PJSIP Channel Driver's Publish/Subscribe Framework

VoIP Mailing List Archives Forum Index -> Asterisk Users

View previous topic :: View next topic

Author

Message

security at asterisk.org
Guest

Posted: Thu Jun 12, 2014 3:44 pm Post subject: [asterisk-users] AST-2014-005: Remote Crash in PJSIP Channel

Asterisk Project Security Advisory - AST-2014-005 Product Asterisk Summary Remote Crash in PJSIP Channel Driver's Publish/Subscribe Framework Nature of Advisory Denial of Service Susceptibility Remote Unauthenticated Sessions Severity Moderate Exploits Known No Reported On March 17, 2014 Reported By John Bigelow <jbigelow AT digium DOT com> Posted On June 12, 2014 Last Updated On June 12, 2014 Advisory Contact Kevin Harwell <kharwell AT digium DOT com> CVE Name CVE-2014-4045 Description A remotely exploitable crash vulnerability exists in the PJSIP channel driver's pub/sub framework. If an attempt is made to unsubscribe when not currently subscribed and the endpoint's "sub_min_expiry" is set to zero, Asterisk tries to create an expiration timer with zero seconds, which is not allowed, so an assertion raised. Resolution Upgrade to a version with the patch integrated, apply the patch, or make sure the "sub_min_expiry" endpoint configuration option is greater than zero. Affected Versions Product Release Series Asterisk Open Source 12.x All Corrected In Product Release Asterisk Open Source 12.x 12.3.1 Patches SVN URL Revision http://downloads.asterisk.org/pub/security/AST-2014-005-12.diff Asterisk 12 Links https://issues.asterisk.org/jira/browse/ASTERISK-23489 Asterisk Project Security Advisories are posted at http://www.asterisk.org/security This document may be superseded by later versions; if so, the latest version will be posted at http://downloads.digium.com/pub/security/AST-2014-005.pdf and http://downloads.digium.com/pub/security/AST-2014-005.html Revision History Date Editor Revisions Made April 14, 2014 Kevin Harwell Document Creation June 12, 2014 Matt Jordan Added CVE Asterisk Project Security Advisory - AST-2014-005 Copyright (c) 2014 Digium, Inc. All Rights Reserved. Permission is hereby granted to distribute and publish this advisory in its original, unaltered form. -- _____________________________________________________________________ -- Bandwidth and Colocation Provided by http://www.api-digital.com -- New to Asterisk? Join us for a live introductory webinar every Thurs: http://www.asterisk.org/hello asterisk-users mailing list To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users

Display posts from previous:

	VoIP Mailing List Archives Forum Index -> Asterisk Users	All times are GMT - 5 Hours
Page 1 of 1

You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum