FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.

The last vuln.xml file processed by FreshPorts is:

Revision:  456560
Date:      2017-12-17
Time:      18:50:00Z
Committer: zeising

List all Vulnerabilities, by package

List all Vulnerabilities, by date

These are the vulnerabilities relating to the commit you have selected:

VuXML IDDescription
0537afa3-3ce0-11e7-bf9d-001999f8d30basterisk -- Buffer Overrun in PJSIP transaction layer

The Asterisk project reports:

A remote crash can be triggered by sending a SIP packet to Asterisk with a specially crafted CSeq header and a Via header with no branch parameter. The issue is that the PJSIP RFC 2543 transaction key generation algorithm does not allocate a large enough buffer. By overrunning the buffer, the memory allocation table becomes corrupted, leading to an eventual crash.

The multi-part body parser in PJSIP contains a logical error that can make certain multi-part body parts attempt to read memory from outside the allowed boundaries. A specially-crafted packet can trigger these invalid reads and potentially induce a crash.

This issues is in PJSIP, and so the issue can be fixed without performing an upgrade of Asterisk at all. However, we are releasing a new version of Asterisk with the bundled PJProject updated to include the fix.

If you are running Asterisk with chan_sip, this issue does not affect you.


Discovery 2017-04-12
Entry 2017-05-19
asterisk13
lt 13.15.1

pjsip
lt 2.6_1

pjsip-extsrtp
lt 2.6_1

http://downloads.asterisk.org/pub/security/AST-2017-002.html
http://downloads.asterisk.org/pub/security/AST-2017-003.html