FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.

The last vuln.xml file processed by FreshPorts is:

Revision:  454765
Date:      2017-11-23
Time:      15:06:25Z
Committer: woodsb02

List all Vulnerabilities, by package

List all Vulnerabilities, by date

These are the vulnerabilities relating to the commit you have selected:

VuXML IDDescription
0537afa3-3ce0-11e7-bf9d-001999f8d30basterisk -- Buffer Overrun in PJSIP transaction layer

The Asterisk project reports:

A remote crash can be triggered by sending a SIP packet to Asterisk with a specially crafted CSeq header and a Via header with no branch parameter. The issue is that the PJSIP RFC 2543 transaction key generation algorithm does not allocate a large enough buffer. By overrunning the buffer, the memory allocation table becomes corrupted, leading to an eventual crash.

The multi-part body parser in PJSIP contains a logical error that can make certain multi-part body parts attempt to read memory from outside the allowed boundaries. A specially-crafted packet can trigger these invalid reads and potentially induce a crash.

This issues is in PJSIP, and so the issue can be fixed without performing an upgrade of Asterisk at all. However, we are releasing a new version of Asterisk with the bundled PJProject updated to include the fix.

If you are running Asterisk with chan_sip, this issue does not affect you.


Discovery 2017-04-12
Entry 2017-05-19
asterisk13
lt 13.15.1

pjsip
lt 2.6_1

pjsip-extsrtp
lt 2.6_1

http://downloads.asterisk.org/pub/security/AST-2017-002.html
http://downloads.asterisk.org/pub/security/AST-2017-003.html
e21474c6-031a-11e6-aa86-001999f8d30bPJSIP -- TCP denial of service in PJProject

The Asterisk project reports:

PJProject has a limit on the number of TCP connections that it can accept. Furthermore, PJProject does not close TCP connections it accepts. By default, this value is approximately 60.

An attacker can deplete the number of allowed TCP connections by opening TCP connections and sending no data to Asterisk.

If PJProject has been compiled in debug mode, then once the number of allowed TCP connections has been depleted, the next attempted TCP connection to Asterisk will crash due to an assertion in PJProject.

If PJProject has not been compiled in debug mode, then any further TCP connection attempts will be rejected. This makes Asterisk unable to process TCP SIP traffic.

Note that this only affects TCP/TLS, since UDP is connectionless.


Discovery 2016-02-15
Entry 2016-04-15
pjsip
le 2.4.5

pjsip-extsrtp
le 2.4.5

http://downloads.asterisk.org/pub/security/AST-2016-005.html