asterisk: Multiple vulnerabilities (CVE-2018-19278, CVE-2019-7251, CVE-2019-12827, CVE-2019-13161, CVE-2019-15297, CVE-2019-15639)
ID: oval:org.secpod.oval:def:59760 | Date: (C)2019-12-03 (M)2022-06-01 |
Class: PATCH | Family: unix |
There is a buffer overflow vulnerability in the dns_srv and dns_naptr functions of Asterisk that allows an attacker to crash Asterisk via a specially crafted DNS SRV or NAPTR response. The attacker's request causes Asterisk to segfault and crash.
When Asterisk makes an outgoing call, a very specific SDP protocol violation by the remote party can cause Asterisk to crash.
A specially crafted SIP in-dialog MESSAGE message can cause Asterisk to crash. This requires Asterisk to initiate a T.38 reinvite, which is only done when executing the ReceiveFax dialplan application or performing T.38 passthrough where a remote endpoint has requested T.38.
When Asterisk sends a re-invite initiating T.38 faxing and the endpoint responds with a declined media stream, a crash will then occur in Asterisk.
Platform: |
Alpine Linux 3.10 |
Alpine Linux 3.8 |
Alpine Linux 3.9 |
Alpine Linux 3.7 |