On Sat, Nov 03, 2018 at 03:54:23PM +0100, Hiltjo Posthuma wrote:
> On Sat, Nov 03, 2018 at 03:13:05PM +0100, Sebastien Marie wrote:
> Hi,
>
> I don't use this particular software,
it is a bit of a thread hijack...
> but I am working on an automated CVE
> checker similar to pkg audit on NetBSD, FreeBSD. It parses the FreeBSD VuXML
> and compares the version ranges against a package list like /usr/ports/INDEX or
> pkg_info.
the package is about pjsua/pjsip/pjproject. It would help if your
references are linked to pjproject instead of Asterisk.
> I think this package was affected by the following issues:
>
> https://downloads.asterisk.org/pub/security/AST-2018-002.html
I only looked at the first issue you mentioned.
CVE-2018-1000098
By crafting an SDP message with an invalid media format
description Asterisk crashes when using the pjsip channel driver
because pjproject's sdp parsing algorithm fails to catch the
invalid media format description.
For that, looking at pjproject, I found it:
issue: https://trac.pjsip.org/repos/ticket/2093
fix: https://trac.pjsip.org/repos/changeset/5741
As I am not really familiar with svn and/or trac, I manually checked if
pjproject-2.8 has the fix applied.
And it does, so the update to 2.8 doesn't have the issue; the package isn't
affected by it.
> https://downloads.asterisk.org/pub/security/AST-2017-009.html
> https://downloads.asterisk.org/pub/security/AST-2017-002.html
> https://downloads.asterisk.org/pub/security/AST-2016-005.html
thanks.
--
Sebastien Marie
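Hiltjo's checker, as described above, parses the FreeBSD VuXML document and compares its version ranges against an installed package list. The following is an added Python sketch of that comparison, written for this page; it is not Hiltjo's or Sebastien's code. The VuXML entry, its `vid`, and the package list are constructed for the demo (the CVE number is the one quoted in the thread), and the version ordering is a simplified dotted comparison rather than the full pkg(8) rules. With a `<lt>2.8</lt>` bound it reports the 2.7.1 package and leaves 2.8 alone, which matches Sebastien's conclusion about the 2.8 update.

```python
import re
import xml.etree.ElementTree as ET

# Constructed VuXML-style sample. It follows the VuXML shape of
# <affects>/<package>/<range> with <lt>/<le>/<gt>/<ge>/<eq> bounds, but the
# entry and its vid are invented for this example, not taken from FreeBSD.
SAMPLE_VUXML = """<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
  <vuln vid="PLACEHOLDER-VID-0001">
    <topic>pjsip -- crash on invalid SDP media format description</topic>
    <affects>
      <package>
        <name>pjsip</name>
        <range><lt>2.8</lt></range>
      </package>
    </affects>
    <references>
      <cvename>CVE-2018-1000098</cvename>
    </references>
  </vuln>
</vuxml>
"""

NS = {"v": "http://www.vuxml.org/apps/vuxml-1"}

# Constructed package list in the "name-version" form pkg_info prints.
SAMPLE_PKG_LIST = ["pjsip-2.7.1", "pjsip-2.8", "openssl-1.1.1"]


def parse_pkg(line):
    """Split 'name-version'; names may contain dashes, the version follows the last one."""
    name, _, version = line.rpartition("-")
    return name, version


def version_key(v):
    """Simplified version ordering (assumption): numeric chunks compare as ints,
    alphabetic chunks as strings. Real pkg(8) adds rules for _/p suffixes and
    epochs that are not needed for this sample."""
    tokens = re.findall(r"\d+|[A-Za-z]+", v)
    return [(0, int(t)) if t.isdigit() else (1, t) for t in tokens]


OPS = {
    "lt": lambda a, b: a < b,
    "le": lambda a, b: a <= b,
    "gt": lambda a, b: a > b,
    "ge": lambda a, b: a >= b,
    "eq": lambda a, b: a == b,
}


def version_in_range(version, range_el):
    """A <range> is a conjunction of bounds; an empty <range> matches every version."""
    vk = version_key(version)
    for bound in range_el:
        tag = bound.tag.split("}")[-1]  # strip the namespace prefix
        if not OPS[tag](vk, version_key(bound.text.strip())):
            return False
    return True


def audit(vuxml_text, pkg_lines):
    """Return (name, version, vid, [cve...]) for every installed package
    that falls inside an affected range of some <vuln> entry."""
    root = ET.fromstring(vuxml_text)
    installed = [parse_pkg(line) for line in pkg_lines]
    findings = []
    for vuln in root.findall("v:vuln", NS):
        vid = vuln.get("vid")
        cves = [c.text for c in vuln.findall("v:references/v:cvename", NS)]
        for pkg in vuln.findall("v:affects/v:package", NS):
            names = {n.text for n in pkg.findall("v:name", NS)}
            ranges = pkg.findall("v:range", NS)
            for name, version in installed:
                if name not in names:
                    continue
                if any(version_in_range(version, r) for r in ranges):
                    findings.append((name, version, vid, cves))
    return findings


if __name__ == "__main__":
    for name, version, vid, cves in audit(SAMPLE_VUXML, SAMPLE_PKG_LIST):
        print(f"{name}-{version} is affected by {vid} ({', '.join(cves)})")
```

Feeding it real `pkg_info` output and the real VuXML file would only need the version ordering replaced with the full pkg(8) comparison; the range logic itself is the same.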