Asterisk
Project Security Advisory -
Product |
Asterisk |
Summary |
Remote crash in res_pjsip_diversion |
Nature of Advisory |
Denial of service |
Susceptibility |
Remote authenticated sessions |
Severity |
Moderate |
Exploits Known |
No |
Reported On |
December 02, 2020 |
Reported By |
Mikhail Ivanov |
Posted On |
December 22, 2020 |
Last Updated On |
December 23, 2020 |
Advisory Contact |
kharwell AT sangoma DOT com |
CVE Name |
CVE-2020-35652 |
Description |
A crash can occur in Asterisk when a SIP 181 response is received that has a Diversion header, which contains a tel-uri. |
Modules Affected |
res_pjsip_diversion.c |
Resolution |
Asterisk now ensures that if it receives a SIP 181 response with a Diversion header that contains a tel-uri a crash does not occur. |
Affected Versions |
||
Product |
Release Series |
|
Asterisk Open Source |
13.X |
13.38.0 |
Asterisk Open Source |
16.X |
16.15.0 |
Asterisk Open Source |
17.X |
17.9.0 |
Asterisk Open Source |
18.X |
18.1.0 |
Corrected In |
|
Product |
Release |
Asterisk Open Source |
13.38.1, 16.15.1, 17.9.1, 18.1.1 |
|
|
Patches |
|
SVN URL |
Revision |
The associated patches for AST-2020-003 also fix this issue. |
Asterisk 13, 16, 17, 18 |
Links |
https://issues.asterisk.org/jira/browse/ASTERISK-29191 |
|
https://downloads.asterisk.org/pub/security/AST-2020-003.html |
Asterisk Project Security Advisories are posted at http://www.asterisk.org/security This document may be superseded by later
versions; if so, the latest version will be posted at
http://downloads.digium.com/pub/security/ |
Revision History |
||
Date |
Editor |
Revisions Made |
December 22, 2020 |
Kevin Harwell |
Initial revision |
December 23, 2020 |
Kevin Harwell |
Added CVE |
Asterisk Project Security
Advisory -
Copyright
©
Permission is hereby granted
to distribute and publish this advisory in its original, unaltered
form.