Asterisk Project Security Advisory -
Product | Asterisk
Summary | Crash when negotiating for T.38 with a declined stream
Nature of Advisory | Remote Crash
Susceptibility | Remote Authenticated Sessions
Severity | Minor
Exploits Known | No
Reported On | August 05, 2019
Reported By | Alexei Gradinari
Posted On | September 05, 2019
Last Updated On |
Advisory Contact | kharwell AT sangoma DOT com
CVE Name | CVE-2019-15297
Description | When Asterisk sends a re-invite initiating T.38 faxing and the endpoint responds with a declined media stream, Asterisk crashes.
Modules Affected | res_pjsip_t38.c
Resolution | If T.38 faxing is not required, setting the “t38_udptl” configuration option on the endpoint to “no” disables this functionality. This option defaults to “no”, so you must have explicitly set it to “yes” to potentially be affected by this issue. Otherwise, if T.38 faxing is required, Asterisk should be upgraded to a fixed version.
Affected Versions
Product | Release Series |
Asterisk Open Source | 15.x | All releases
Asterisk Open Source | 16.x | All releases
Corrected In
Product | Release
Asterisk Open Source | 15.7.4, 16.5.1
Patches
SVN URL | Revision
http://downloads.asterisk.org/pub/security/AST-2019-004-15.diff | Asterisk 15
http://downloads.asterisk.org/pub/security/AST-2019-004-16.diff | Asterisk 16
Links
Asterisk Project Security Advisories are posted at http://www.asterisk.org/security
This document may be superseded by later versions; if so, the latest version will be posted at http://downloads.digium.com/pub/security/
Revision History
Date | Editor | Revisions Made
August 28, 2019 | Kevin Harwell | Initial revision
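The check described under Resolution, as an added example (not part of the advisory or of the Asterisk project's code): a Python audit that lists the endpoints in a pjsip.conf whose effective “t38_udptl” is enabled, resolving template inheritance. The sample configuration, its section names and the function names are constructed for illustration.

```python
import re

TRUE_VALUES = {"yes", "true", "y", "t", "1", "on"}  # strings Asterisk's ast_true() accepts
HEADER = re.compile(r"^\[([^\]]+)\]\s*(?:\(([^)]*)\))?")  # [name], [name](!), [name](tmpl)

def parse(text):
    """Return (sections, templates). #include and ;-- block comments are not handled."""
    sections, cur = [], None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop ';' comments
        m = HEADER.match(line)
        if m:
            flags = [f.strip() for f in (m.group(2) or "").split(",") if f.strip()]
            cur = {"name": m.group(1).strip(), "template": "!" in flags,
                   "parents": [f for f in flags if f != "!"], "opts": {}}
            sections.append(cur)  # a list: [6001] endpoint and [6001] auth stay separate
        elif cur is not None and "=" in line:
            key, value = line.split("=", 1)
            cur["opts"][key.strip().lower()] = value.lstrip(">").strip().lower()
    return sections, {s["name"]: s for s in sections if s["template"]}

def effective(section, templates, seen=()):  # inherited options first, own values win
    merged = {}
    for parent in section["parents"]:
        if parent in templates and parent not in seen:  # 'seen' guards against cycles
            merged.update(effective(templates[parent], templates, seen + (parent,)))
    merged.update(section["opts"])
    return merged

def t38_endpoints(text):  # non-template endpoints with t38_udptl enabled (default "no")
    sections, templates = parse(text)
    resolved = [(s["name"], effective(s, templates)) for s in sections if not s["template"]]
    return [name for name, o in resolved
            if o.get("type") == "endpoint" and o.get("t38_udptl", "no") in TRUE_VALUES]

# Constructed sample configuration, not taken from the advisory.
SAMPLE = """\
[fax-tmpl](!)
type = endpoint
t38_udptl = yes
[6001](fax-tmpl)
[6001]
type = auth
[6002](fax-tmpl)
t38_udptl = no      ; explicit override of the template
[6003]
type = endpoint     ; t38_udptl not set
"""
print(t38_endpoints(SAMPLE))
```

Endpoints the audit reports are the ones that need either “t38_udptl” set to “no” or an upgrade to a release listed under Corrected In.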
Copyright ©
Permission is hereby granted to distribute and publish this advisory in its original, unaltered form.