svn commit: r472214 - head/security/vuxml
Guido Falsi
madpilot at FreeBSD.org
Mon Jun 11 22:57:12 UTC 2018
Author: madpilot
Date: Mon Jun 11 22:57:11 2018
New Revision: 472214
URL: https://svnweb.freebsd.org/changeset/ports/472214
Log:
Document new asterisk vulnerabilities.
Modified:
head/security/vuxml/vuln.xml
Modified: head/security/vuxml/vuln.xml
==============================================================================
--- head/security/vuxml/vuln.xml Mon Jun 11 22:50:00 2018 (r472213)
+++ head/security/vuxml/vuln.xml Mon Jun 11 22:57:11 2018 (r472214)
@@ -58,6 +58,69 @@ Notes:
* Do not forget port variants (linux-f10-libxml2, libxml2, etc.)
-->
<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
+ <vuln vid="0137167b-6dca-11e8-a671-001999f8d30b">
+ <topic>asterisk -- PJSIP endpoint presence disclosure when using ACL</topic>
+ <affects>
+ <package>
+ <name>asterisk13</name>
+ <range><lt>13.21.1</lt></range>
+ </package>
+ <package>
+ <name>asterisk15</name>
+ <range><lt>15.4.1</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>The Asterisk project reports:</p>
+ <blockquote cite="http://www.asterisk.org/downloads/security-advisories">
+ <p> When endpoint specific ACL rules block a SIP request
+ they respond with a 403 forbidden. However, if an endpoint
+ is not identified then a 401 unauthorized response is
+ sent. This vulnerability just discloses which requests
+ hit a defined endpoint. The ACL rules cannot be bypassed
+ to gain access to the disclosed endpoints.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>https://downloads.asterisk.org/pub/security/AST-2018-008.html</url>
+ </references>
+ <dates>
+ <discovery>2018-06-11</discovery>
+ <entry>2018-06-11</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="f14ce57f-6dc8-11e8-a671-001999f8d30b">
+ <topic>asterisk -- Infinite loop when reading iostreams</topic>
+ <affects>
+ <package>
+ <name>asterisk15</name>
+ <range><lt>15.4.1</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>The Asterisk project reports:</p>
+ <blockquote cite="http://www.asterisk.org/downloads/security-advisories">
+ <p>When connected to Asterisk via TCP/TLS if the client
+ abruptly disconnects, or sends a specially crafted message
+ then Asterisk gets caught in an infinite loop while trying
+ to read the data stream. Thus rendering the system as
+ unusable.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>https://downloads.asterisk.org/pub/security/AST-2018-007.html</url>
+ </references>
+ <dates>
+ <discovery>2018-06-11</discovery>
+ <entry>2018-06-11</entry>
+ </dates>
+ </vuln>
+
<vuln vid="4cb49a23-6c89-11e8-8b33-e8e0b747a45a">
<topic>chromium -- Incorrect handling of CSP header</topic>
<affects>
More information about the svn-ports-all
mailing list