aboutsummaryrefslogtreecommitdiffstats
path: root/security
diff options
context:
space:
mode:
authormadpilot <madpilot@FreeBSD.org>2018-06-12 06:57:11 +0800
committermadpilot <madpilot@FreeBSD.org>2018-06-12 06:57:11 +0800
commit735a324826342658442635ff96c2b94464efebe0 (patch)
tree2f34a72c82b95e71dd97306887ede7f64ed7cbd2 /security
parent2ceadbf38d854a336012289aed500663eb370d89 (diff)
downloadfreebsd-ports-gnome-735a324826342658442635ff96c2b94464efebe0.tar.gz
freebsd-ports-gnome-735a324826342658442635ff96c2b94464efebe0.tar.zst
freebsd-ports-gnome-735a324826342658442635ff96c2b94464efebe0.zip
Document new asterisk vulnerabilities.
Diffstat (limited to 'security')
-rw-r--r--security/vuxml/vuln.xml63
1 files changed, 63 insertions, 0 deletions
diff --git a/security/vuxml/vuln.xml b/security/vuxml/vuln.xml
index 9dd53dbd70c8..76d1128d014b 100644
--- a/security/vuxml/vuln.xml
+++ b/security/vuxml/vuln.xml
@@ -58,6 +58,69 @@ Notes:
* Do not forget port variants (linux-f10-libxml2, libxml2, etc.)
-->
<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
+ <vuln vid="0137167b-6dca-11e8-a671-001999f8d30b">
+ <topic>asterisk -- PJSIP endpoint presence disclosure when using ACL</topic>
+ <affects>
+ <package>
+ <name>asterisk13</name>
+ <range><lt>13.21.1</lt></range>
+ </package>
+ <package>
+ <name>asterisk15</name>
+ <range><lt>15.4.1</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>The Asterisk project reports:</p>
+ <blockquote cite="http://www.asterisk.org/downloads/security-advisories">
+ <p> When endpoint specific ACL rules block a SIP request
+ they respond with a 403 forbidden. However, if an endpoint
+ is not identified then a 401 unauthorized response is
+ sent. This vulnerability just discloses which requests
+ hit a defined endpoint. The ACL rules cannot be bypassed
+ to gain access to the disclosed endpoints.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>https://downloads.asterisk.org/pub/security/AST-2018-008.html</url>
+ </references>
+ <dates>
+ <discovery>2018-06-11</discovery>
+ <entry>2018-06-11</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="f14ce57f-6dc8-11e8-a671-001999f8d30b">
+ <topic>asterisk -- Infinite loop when reading iostreams</topic>
+ <affects>
+ <package>
+ <name>asterisk15</name>
+ <range><lt>15.4.1</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>The Asterisk project reports:</p>
+ <blockquote cite="http://www.asterisk.org/downloads/security-advisories">
+ <p>When connected to Asterisk via TCP/TLS if the client
+ abruptly disconnects, or sends a specially crafted message
+ then Asterisk gets caught in an infinite loop while trying
+ to read the data stream. Thus rendering the system as
+ unusable.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>https://downloads.asterisk.org/pub/security/AST-2018-007.html</url>
+ </references>
+ <dates>
+ <discovery>2018-06-11</discovery>
+ <entry>2018-06-11</entry>
+ </dates>
+ </vuln>
+
<vuln vid="4cb49a23-6c89-11e8-8b33-e8e0b747a45a">
<topic>chromium -- Incorrect handling of CSP header</topic>
<affects>