FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.

The VUXML data was last processed by FreshPorts on 2024-03-27 18:04:16 UTC

List all Vulnerabilities, by package

List all Vulnerabilities, by date

k68

These are the vulnerabilities relating to the commit you have selected:

VuXML IDDescription
359f615d-a9e1-11e1-8a66-14dae9ebcf89asterisk -- multiple vulnerabilities

Asterisk project reports:

Remote crash vulnerability in IAX2 channel driver.

Skinny Channel Driver Remote Crash Vulnerability


Discovery 2012-05-29
Entry 2012-05-29
Modified 2012-05-29
asterisk16
gt 1.6.* le 1.6.2.24

asterisk18
gt 1.8.* lt 1.8.12.1

asterisk10
gt 10.* lt 10.4.1

CVE-2012-2947
http://downloads.digium.com/pub/security/AST-2012-007.html
CVE-2012-2948
http://downloads.digium.com/pub/security/AST-2012-008.html
https://www.asterisk.org/security
964c5460-9c66-11ec-ad3a-001999f8d30basterisk -- multiple vulnerabilities

The Asterisk project reports:

AST-2022-004 - The header length on incoming STUN messages that contain an ERROR-CODE attribute is not properly checked. This can result in an integer underflow. Note, this requires ICE or WebRTC support to be in use with a malicious remote party.

AST-2022-005 - When acting as a UAC, and when placing an outgoing call to a target that then forks Asterisk may experience undefined behavior (crashes, hangs, etc) after a dialog set is prematurely freed.

AST-2022-006 - If an incoming SIP message contains a malformed multi-part body an out of bounds read access may occur, which can result in undefined behavior. Note, its currently uncertain if there is any externally exploitable vector within Asterisk for this issue, but providing this as a security issue out of caution.


Discovery 2022-03-03
Entry 2022-03-05
asterisk16
< 16.24.1

asterisk18
< 18.10.1

CVE-2021-37706
CVE-2022-23608
CVE-2022-21723
https://downloads.asterisk.org/pub/security/AST-2022-004.html
https://downloads.asterisk.org/pub/security/AST-2022-005.html
https://downloads.asterisk.org/pub/security/AST-2022-006.html
f7c87a8a-55d5-11e2-a255-c8600054b392asterisk -- multiple vulnerabilities

Asterisk project reports:

Crashes due to large stack allocations when using TCP

Denial of Service Through Exploitation of Device State Caching


Discovery 2013-01-02
Entry 2013-01-03
asterisk11
gt 11.* lt 11.1.2

asterisk10
gt 10.* lt 10.11.1

asterisk18
gt 1.8.* lt 1.8.19.1

CVE-2012-5976
CVE-2012-5977
http://downloads.digium.com/pub/security/AST-2012-014.html
http://downloads.digium.com/pub/security/AST-2012-015.html
https://www.asterisk.org/security
03159886-a8a3-11e3-8f36-0025905a4771asterisk -- multiple vulnerabilities

The Asterisk project reports:

Stack Overflow in HTTP Processing of Cookie Headers. Sending a HTTP request that is handled by Asterisk with a large number of Cookie headers could overflow the stack. You could even exhaust memory if you sent an unlimited number of headers in the request.

Denial of Service Through File Descriptor Exhaustion with chan_sip Session-Timers. An attacker can use all available file descriptors using SIP INVITE requests. Asterisk will respond with code 400, 420, or 422 for INVITEs meeting this criteria. Each INVITE meeting these conditions will leak a channel and several file descriptors. The file descriptors cannot be released without restarting Asterisk which may allow intrusion detection systems to be bypassed by sending the requests slowly.

Remote Crash Vulnerability in PJSIP channel driver. A remotely exploitable crash vulnerability exists in the PJSIP channel driver if the "qualify_frequency" configuration option is enabled on an AOR and the remote SIP server challenges for authentication of the resulting OPTIONS request. The response handling code wrongly assumes that a PJSIP endpoint will always be associated with an outgoing request which is incorrect.


Discovery 2014-03-10
Entry 2014-03-10
asterisk11
< 11.8.1

asterisk18
< 1.8.26.1

CVE-2014-2286
CVE-2014-2287
CVE-2014-2288
http://downloads.asterisk.org/pub/security/AST-2014-001.pdf
http://downloads.asterisk.org/pub/security/AST-2014-002.pdf
http://downloads.asterisk.org/pub/security/AST-2014-003.pdf
https://www.asterisk.org/security
4c53f007-f2ed-11e1-a215-14dae9ebcf89asterisk -- multiple vulnerabilities

Asterisk project reports:

Asterisk Manager User Unauthorized Shell Access

ACL rules ignored when placing outbound calls by certain IAX2 users


Discovery 2012-08-30
Entry 2012-08-30
asterisk
gt 10.* lt 10.7.1

asterisk18
gt 1.8.* lt 1.8.15.1

CVE-2012-2186
CVE-2012-4737
http://downloads.digium.com/pub/security/AST-2012-012.html
http://downloads.digium.com/pub/security/AST-2012-013.html
https://www.asterisk.org/security
972fe546-1fb6-11eb-b9d4-001999f8d30basterisk -- Remote crash in res_pjsip_session

The Asterisk project reports:

Upon receiving a new SIP Invite, Asterisk did not return the created dialog locked or referenced. This caused a gap between the creation of the dialog object, and its next use by the thread that created it. Depending upon some off nominal circumstances, and timing it was possible for another thread to free said dialog in this gap. Asterisk could then crash when the dialog object, or any of its dependent objects were de-referenced, or accessed next by the initial creation thread.


Discovery 2020-11-05
Entry 2020-11-05
asterisk13
< 13.37.1

asterisk16
< 16.14.1

asterisk18
< 18.0.1

https://downloads.asterisk.org/pub/security/AST-2020-001.html
4c1ac2dd-c788-11e1-be25-14dae9ebcf89asterisk -- multiple vulnerabilities

Asterisk project reports:

Possible resource leak on uncompleted re-invite transactions.

Remote crash vulnerability in voice mail application.


Discovery 2012-07-05
Entry 2012-07-06
Modified 2012-08-30
asterisk
gt 10.* lt 10.5.2

asterisk18
gt 1.8.* lt 1.8.13.1

CVE-2012-3812
http://downloads.digium.com/pub/security/AST-2012-010.html
http://downloads.digium.com/pub/security/AST-2012-011.html
https://www.asterisk.org/security
53fbffe6-ebf7-11eb-aef1-0897988a1c07asterisk -- pjproject/pjsip: crash when SSL socket destroyed during handshake

The Asterisk project reports:

Depending on the timing, it's possible for Asterisk to crash when using a TLS connection if the underlying socket parent/listener gets destroyed during the handshake.


Discovery 2021-05-05
Entry 2021-07-23
asterisk13
< 13.38.3

asterisk16
< 16.19.1

asterisk18
< 18.5.1

CVE-2021-32686
https://downloads.asterisk.org/pub/security/AST-2021-009.html
6adf6ce0-44a6-11eb-95b7-001999f8d30basterisk -- Remote crash in res_pjsip_diversion

The Asterisk project reports:

AST-2020-003: A crash can occur in Asterisk when a SIP message is received that has a History-Info header, which contains a tel-uri.

AST-2020-004: A crash can occur in Asterisk when a SIP 181 response is received that has a Diversion header, which contains a tel-uri.


Discovery 2020-12-02
Entry 2020-12-22
asterisk13
< 13.38.1

asterisk16
< 16.15.1

asterisk18
< 18.1.1

https://downloads.asterisk.org/pub/security/AST-2020-003.html
https://downloads.asterisk.org/pub/security/AST-2020-004.html
29b7f0be-1fb7-11eb-b9d4-001999f8d30basterisk -- Outbound INVITE loop on challenge with different nonce

The Asterisk project reports:

If Asterisk is challenged on an outbound INVITE and the nonce is changed in each response, Asterisk will continually send INVITEs in a loop. This causes Asterisk to consume more and more memory since the transaction will never terminate (even if the call is hung up), ultimately leading to a restart or shutdown of Asterisk. Outbound authentication must be configured on the endpoint for this to occur.


Discovery 2020-11-05
Entry 2020-11-05
asterisk13
< 13.37.1

asterisk16
< 16.14.1

asterisk18
< 18.0.1

https://downloads.asterisk.org/pub/security/AST-2020-002.html
1c5abbe2-8d7f-11e1-a374-14dae9ebcf89asterisk -- multiple vulnerabilities

Asterisk project reports:

Remote Crash Vulnerability in SIP Channel Driver

Heap Buffer Overflow in Skinny Channel Driver

Asterisk Manager User Unauthorized Shell Access


Discovery 2012-04-23
Entry 2012-04-23
asterisk16
gt 1.6.* lt 1.6.2.24

asterisk18
gt 1.8.* lt 1.8.11.1

asterisk10
gt 10.* lt 10.3.1

http://downloads.digium.com/pub/security/AST-2012-004.html
CVE-2012-2414
http://downloads.digium.com/pub/security/AST-2012-005.html
CVE-2012-2415
http://downloads.digium.com/pub/security/AST-2012-006.html
CVE-2012-2416
9e8f0766-7d21-11eb-a2be-001999f8d30basterisk -- Crash when negotiating T.38 with a zero port

The Asterisk project reports:

When Asterisk sends a re-invite initiating T.38 faxing and the endpoint responds with a m=image line and zero port, a crash will occur in Asterisk. This is a reoccurrence of AST-2019-004.


Discovery 2021-02-20
Entry 2021-03-04
asterisk16
< 16.16.2

asterisk18
< 18.2.2

CVE-2019-15297
https://downloads.asterisk.org/pub/security/AST-2021-006.html
1bb2826b-7229-11eb-8386-001999f8d30basterisk -- Remote Crash Vulnerability in PJSIP channel driver

The Asterisk project reports:

Given a scenario where an outgoing call is placed from Asterisk to a remote SIP server it is possible for a crash to occur.


Discovery 2021-02-08
Entry 2021-02-18
asterisk13
< 13.38.2

asterisk16
< 16.16.1

asterisk18
< 18.2.1

CVE-2021-26906
https://downloads.asterisk.org/pub/security/AST-2021-005.html
0c39bafc-6771-11e3-868f-0025905a4771asterisk -- multiple vulnerabilities

The Asterisk project reports:

A 16 bit SMS message that contains an odd message length value will cause the message decoding loop to run forever. The message buffer is not on the stack but will be overflowed resulting in corrupted memory and an immediate crash.

External control protocols, such as the Asterisk Manager Interface, often have the ability to get and set channel variables; this allows the execution of dialplan functions. Dialplan functions within Asterisk are incredibly powerful, which is wonderful for building applications using Asterisk. But during the read or write execution, certain diaplan functions do much more. For example, reading the SHELL() function can execute arbitrary commands on the system Asterisk is running on. Writing to the FILE() function can change any file that Asterisk has write access to. When these functions are executed from an external protocol, that execution could result in a privilege escalation.


Discovery 2013-12-16
Entry 2013-12-17
asterisk10
< 10.12.4

asterisk11
< 11.6.1

asterisk18
< 1.8.24.1

CVE-2013-7100
http://downloads.asterisk.org/pub/security/AST-2013-006.pdf
http://downloads.asterisk.org/pub/security/AST-2013-007.pdf
https://www.asterisk.org/security
a5de43ed-bc49-11ec-b516-0897988a1c07Asterisk -- func_odbc: Possible SQL Injection

The Asterisk project reports:

Some databases can use backslashes to escape certain characters, such as backticks. If input is provided to func_odbc which includes backslashes it is possible for func_odbc to construct a broken SQL query and the SQL query to fail.


Discovery 2022-04-14
Entry 2022-04-14
asterisk16
< 16.25.2

asterisk18
< 18.11.2

CVE-2022-26651
https://downloads.asterisk.org/pub/security/AST-2022-003.html
fb3455be-ebf6-11eb-aef1-0897988a1c07asterisk -- Remote crash when using IAX2 channel driver

The Asterisk project reports:

If the IAX2 channel driver receives a packet that contains an unsupported media format it can cause a crash to occur in Asterisk.


Discovery 2021-04-13
Entry 2021-07-23
asterisk13
< 13.38.3

asterisk16
< 16.19.1

asterisk18
< 18.5.1

CVE-2021-32558
https://downloads.asterisk.org/pub/security/AST-2021-008.html
8838abf0-bc47-11ec-b516-0897988a1c07Asterisk -- multiple vulnerabilities

The Asterisk project reports:

AST-2022-001 - When using STIR/SHAKEN, its possible to download files that are not certificates. These files could be much larger than what you would expect to download.

AST-2022-002 - When using STIR/SHAKEN, its possible to send arbitrary requests like GET to interfaces such as localhost using the Identity header.


Discovery 2022-04-14
Entry 2022-04-14
asterisk16
gt 16.15.0 lt 16.25.2

asterisk18
< 18.11.2

CVE-2022-26498
https://downloads.asterisk.org/pub/security/AST-2022-001.html
CVE-2022-26499
https://downloads.asterisk.org/pub/security/AST-2022-002.html
daf0a339-9850-11e2-879e-d43d7e0c7c02asterisk -- multiple vulnerabilities

Asterisk project reports:

Buffer Overflow Exploit Through SIP SDP Header

Username disclosure in SIP channel driver

Denial of Service in HTTP server


Discovery 2013-03-27
Entry 2013-03-29
asterisk11
gt 11.* lt 11.2.2

asterisk10
gt 10.* lt 10.12.2

asterisk18
gt 1.8.* lt 1.8.20.2

CVE-2013-2685
CVE-2013-2686
CVE-2013-2264
http://downloads.asterisk.org/pub/security/AST-2013-001.html
http://downloads.asterisk.org/pub/security/AST-2013-002.html
http://downloads.asterisk.org/pub/security/AST-2013-003.html
https://www.asterisk.org/security
fd2bf3b5-1001-11e3-ba94-0025905a4771asterisk -- multiple vulnerabilities

The Asterisk project reports:

Remote Crash From Late Arriving SIP ACK With SDP

Remote Crash when Invalid SDP is sent in SIP Request


Discovery 2013-08-27
Entry 2013-08-28
Modified 2013-08-29
asterisk11
gt 11.* lt 11.5.1

asterisk10
gt 10.* lt 10.12.3

asterisk18
gt 1.8.* lt 1.8.21.1

CVE-2013-5641
CVE-2013-5642
http://downloads.asterisk.org/pub/security/AST-2013-004.html
http://downloads.asterisk.org/pub/security/AST-2013-005.html
https://www.asterisk.org/security
f109b02f-f5a4-11e3-82e9-00a098b18457asterisk -- multiple vulnerabilities

The Asterisk project reports:

Asterisk Manager User Unauthorized Shell Access. Manager users can execute arbitrary shell commands with the MixMonitor manager action. Asterisk does not require system class authorization for a manager user to use the MixMonitor action, so any manager user who is permitted to use manager commands can potentially execute shell commands as the user executing the Asterisk process.

Exhaustion of Allowed Concurrent HTTP Connections. Establishing a TCP or TLS connection to the configured HTTP or HTTPS port respectively in http.conf and then not sending or completing a HTTP request will tie up a HTTP session. By doing this repeatedly until the maximum number of open HTTP sessions is reached, legitimate requests are blocked.


Discovery 2014-06-12
Entry 2014-06-17
asterisk11
< 11.10.1

asterisk18
< 1.8.28.1

CVE-2014-4046
CVE-2014-4047
http://downloads.asterisk.org/pub/security/AST-2014-006.pdf
http://downloads.asterisk.org/pub/security/AST-2014-007.pdf
https://www.asterisk.org/security