FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.

The VUXML data was last processed by FreshPorts on 2024-03-27 18:04:16 UTC

k68

These are the vulnerabilities relating to the commit you have selected:

VuXML ID  Description
e3894955-7227-11eb-8386-001999f8d30b  asterisk -- Remote crash possible when negotiating T.38

The Asterisk project reports:

When re-negotiating for T.38, if the initial remote response was delayed just enough, Asterisk would send both audio and T.38 in the SDP. If this happened, and the remote responded with a declined T.38 stream, then Asterisk would crash.


Discovery 2021-02-05
Entry 2021-02-18
asterisk16
ge 16.15.0 lt 16.16.1

asterisk18
ge 18.1.0 lt 18.2.1

CVE-2021-26717
https://downloads.asterisk.org/pub/security/AST-2021-002.html
964c5460-9c66-11ec-ad3a-001999f8d30b  asterisk -- multiple vulnerabilities

The Asterisk project reports:

AST-2022-004 - The header length on incoming STUN messages that contain an ERROR-CODE attribute is not properly checked. This can result in an integer underflow. Note, this requires ICE or WebRTC support to be in use with a malicious remote party.

AST-2022-005 - When acting as a UAC, and when placing an outgoing call to a target that then forks, Asterisk may experience undefined behavior (crashes, hangs, etc.) after a dialog set is prematurely freed.

AST-2022-006 - If an incoming SIP message contains a malformed multi-part body, an out of bounds read access may occur, which can result in undefined behavior. Note, it's currently uncertain if there is any externally exploitable vector within Asterisk for this issue, but providing this as a security issue out of caution.


Discovery 2022-03-03
Entry 2022-03-05
asterisk16
< 16.24.1

asterisk18
< 18.10.1

CVE-2021-37706
CVE-2022-23608
CVE-2022-21723
https://downloads.asterisk.org/pub/security/AST-2022-004.html
https://downloads.asterisk.org/pub/security/AST-2022-005.html
https://downloads.asterisk.org/pub/security/AST-2022-006.html
9e8f0766-7d21-11eb-a2be-001999f8d30b  asterisk -- Crash when negotiating T.38 with a zero port

The Asterisk project reports:

When Asterisk sends a re-invite initiating T.38 faxing and the endpoint responds with a m=image line and zero port, a crash will occur in Asterisk. This is a reoccurrence of AST-2019-004.


Discovery 2021-02-20
Entry 2021-03-04
asterisk16
< 16.16.2

asterisk18
< 18.2.2

CVE-2019-15297
https://downloads.asterisk.org/pub/security/AST-2021-006.html
b330db5f-7225-11eb-8386-001999f8d30b  asterisk -- Remote crash in res_pjsip_diversion

The Asterisk project reports:

If a registered user is tricked into dialing a malicious number that sends lots of 181 responses to Asterisk, each one will cause a 181 to be sent back to the original caller with an increasing number of entries in the "Supported" header. Eventually the number of entries in the header exceeds the size of the entry array and causes a crash.


Discovery 2021-01-04
Entry 2021-02-18
asterisk13
ge 13.38.1 lt 13.38.2

asterisk16
ge 16.15.1 lt 16.16.1

asterisk18
ge 18.1.1 lt 18.2.1

CVE-2020-35776
https://downloads.asterisk.org/pub/security/AST-2021-001.html
fb3455be-ebf6-11eb-aef1-0897988a1c07  asterisk -- Remote crash when using IAX2 channel driver

The Asterisk project reports:

If the IAX2 channel driver receives a packet that contains an unsupported media format it can cause a crash to occur in Asterisk.


Discovery 2021-04-13
Entry 2021-07-23
asterisk13
< 13.38.3

asterisk16
< 16.19.1

asterisk18
< 18.5.1

CVE-2021-32558
https://downloads.asterisk.org/pub/security/AST-2021-008.html
1bb2826b-7229-11eb-8386-001999f8d30b  asterisk -- Remote Crash Vulnerability in PJSIP channel driver

The Asterisk project reports:

Given a scenario where an outgoing call is placed from Asterisk to a remote SIP server it is possible for a crash to occur.


Discovery 2021-02-08
Entry 2021-02-18
asterisk13
< 13.38.2

asterisk16
< 16.16.1

asterisk18
< 18.2.1

CVE-2021-26906
https://downloads.asterisk.org/pub/security/AST-2021-005.html
53fbffe6-ebf7-11eb-aef1-0897988a1c07  asterisk -- pjproject/pjsip: crash when SSL socket destroyed during handshake

The Asterisk project reports:

Depending on the timing, it's possible for Asterisk to crash when using a TLS connection if the underlying socket parent/listener gets destroyed during the handshake.


Discovery 2021-05-05
Entry 2021-07-23
asterisk13
< 13.38.3

asterisk16
< 16.19.1

asterisk18
< 18.5.1

CVE-2021-32686
https://downloads.asterisk.org/pub/security/AST-2021-009.html
a5de43ed-bc49-11ec-b516-0897988a1c07  Asterisk -- func_odbc: Possible SQL Injection

The Asterisk project reports:

Some databases can use backslashes to escape certain characters, such as backticks. If input is provided to func_odbc which includes backslashes it is possible for func_odbc to construct a broken SQL query and the SQL query to fail.


Discovery 2022-04-14
Entry 2022-04-14
asterisk16
< 16.25.2

asterisk18
< 18.11.2

CVE-2022-26651
https://downloads.asterisk.org/pub/security/AST-2022-003.html
8838abf0-bc47-11ec-b516-0897988a1c07  Asterisk -- multiple vulnerabilities

The Asterisk project reports:

AST-2022-001 - When using STIR/SHAKEN, it's possible to download files that are not certificates. These files could be much larger than what you would expect to download.

AST-2022-002 - When using STIR/SHAKEN, it's possible to send arbitrary requests like GET to interfaces such as localhost using the Identity header.


Discovery 2022-04-14
Entry 2022-04-14
asterisk16
gt 16.15.0 lt 16.25.2

asterisk18
< 18.11.2

CVE-2022-26498
https://downloads.asterisk.org/pub/security/AST-2022-001.html
CVE-2022-26499
https://downloads.asterisk.org/pub/security/AST-2022-002.html
ca21f5e7-7228-11eb-8386-001999f8d30b  asterisk -- An unsuspecting user could crash Asterisk with multiple hold/unhold requests

The Asterisk project reports:

Due to a signedness comparison mismatch, an authenticated WebRTC client could cause a stack overflow and Asterisk crash by sending multiple hold/unhold requests in quick succession.


Discovery 2021-02-11
Entry 2021-02-18
asterisk16
ge 16.16.0 lt 16.16.1

asterisk18
ge 18.2.0 lt 18.2.1

CVE-2021-26714
https://downloads.asterisk.org/pub/security/AST-2021-004.html
5d8ef725-7228-11eb-8386-001999f8d30b  asterisk -- Remote attacker could prematurely tear down SRTP calls

The Asterisk project reports:

An unauthenticated remote attacker could replay SRTP packets which could cause an Asterisk instance configured without strict RTP validation to tear down calls prematurely.


Discovery 2021-02-18
Entry 2021-02-18
asterisk13
ge 13.38.1 lt 13.38.2

asterisk16
ge 16.16.0 lt 16.16.1

asterisk18
ge 18.2.0 lt 18.2.1

CVE-2021-26712
https://downloads.asterisk.org/pub/security/AST-2021-003.html