===========================================================================
AUSCERT External Security Bulletin Redistribution

ESB-2018.2146
resiprocate security update
25 July 2018
===========================================================================

AusCERT Security Bulletin Summary
---------------------------------

Product:           resiprocate
Publisher:         Debian
Operating System:  Debian GNU/Linux 8
                   UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Denial of Service               -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-12584 CVE-2017-11521

Original Bulletin:
   https://security-tracker.debian.org/tracker/DLA-1439-1

Comment: This advisory references vulnerabilities in products which run on
         platforms other than Debian. It is recommended that administrators
         running resiprocate check for an updated version of the software
         for their operating system.

--------------------------BEGIN INCLUDED TEXT--------------------

Package : resiprocate
Version : 1:1.9.7-5+deb8u1
CVE ID  : CVE-2017-11521 CVE-2018-12584

CVE-2018-12584

  A flaw in function ConnectionBase::preparseNewBytes of
  resip/stack/ConnectionBase.cxx has been detected, that allows remote
  attackers to cause a denial of service (buffer overflow) or possibly
  execute arbitrary code when TLS communication is enabled.

CVE-2017-11521

  A flaw in function SdpContents::Session::Medium::parse of
  resip/stack/SdpContents.cxx has been detected, that allows remote
  attackers to cause a denial of service (memory consumption) by
  triggering many media connections.

For Debian 8 "Jessie", these problems have been fixed in version
1:1.9.7-5+deb8u1.

We recommend that you upgrade your resiprocate packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content.
The decision to follow or act on information or advice contained in this
security bulletin is the responsibility of each user or organisation, and
should be considered in accordance with your organisation's site policies
and procedures. AusCERT takes no responsibility for consequences which may
arise from following or acting on information or advice contained in this
security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================