Package | asterisk |
---|---|
Version | 1:13.14.1~dfsg-2+deb9u9 (stretch) |
Related CVEs | CVE-2023-37457 CVE-2023-49294 |
Two security vulnerabilities were discovered in Asterisk, a private branch exchange.
CVE-2023-37457
The 'update' functionality of the PJSIP_HEADER dialplan function can exceed
the available buffer space for storing the new value of a header. Doing so
can overwrite memory or cause a crash. This is not externally exploitable
unless the dialplan is explicitly written to update a header based on data
from an outside source. If the 'update' functionality is not used, the
vulnerability does not occur.
CVE-2023-49294
It is possible to read an arbitrary file even when the `live_dangerously`
option is not enabled.
For Debian 9 stretch, these problems have been fixed in version 1:13.14.1~dfsg-2+deb9u9.
We recommend that you upgrade your asterisk packages.
Further information about Extended LTS security advisories can be found in the dedicated section of our website.