CVE-2021-26717

NameCVE-2021-26717
DescriptionAn issue was discovered in Sangoma Asterisk 16.x before 16.16.1, 17.x before 17.9.2, and 18.x before 18.2.1 and Certified Asterisk before 16.8-cert6. When re-negotiating for T.38, if the initial remote response was delayed just enough, Asterisk would send both audio and T.38 in the SDP. If this happened, and the remote responded with a declined T.38 stream, then Asterisk would crash.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severitymedium
Debian Bugs983157

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
asterisk (PTS)stretch (security), stretch1:13.14.1~dfsg-2+deb9u4fixed
buster1:16.2.1~dfsg-1+deb10u2fixed
bullseye1:16.15.1~dfsg-1vulnerable
sid1:16.16.1~dfsg-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
asterisksourcestretch(not affected)
asterisksourcebuster(not affected)
asterisksource(unstable)1:16.16.1~dfsg-1983157

Notes

[buster] - asterisk <not-affected> (Introduced in 16.15.0)
[stretch] - asterisk <not-affected> (Introduced in 16.15.0)
https://downloads.asterisk.org/pub/security/AST-2021-002.html

Search for package or bug name: Reporting problems