CVE-2022-24763

Name	CVE-2022-24763
Description	PJSIP is a free and open source multimedia communication library written in the C language. Versions 2.12 and prior contain a denial-of-service vulnerability that affects PJSIP users that consume PJSIP's XML parsing in their apps. Users are advised to update. There are no known workarounds.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References	DLA-3036-1, DLA-3194-1, DLA-3549-1, DLA-3887-1, DSA-5285-1
Debian Bugs	1014976, 1014998

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
asterisk (PTS)	bullseye	1:16.28.0~dfsg-0+deb11u4	fixed
	bullseye (security)	1:16.28.0~dfsg-0+deb11u5	fixed
	sid	1:22.0.0~dfsg+~cs6.14.60671435-1	fixed
ring (PTS)	bullseye	20210112.2.b757bac~ds1-1	vulnerable
	bullseye (security)	20210112.2.b757bac~ds1-1+deb11u1	fixed
	bookworm	20230206.0~ds2-1.1	fixed
	sid	20231201.0~ds1-1	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Origin	Debian Bugs
asterisk	source	stretch	(not affected)
asterisk	source	buster	1:16.28.0~dfsg-0+deb10u1	DLA-3194-1
asterisk	source	bullseye	1:16.28.0~dfsg-0+deb11u1	DSA-5285-1
asterisk	source	(unstable)	1:18.14.0~~rc1~dfsg+~cs6.12.40431414-1		1014976
pjproject	source	stretch	2.5.5~dfsg-6+deb9u5	DLA-3036-1
pjproject	source	(unstable)	(unfixed)
ring	source	buster	20190215.1.f152c98~ds1-1+deb10u2	DLA-3549-1
ring	source	bullseye	20210112.2.b757bac~ds1-1+deb11u1	DLA-3887-1
ring	source	(unstable)	20230206.0~ds1-1		1014998

Notes

[stretch] - asterisk <not-affected> (Vulnerable code not present)
https://github.com/pjsip/pjproject/security/advisories/GHSA-5x45-qp78-g4p4
https://github.com/pjsip/pjproject/commit/856f87c2e97a27b256482dbe0d748b1194355a21