CVE-2022-26498

Name: CVE-2022-26498
Description: An issue was discovered in Asterisk through 19.x. When using STIR/SHAKEN, it is possible to download files that are not certificates. These files could be much larger than what one would expect to download, leading to Resource Exhaustion. This is fixed in 16.25.2, 18.11.2, and 19.3.2.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severity: medium

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package    Release               Version                              Status
asterisk (PTS)    stretch               1:13.14.1~dfsg-2+deb9u4              vulnerable
                  stretch (security)    1:13.14.1~dfsg-2+deb9u6              vulnerable
                  buster                1:16.2.1~dfsg-1+deb10u2              vulnerable
                  bullseye              1:16.16.1~dfsg-1                     vulnerable
                  bullseye (security)   1:16.16.1~dfsg-1+deb11u1             vulnerable
                  bookworm, sid         1:18.12.0~dfsg+~cs6.12.40431413-1    fixed

The information below is based on the following data on fixed versions.

Package     Type      Release      Fixed Version                          Urgency    Origin    Debian Bugs
asterisk    source    (unstable)   1:18.11.2~dfsg+~cs6.10.40431413-1

Notes

https://issues.asterisk.org/jira/browse/ASTERISK-29872
https://downloads.asterisk.org/pub/security/AST-2022-001.html
