An issue was discovered in Asterisk 13.18.4 and older, 14.7.4 and older, 15.1.4 and older, and 13.18-cert1 and older. A select set of SIP messages create a dialog in Asterisk. Those SIP messages must contain a contact header. For those messages, if the header was not present and the PJSIP channel driver was used, Asterisk would crash. The severity of this vulnerability is somewhat mitigated if authentication is enabled. If authentication is enabled, a user would have to first be authorized before reaching the crash point.

Upstream bug: https://issues.asterisk.org/jira/browse/ASTERISK-27480

References: https://issues.asterisk.org/jira/secure/attachment/56540/AST-2017-014.pdf
Created asterisk tracking bugs for this issue:

Affects: epel-6 [bug 1529151]
Affects: fedora-all [bug 1529152]
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.