Alpine: asterisk: security update to 16.14.1-r0

medium Tenable Self-Hosted Container Security Plugin ID 403578

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- A res_pjsip_session crash was discovered in Asterisk Open Source 13.x before 13.37.1, 16.x before 16.14.1,
17.x before 17.8.1, and 18.x before 18.0.1. and Certified Asterisk before 16.8-cert5. Upon receiving a new
SIP Invite, Asterisk did not return the created dialog locked or referenced. This caused a gap between the
creation of the dialog object, and its next use by the thread that created it. Depending on some off-
nominal circumstances and timing, it was possible for another thread to free said dialog in this gap.
Asterisk could then crash when the dialog object, or any of its dependent objects, were dereferenced or
accessed next by the initial-creation thread. Note, however, that this crash can only occur when using a
connection-oriented protocol (e.g., TCP or TLS, but not UDP) for SIP transport. Also, the remote client
must be authenticated, or Asterisk must be configured for anonymous calling. (CVE-2020-28327)

See Also

https://security.alpinelinux.org/vuln/CVE-2020-28327

Plugin Details

Severity: Medium

ID: 403578

Version: Revision 1.24

Type: Local

Published: 10/31/2023

Updated: 3/12/2025

Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 3

Percentile: 23.18

CVSS v2

Risk Factor: Low

Base Score: 2.1

Temporal Score: 1.6

Vector: CVSS2#AV:N/AC:H/Au:S/C:N/I:N/A:P

CVSS Score Source: CVE-2020-28327

CVSS v3

Risk Factor: Medium

Base Score: 5.3

Temporal Score: 4.8

Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Vulnerability Publication Date: 11/6/2020

Reference Information

CVE: CVE-2020-28327