FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

asterisk -- Remote crash possible when negotiating T.38

Affected packages
16.15.0 <= asterisk16 < 16.16.1
18.1.0 <= asterisk18 < 18.2.1

Details

VuXML ID e3894955-7227-11eb-8386-001999f8d30b
Discovery 2021-02-05
Entry 2021-02-18

The Asterisk project reports:

When re-negotiating for T.38, if the initial remote response was delayed just enough, Asterisk would send both audio and T.38 in the SDP. If this happened, and the remote responded with a declined T.38 stream, then Asterisk would crash.

References

CVE Name CVE-2021-26717
URL https://downloads.asterisk.org/pub/security/AST-2021-002.html