CVE-2023-27585 (PJSIP DNS resolver)

TheNextDay · April 19, 2023, 11:17am

Hello,
I stumbled upon NVD - CVE-2023-27585 and I am not sure how dangerous this thing is and how much my current 18.15.1 with bundled PJSIP 2.12.1 is affected.

The advisory says “It doesn’t affect PJSIP users who do not utilise PJSIP DNS resolver” and " A workaround is to disable DNS resolution in PJSIP config". But I am not sure if PJSIP DNS resolver is in use (I don’t use dnsmgr if that’s the case) nor how to disable it.

Thanks for any clarification.

jcolp · April 19, 2023, 11:22am

We don’t use the PJSIP DNS resolver. We use our own. The external resolver support actually came from us.

TheNextDay · April 19, 2023, 11:40am

Hi Joshua,

Thank you so much for the quick reply.

Since it is no asterisk problem then it’s sad that debian filed an asterisk vulnerability for that https://security-tracker.debian.org/tracker/CVE-2023-27585

system · May 19, 2023, 11:41am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.