Release date

Reference: PROCALL-1718
Criticality

CRITICAL

CVSS Score: 9.8

Description

Expat (aka libexpat) before 2.4.4 has a signed integer overflow in XML_GetBuffer for configurations with a non-zero XML_CONTEXT_BYTES. XML_CONTEXT_BYTES is non-zero (1024) in Expat's default build configuration, so any product that embeds a stock Expat build older than 2.4.4 is affected unless that build was deliberately configured with XML_CONTEXT_BYTES set to 0.
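The check a practitioner wants before trusting any application that embeds Expat is whether the linked build is older than 2.4.4 and has a non-zero XML_CONTEXT_BYTES. The following is an added example, not estos code and not part of the original advisory: it inspects whatever Expat the running Python interpreter links (via the pyexpat module), but the version-string and feature-list parsing applies to any Expat build, because the same data come from XML_ExpatVersion() and XML_GetFeatureList() in C. The 2.4.4 threshold is taken from the description above; the function names and the constructed feature lists in the comments are assumptions for illustration.

```python
"""Check whether an Expat build falls inside the affected range described
in the advisory: version < 2.4.4 built with a non-zero XML_CONTEXT_BYTES.
Added example; not code from estos or from the Expat project."""
import pyexpat

# First Expat release carrying the XML_GetBuffer fix (from the advisory text).
FIXED_VERSION = (2, 4, 4)


def parse_expat_version(version_string):
    """Parse the 'expat_X.Y.Z' string that XML_ExpatVersion() returns
    (pyexpat exposes the same string as pyexpat.EXPAT_VERSION)."""
    prefix = "expat_"
    if not version_string.startswith(prefix):
        raise ValueError(f"unexpected Expat version string: {version_string!r}")
    parts = version_string[len(prefix):].split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected Expat version string: {version_string!r}")
    return tuple(int(p) for p in parts)


def context_bytes(features):
    """Extract XML_CONTEXT_BYTES from XML_GetFeatureList()-style
    (name, value) pairs, e.g. [("XML_DTD", 0), ("XML_CONTEXT_BYTES", 1024)].
    A build compiled without XML_CONTEXT_BYTES omits the entry, which is
    equivalent to 0 for this check."""
    for name, value in features:
        if name == "XML_CONTEXT_BYTES":
            return int(value)
    return 0


def is_affected(version, features):
    """True when the build matches the advisory's affected configuration."""
    return tuple(version) < FIXED_VERSION and context_bytes(features) != 0


def check_linked_expat():
    """Inspect the Expat linked into this Python interpreter and report
    the version, the context-bytes setting and the verdict."""
    version = parse_expat_version(pyexpat.EXPAT_VERSION)
    return {
        "version": version,
        "context_bytes": context_bytes(pyexpat.features),
        "affected": is_affected(version, pyexpat.features),
    }


if __name__ == "__main__":
    report = check_linked_expat()
    print("Expat %d.%d.%d, XML_CONTEXT_BYTES=%d, affected=%s" % (
        *report["version"], report["context_bytes"], report["affected"]))
```

The same two questions (version string, XML_CONTEXT_BYTES feature value) can be asked of a native application by calling XML_ExpatVersion() and walking XML_GetFeatureList() until XML_FEATURE_END; a binary that statically embeds Expat, as ProCall components do, must be checked that way or by vendor advisory, since no system library version will tell you.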

Affected versions

This vulnerability affects all previously released versions of ProCall 7 Enterprise, ProCall 6 Enterprise, ProCall 5 Enterprise and ECSTA for SIP Phones:

  • ProCall Enterprise: 7.0, 7.1, 7.2, 7.3 (all sub-versions)
  • ProCall Enterprise: 6.0, 6.1, 6.2, 6.3, 6.4 (all sub-versions)
  • ProCall 5 Enterprise
  • ECSTA for SIP Phones: 6 (all sub-versions)
  • ECSTA for SIP Phones: 5 (all sub-versions)

Versions with bug fixes

estos is preparing updates with fixes for the vulnerability. Once released, customers and partners can obtain the updates through the usual channels and follow the normal update process.

No solution available

No fixed version is available for the following products. Until they are replaced, stop exposing the affected components (uaCSTA server, XMPP federation or XMPP proxy) to the public internet, or upgrade to a current product version; contact your partner for assistance.

  • ProCall 5 Enterprise
  • ECSTA for SIP Phones 5

End-of-life

Please note: if you are using older estos product versions that are no longer supported (End-of-Life has been reached), we strongly recommend updating to the current versions for security reasons, because security patches are regularly developed and made available only for current software versions.