Releases: asterisk/asterisk
Asterisk Release 23.0.0-rc1
The Asterisk Development Team would like to announce
release candidate 1 of asterisk-23.0.0.
The release artifacts are available for immediate download at
https://github.com/asterisk/asterisk/releases/tag/23.0.0-rc1
and
https://downloads.asterisk.org/pub/telephony/asterisk
Repository: https://github.com/asterisk/asterisk
Tag: 23.0.0-rc1
This release resolves issues reported by the community
and would not have been possible without your participation.
Thank You!
Change Log for Release asterisk-23.0.0-rc1
Summary:
- Commits: 41
- Commit Authors: 13
- Issues Resolved: 32
- Security Advisories Resolved: 1
  - GHSA-64qc-9x89-rx5j: A specifically malformed Authorization header in an incoming SIP request can cause Asterisk to crash
User Notes:
- app_queue.c: Add new global 'log_unpause_on_reason_change'
  Add new global option 'log_unpause_on_reason_change' that
  is disabled by default. When enabled, it causes the addition of an UNPAUSE
  event on every re-PAUSE with reason changed.
- pbx_builtins: Allow custom tone for WaitExten.
  The tone used while waiting for digits in WaitExten
  can now be overridden by specifying an argument for the 'd'
  option.
- res_tonedetect: Add option for TONE_DETECT detection to auto stop.
  The 'e' option for TONE_DETECT now allows detection to
  be disabled automatically once the desired number of matches have
  been fulfilled, which can help prevent race conditions in the
  dialplan, since TONE_DETECT does not need to be disabled after
  a hit.
- sorcery: Prevent duplicate objects and ensure missing objects are created on u..
  Users relying on Sorcery configurations with multiple writable backends
  (e.g., astdb + realtime) may now enable update_or_create_on_update_miss = yes
  in sorcery.conf to ensure missing objects are recreated after temporary backend
  failures. Default behavior remains unchanged unless explicitly enabled.
- chan_websocket: Allow additional URI parameters to be added to the outgoing URI.
  A new WebSocket channel driver option 'v' has been added to the
  Dial application that allows you to specify additional URI parameters on
  outgoing connections. Run 'core show application Dial' from the Asterisk CLI
  to see how to use it.
- app_chanspy: Add option to not automatically answer channel.
  ChanSpy and ExtenSpy can now be configured to not
  automatically answer the channel by using the 'N' option.
Upgrade Notes:
- config.c Make ast_variable_update update last match.
  Config variables, when set/updated, such as via AMI,
  will now have the corresponding setting updated, even if their
  sections inherit from template sections.
- config.c: Make ast_variable_retrieve return last match.
  Config variables retrieved explicitly by name now return
  the most recently overriding value as opposed to the base value (e.g.
  from a template). This is equivalent to retrieving a config setting
  using the -1 index to the AST_CONFIG function. The major implication of
  this is that modules processing configs by explicitly retrieving variables
  by name will now get the effective value of a variable as overridden in
  a config rather than the first-set value (from a template), which is
  consistent with how other modules load config settings.
- users.conf: Remove deprecated users.conf integration.
  users.conf has been removed and all channel drivers must
  be configured using their specific configuration files. The functionality
  previously in users.conf for res_phoneprov is now in phoneprov_users.conf.
- res_agi: Remove deprecated DeadAGI application.
  The DeadAGI application, which was
  deprecated in Asterisk 15, has now been removed.
  The same functionality is available in the AGI app.
- res_musiconhold: Remove options that were deprecated in Asterisk 14.
  The deprecated random and application=r options have
  been removed; use sort=random instead.
- app_voicemail: Remove deprecated options.
  The deprecated maxmessage and minmessage options
  have been removed; use maxsecs and minsecs instead.
  The deprecated 'cz' language has also been removed; use 'cs' instead.
- app_queue: Remove redundant/deprecated function.
  The deprecated QUEUE_MEMBER_COUNT function
  has been removed; use QUEUE_MEMBER(,logged) instead.
- cli.c: Remove deprecated and redundant CLI command.
  The deprecated "no debug channel" command has
  now been removed; use "core set debug channel" instead.
- logger.c: Remove deprecated/redundant configuration option.
  The deprecated rotatetimestamp option has been removed.
  Use rotatestrategy instead.
- func_dialplan: Remove deprecated/redundant function.
  The deprecated VALID_EXTEN function has been removed.
  Use DIALPLAN_EXISTS instead.
Developer Notes:
- ARI: Add command to indicate progress to a channel
  A new ARI endpoint is available at /channels/{channelId}/progress
  to indicate progress to a channel.
Commit Authors:
- Alexei Gradinari: (1)
- Alexey Khabulyak: (1)
- Artem Umerov: (1)
- Ben Ford: (2)
- George Joseph: (4)
- Igor Goncharovsky: (2)
- Joe Garlick: (1)
- Jose Lopes: (1)
- Mike Bradeen: (1)
- Naveen Albert: (23)
- Sean Bright: (2)
- Stuart Henderson: (1)
- Sven Kube: (1)
Asterisk Release 22.6.0-rc1
The Asterisk Development Team would like to announce
release candidate 1 of asterisk-22.6.0.
The release artifacts are available for immediate download at
https://github.com/asterisk/asterisk/releases/tag/22.6.0-rc1
and
https://downloads.asterisk.org/pub/telephony/asterisk
Repository: https://github.com/asterisk/asterisk
Tag: 22.6.0-rc1
This release resolves issues reported by the community
and would not have been possible without your participation.
Thank You!
Change Log for Release asterisk-22.6.0-rc1
Summary:
- Commits: 51
- Commit Authors: 22
- Issues Resolved: 37
- Security Advisories Resolved: 0
User Notes:
- app_queue.c: Add new global 'log_unpause_on_reason_change'
  Add new global option 'log_unpause_on_reason_change' that
  is disabled by default. When enabled, it causes the addition of an UNPAUSE
  event on every re-PAUSE with reason changed.
- pbx_builtins: Allow custom tone for WaitExten.
  The tone used while waiting for digits in WaitExten
  can now be overridden by specifying an argument for the 'd'
  option.
- res_tonedetect: Add option for TONE_DETECT detection to auto stop.
  The 'e' option for TONE_DETECT now allows detection to
  be disabled automatically once the desired number of matches have
  been fulfilled, which can help prevent race conditions in the
  dialplan, since TONE_DETECT does not need to be disabled after
  a hit.
- sorcery: Prevent duplicate objects and ensure missing objects are created on u..
  Users relying on Sorcery configurations with multiple writable backends
  (e.g., astdb + realtime) may now enable update_or_create_on_update_miss = yes
  in sorcery.conf to ensure missing objects are recreated after temporary backend
  failures. Default behavior remains unchanged unless explicitly enabled.
- chan_websocket: Allow additional URI parameters to be added to the outgoing URI.
  A new WebSocket channel driver option 'v' has been added to the
  Dial application that allows you to specify additional URI parameters on
  outgoing connections. Run 'core show application Dial' from the Asterisk CLI
  to see how to use it.
- app_chanspy: Add option to not automatically answer channel.
  ChanSpy and ExtenSpy can now be configured to not
  automatically answer the channel by using the 'N' option.
- cel: Add STREAM_BEGIN, STREAM_END and DTMF event types.
  Enabling the tracking of the STREAM_BEGIN and the STREAM_END event
  types in cel.conf will log media files and music on hold played to
  each channel. The STREAM_BEGIN event's extra field will contain a JSON
  with the file details (path, format and language), or the class name, in
  case music on hold is played. The DTMF event's extra field will contain
  a JSON with the digit and the duration in milliseconds.
- res_srtp: Add menuselect options to enable AES_192, AES_256 and AES_GCM
  Options are now available in the menuselect "Resource Modules"
  category that allow you to enable the AES_192, AES_256 and AES_GCM
  cipher suites in res_srtp. Of course, libsrtp and OpenSSL must support
  them but modern versions do. Previously, the only way to enable them was
  to set the CFLAGS environment variable when running ./configure.
  The default setting is to disable them, preserving existing behavior.
- cdr: add CANCEL disposition in CDR
  A new CDR option "canceldispositionenabled" has been added
  that when set to true, the NO ANSWER disposition will be split into
  two dispositions: CANCEL and NO ANSWER. The default value is 'no'.
- func_curl: Allow auth methods to be set.
  The httpauth field in CURLOPT now allows the authentication
  methods to be set.
- Media over Websocket Channel Driver
  A new channel driver "chan_websocket" is now available. It can
  exchange media over both inbound and outbound websockets and will both frame
  and re-time the media it receives.
  See http://s.asterisk.net/mow for more information.
  The ARI channels/externalMedia API now includes support for the
Upgrade Notes:
Developer Notes:
- ARI: Add command to indicate progress to a channel
  A new ARI endpoint is available at /channels/{channelId}/progress
  to indicate progress to a channel.
- options: Change ast_options from ast_flags to ast_flags64.
  The 32-bit ast_options has no room left to accommodate new
  options and so has been converted to an ast_flags64 structure. All internal
  references to ast_options have been updated to use the 64-bit flag
  manipulation macros. External module references to the 32-bit ast_options
  should continue to work on little-endian systems because the
  least-significant bytes of a 64-bit integer will be in the same location as a
  32-bit integer. Because that's not the case on big-endian systems, we've
  swapped the bytes in the flags manipulation macros on big-endian systems
  so external modules should still work; however, you are encouraged to test.
Commit Authors:
- Alexei Gradinari: (2)
- Alexey Khabulyak: (2)
- Allan Nathanson: (1)
- Artem Umerov: (1)
- Ben Ford: (1)
- George Joseph: (9)
- Igor Goncharovsky: (2)
- Jaco Kroon: (1)
- Joe Garlick: (1)
- Jose Lopes: (1)
- Kodokaii: (1)
- Martin Tomec: (1)
- Mike Bradeen: (1)
- Mkmer: (1)
- Naveen Albert: (15)
- Sean Bright: (2)
- Sperl Viktor: (2)
- Stanislav Abramenkov: (1)
- Stuart Henderson: (1)
- Sven Kube: (2)
- Tinet-Mucw: (2)
- Zhou_jiajian: (1)
Asterisk Release 21.11.0-rc1
The Asterisk Development Team would like to announce
release candidate 1 of asterisk-21.11.0.
The release artifacts are available for immediate download at
https://github.com/asterisk/asterisk/releases/tag/21.11.0-rc1
and
https://downloads.asterisk.org/pub/telephony/asterisk
Repository: https://github.com/asterisk/asterisk
Tag: 21.11.0-rc1
This release resolves issues reported by the community
and would not have been possible without your participation.
Thank You!
Change Log for Release asterisk-21.11.0-rc1
Summary:
- Commits: 51
- Commit Authors: 22
- Issues Resolved: 37
- Security Advisories Resolved: 0
User Notes:
- app_queue.c: Add new global 'log_unpause_on_reason_change'
  Add new global option 'log_unpause_on_reason_change' that
  is disabled by default. When enabled, it causes the addition of an UNPAUSE
  event on every re-PAUSE with reason changed.
- pbx_builtins: Allow custom tone for WaitExten.
  The tone used while waiting for digits in WaitExten
  can now be overridden by specifying an argument for the 'd'
  option.
- res_tonedetect: Add option for TONE_DETECT detection to auto stop.
  The 'e' option for TONE_DETECT now allows detection to
  be disabled automatically once the desired number of matches have
  been fulfilled, which can help prevent race conditions in the
  dialplan, since TONE_DETECT does not need to be disabled after
  a hit.
- sorcery: Prevent duplicate objects and ensure missing objects are created on u..
  Users relying on Sorcery configurations with multiple writable backends
  (e.g., astdb + realtime) may now enable update_or_create_on_update_miss = yes
  in sorcery.conf to ensure missing objects are recreated after temporary backend
  failures. Default behavior remains unchanged unless explicitly enabled.
- chan_websocket: Allow additional URI parameters to be added to the outgoing URI.
  A new WebSocket channel driver option 'v' has been added to the
  Dial application that allows you to specify additional URI parameters on
  outgoing connections. Run 'core show application Dial' from the Asterisk CLI
  to see how to use it.
- app_chanspy: Add option to not automatically answer channel.
  ChanSpy and ExtenSpy can now be configured to not
  automatically answer the channel by using the 'N' option.
- cel: Add STREAM_BEGIN, STREAM_END and DTMF event types.
  Enabling the tracking of the STREAM_BEGIN and the STREAM_END event
  types in cel.conf will log media files and music on hold played to
  each channel. The STREAM_BEGIN event's extra field will contain a JSON
  with the file details (path, format and language), or the class name, in
  case music on hold is played. The DTMF event's extra field will contain
  a JSON with the digit and the duration in milliseconds.
- res_srtp: Add menuselect options to enable AES_192, AES_256 and AES_GCM
  Options are now available in the menuselect "Resource Modules"
  category that allow you to enable the AES_192, AES_256 and AES_GCM
  cipher suites in res_srtp. Of course, libsrtp and OpenSSL must support
  them but modern versions do. Previously, the only way to enable them was
  to set the CFLAGS environment variable when running ./configure.
  The default setting is to disable them, preserving existing behavior.
- cdr: add CANCEL disposition in CDR
  A new CDR option "canceldispositionenabled" has been added
  that when set to true, the NO ANSWER disposition will be split into
  two dispositions: CANCEL and NO ANSWER. The default value is 'no'.
- func_curl: Allow auth methods to be set.
  The httpauth field in CURLOPT now allows the authentication
  methods to be set.
- Media over Websocket Channel Driver
  A new channel driver "chan_websocket" is now available. It can
  exchange media over both inbound and outbound websockets and will both frame
  and re-time the media it receives.
  See http://s.asterisk.net/mow for more information.
  The ARI channels/externalMedia API now includes support for the
Upgrade Notes:
Developer Notes:
- ARI: Add command to indicate progress to a channel
  A new ARI endpoint is available at /channels/{channelId}/progress
  to indicate progress to a channel.
- options: Change ast_options from ast_flags to ast_flags64.
  The 32-bit ast_options has no room left to accommodate new
  options and so has been converted to an ast_flags64 structure. All internal
  references to ast_options have been updated to use the 64-bit flag
  manipulation macros. External module references to the 32-bit ast_options
  should continue to work on little-endian systems because the
  least-significant bytes of a 64-bit integer will be in the same location as a
  32-bit integer. Because that's not the case on big-endian systems, we've
  swapped the bytes in the flags manipulation macros on big-endian systems
  so external modules should still work; however, you are encouraged to test.
Commit Authors:
- Alexei Gradinari: (2)
- Alexey Khabulyak: (2)
- Allan Nathanson: (1)
- Artem Umerov: (1)
- Ben Ford: (1)
- George Joseph: (9)
- Igor Goncharovsky: (2)
- Jaco Kroon: (1)
- Joe Garlick: (1)
- Jose Lopes: (1)
- Kodokaii: (1)
- Martin Tomec: (1)
- Mike Bradeen: (1)
- Mkmer: (1)
- Naveen Albert: (15)
- Sean Bright: (2)
- Sperl Viktor: (2)
- Stanislav Abramenkov: (1)
- Stuart Henderson: (1)
- Sven Kube: (2)
- Tinet-Mucw: (2)
- Zhou_jiajian: (1)
Asterisk Release 20.16.0-rc1
The Asterisk Development Team would like to announce
release candidate 1 of asterisk-20.16.0.
The release artifacts are available for immediate download at
https://github.com/asterisk/asterisk/releases/tag/20.16.0-rc1
and
https://downloads.asterisk.org/pub/telephony/asterisk
Repository: https://github.com/asterisk/asterisk
Tag: 20.16.0-rc1
This release resolves issues reported by the community
and would not have been possible without your participation.
Thank You!
Change Log for Release asterisk-20.16.0-rc1
Summary:
- Commits: 51
- Commit Authors: 22
- Issues Resolved: 37
- Security Advisories Resolved: 0
User Notes:
- app_queue.c: Add new global 'log_unpause_on_reason_change'
  Add new global option 'log_unpause_on_reason_change' that
  is disabled by default. When enabled, it causes the addition of an UNPAUSE
  event on every re-PAUSE with reason changed.
- pbx_builtins: Allow custom tone for WaitExten.
  The tone used while waiting for digits in WaitExten
  can now be overridden by specifying an argument for the 'd'
  option.
- res_tonedetect: Add option for TONE_DETECT detection to auto stop.
  The 'e' option for TONE_DETECT now allows detection to
  be disabled automatically once the desired number of matches have
  been fulfilled, which can help prevent race conditions in the
  dialplan, since TONE_DETECT does not need to be disabled after
  a hit.
- sorcery: Prevent duplicate objects and ensure missing objects are created on u..
  Users relying on Sorcery configurations with multiple writable backends
  (e.g., astdb + realtime) may now enable update_or_create_on_update_miss = yes
  in sorcery.conf to ensure missing objects are recreated after temporary backend
  failures. Default behavior remains unchanged unless explicitly enabled.
- chan_websocket: Allow additional URI parameters to be added to the outgoing URI.
  A new WebSocket channel driver option 'v' has been added to the
  Dial application that allows you to specify additional URI parameters on
  outgoing connections. Run 'core show application Dial' from the Asterisk CLI
  to see how to use it.
- app_chanspy: Add option to not automatically answer channel.
  ChanSpy and ExtenSpy can now be configured to not
  automatically answer the channel by using the 'N' option.
- cel: Add STREAM_BEGIN, STREAM_END and DTMF event types.
  Enabling the tracking of the STREAM_BEGIN and the STREAM_END event
  types in cel.conf will log media files and music on hold played to
  each channel. The STREAM_BEGIN event's extra field will contain a JSON
  with the file details (path, format and language), or the class name, in
  case music on hold is played. The DTMF event's extra field will contain
  a JSON with the digit and the duration in milliseconds.
- res_srtp: Add menuselect options to enable AES_192, AES_256 and AES_GCM
  Options are now available in the menuselect "Resource Modules"
  category that allow you to enable the AES_192, AES_256 and AES_GCM
  cipher suites in res_srtp. Of course, libsrtp and OpenSSL must support
  them but modern versions do. Previously, the only way to enable them was
  to set the CFLAGS environment variable when running ./configure.
  The default setting is to disable them, preserving existing behavior.
- cdr: add CANCEL disposition in CDR
  A new CDR option "canceldispositionenabled" has been added
  that when set to true, the NO ANSWER disposition will be split into
  two dispositions: CANCEL and NO ANSWER. The default value is 'no'.
- func_curl: Allow auth methods to be set.
  The httpauth field in CURLOPT now allows the authentication
  methods to be set.
- Media over Websocket Channel Driver
  A new channel driver "chan_websocket" is now available. It can
  exchange media over both inbound and outbound websockets and will both frame
  and re-time the media it receives.
  See http://s.asterisk.net/mow for more information.
  The ARI channels/externalMedia API now includes support for the
Upgrade Notes:
Developer Notes:
- ARI: Add command to indicate progress to a channel
  A new ARI endpoint is available at /channels/{channelId}/progress
  to indicate progress to a channel.
- options: Change ast_options from ast_flags to ast_flags64.
  The 32-bit ast_options has no room left to accommodate new
  options and so has been converted to an ast_flags64 structure. All internal
  references to ast_options have been updated to use the 64-bit flag
  manipulation macros. External module references to the 32-bit ast_options
  should continue to work on little-endian systems because the
  least-significant bytes of a 64-bit integer will be in the same location as a
  32-bit integer. Because that's not the case on big-endian systems, we've
  swapped the bytes in the flags manipulation macros on big-endian systems
  so external modules should still work; however, you are encouraged to test.
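The layout argument in the ast_flags64 developer note (repeated in the 22.6.0, 21.11.0 and 20.16.0 release candidates), as an added example that is not Asterisk code: it lays a 64-bit flag word out in explicit little- and big-endian byte order and shows what a module reading only the first four bytes sees. All function names are hypothetical, and the exchange of the two 32-bit halves used for the big-endian case is an assumption of this example; the note itself only says that bytes are swapped in the macros.

```c
#include <stdint.h>
#include <stdio.h>

/* Lay a 64-bit value out in memory the way a little- or big-endian CPU would. */
void store64(uint8_t mem[8], uint64_t v, int big_endian)
{
    for (int i = 0; i < 8; i++) {
        int shift = big_endian ? 8 * (7 - i) : 8 * i;
        mem[i] = (uint8_t)(v >> shift);
    }
}

/* Read the 64-bit value back using the same byte order. */
uint64_t load64(const uint8_t mem[8], int big_endian)
{
    uint64_t v = 0;
    for (int i = 0; i < 8; i++) {
        int shift = big_endian ? 8 * (7 - i) : 8 * i;
        v |= (uint64_t)mem[i] << shift;
    }
    return v;
}

/* What a module built against the old 32-bit layout reads:
 * four bytes at offset 0 of the same storage. */
uint32_t legacy_load32(const uint8_t mem[8], int big_endian)
{
    uint32_t v = 0;
    for (int i = 0; i < 4; i++) {
        int shift = big_endian ? 8 * (3 - i) : 8 * i;
        v |= (uint32_t)mem[i] << shift;
    }
    return v;
}

/* Assumed compatibility transform: exchange the two 32-bit halves so the
 * low 32 flag bits occupy the first four bytes on a big-endian layout. */
uint64_t swap_halves(uint64_t v)
{
    return (v << 32) | (v >> 32);
}

/* Hypothetical 64-bit setter; 'compat' turns the big-endian swap on. */
void flags64_set(uint8_t mem[8], uint64_t flag, int big_endian, int compat)
{
    int swap = big_endian && compat;
    uint64_t v = load64(mem, big_endian);

    if (swap) v = swap_halves(v);   /* stored form -> logical value */
    v |= flag;
    if (swap) v = swap_halves(v);   /* logical value -> stored form */
    store64(mem, v, big_endian);
}

/* Hypothetical 64-bit tester matching flags64_set(). */
int flags64_test(const uint8_t mem[8], uint64_t flag, int big_endian, int compat)
{
    uint64_t v = load64(mem, big_endian);

    if (big_endian && compat) v = swap_halves(v);
    return (v & flag) != 0;
}

/* Set flags through the 64-bit path, then return what a legacy 32-bit
 * reader of the same storage observes. */
uint32_t legacy_view(uint64_t flags, int big_endian, int compat)
{
    uint8_t mem[8] = {0};

    flags64_set(mem, flags, big_endian, compat);
    return legacy_load32(mem, big_endian);
}

int main(void)
{
    /* Constructed sample: one flag in the old 32-bit range, one above it. */
    uint64_t flags = (1ULL << 3) | (1ULL << 40);

    printf("little-endian           : 0x%08x\n", (unsigned)legacy_view(flags, 0, 0));
    printf("big-endian, no swap     : 0x%08x\n", (unsigned)legacy_view(flags, 1, 0));
    printf("big-endian, halves swap : 0x%08x\n", (unsigned)legacy_view(flags, 1, 1));
    return 0;
}
```

Without the swap, the big-endian legacy reader sees the upper half of the word, so a flag set at bit 3 is invisible to it and a flag at bit 40 shows up as bit 8.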
Commit Authors:
- Alexei Gradinari: (2)
- Alexey Khabulyak: (2)
- Allan Nathanson: (1)
- Artem Umerov: (1)
- Ben Ford: (1)
- George Joseph: (9)
- Igor Goncharovsky: (2)
- Jaco Kroon: (1)
- Joe Garlick: (1)
- Jose Lopes: (1)
- Kodokaii: (1)
- Martin Tomec: (1)
- Mike Bradeen: (1)
- Mkmer: (1)
- Naveen Albert: (15)
- Sean Bright: (2)
- Sperl Viktor: (2)
- Stanislav Abramenkov: (1)
- Stuart Henderson: (1)
- Sven Kube: (2)
- Tinet-Mucw: (2)
- Zhou_jiajian: (1)
Asterisk Release 22.5.2
The Asterisk Development Team would like to announce security release
Asterisk 22.5.2.
The release artifacts are available for immediate download at
https://github.com/asterisk/asterisk/releases/tag/22.5.2
and
https://downloads.asterisk.org/pub/telephony/asterisk
Repository: https://github.com/asterisk/asterisk
Tag: 22.5.2
Change Log for Release asterisk-22.5.2
Summary:
- Commits: 1
- Commit Authors: 1
- Issues Resolved: 0
- Security Advisories Resolved: 1
  - GHSA-64qc-9x89-rx5j: A specifically malformed Authorization header in an incoming SIP request can cause Asterisk to crash
User Notes:
Upgrade Notes:
Developer Notes:
Commit Authors:
- George Joseph: (1)
Issue and Commit Detail:
Closed Issues:
- !GHSA-64qc-9x89-rx5j: A specifically malformed Authorization header in an incoming SIP request can cause Asterisk to crash
Commits By Author:
- George Joseph (1):
  - res_pjsip_authenticator_digest: Fix SEGV if get_authorization_hdr returns NULL.
Commit List:
- res_pjsip_authenticator_digest: Fix SEGV if get_authorization_hdr returns NULL.
Commit Details:
res_pjsip_authenticator_digest: Fix SEGV if get_authorization_hdr returns NULL.
Author: George Joseph
Date: 2025-08-28
In the highly-unlikely event that get_authorization_hdr() couldn't find an
Authorization header in a request, trying to get the digest algorithm
would cause a SEGV. We now check that we have an auth header that matches
the realm before trying to get the algorithm from it.
Resolves: #GHSA-64qc-9x89-rx5j
Asterisk Release 21.10.2
The Asterisk Development Team would like to announce security release
Asterisk 21.10.2.
The release artifacts are available for immediate download at
https://github.com/asterisk/asterisk/releases/tag/21.10.2
and
https://downloads.asterisk.org/pub/telephony/asterisk
Repository: https://github.com/asterisk/asterisk
Tag: 21.10.2
Change Log for Release asterisk-21.10.2
Summary:
- Commits: 1
- Commit Authors: 1
- Issues Resolved: 0
- Security Advisories Resolved: 1
  - GHSA-64qc-9x89-rx5j: A specifically malformed Authorization header in an incoming SIP request can cause Asterisk to crash
User Notes:
Upgrade Notes:
Developer Notes:
Commit Authors:
- George Joseph: (1)
Issue and Commit Detail:
Closed Issues:
- !GHSA-64qc-9x89-rx5j: A specifically malformed Authorization header in an incoming SIP request can cause Asterisk to crash
Commits By Author:
- George Joseph (1):
  - res_pjsip_authenticator_digest: Fix SEGV if get_authorization_hdr returns NULL.
Commit List:
- res_pjsip_authenticator_digest: Fix SEGV if get_authorization_hdr returns NULL.
Commit Details:
res_pjsip_authenticator_digest: Fix SEGV if get_authorization_hdr returns NULL.
Author: George Joseph
Date: 2025-08-28
In the highly-unlikely event that get_authorization_hdr() couldn't find an
Authorization header in a request, trying to get the digest algorithm
would cause a SEGV. We now check that we have an auth header that matches
the realm before trying to get the algorithm from it.
Resolves: #GHSA-64qc-9x89-rx5j
Asterisk Release 20.15.2
The Asterisk Development Team would like to announce security release
Asterisk 20.15.2.
The release artifacts are available for immediate download at
https://github.com/asterisk/asterisk/releases/tag/20.15.2
and
https://downloads.asterisk.org/pub/telephony/asterisk
Repository: https://github.com/asterisk/asterisk
Tag: 20.15.2
Change Log for Release asterisk-20.15.2
Summary:
- Commits: 1
- Commit Authors: 1
- Issues Resolved: 0
- Security Advisories Resolved: 1
  - GHSA-64qc-9x89-rx5j: A specifically malformed Authorization header in an incoming SIP request can cause Asterisk to crash
User Notes:
Upgrade Notes:
Developer Notes:
Commit Authors:
- George Joseph: (1)
Issue and Commit Detail:
Closed Issues:
- !GHSA-64qc-9x89-rx5j: A specifically malformed Authorization header in an incoming SIP request can cause Asterisk to crash
Commits By Author:
- George Joseph (1):
  - res_pjsip_authenticator_digest: Fix SEGV if get_authorization_hdr returns NULL.
Commit List:
- res_pjsip_authenticator_digest: Fix SEGV if get_authorization_hdr returns NULL.
Commit Details:
res_pjsip_authenticator_digest: Fix SEGV if get_authorization_hdr returns NULL.
Author: George Joseph
Date: 2025-08-28
In the highly-unlikely event that get_authorization_hdr() couldn't find an
Authorization header in a request, trying to get the digest algorithm
would cause a SEGV. We now check that we have an auth header that matches
the realm before trying to get the algorithm from it.
Resolves: #GHSA-64qc-9x89-rx5j
Asterisk Release 18.26.4
The Asterisk Development Team would like to announce security release
Asterisk 18.26.4.
The release artifacts are available for immediate download at
https://github.com/asterisk/asterisk/releases/tag/18.26.4
and
https://downloads.asterisk.org/pub/telephony/asterisk
Repository: https://github.com/asterisk/asterisk
Tag: 18.26.4
Change Log for Release asterisk-18.26.4
Summary:
- Commits: 1
- Commit Authors: 1
- Issues Resolved: 0
- Security Advisories Resolved: 1
  - GHSA-557q-795j-wfx2: Resource exhaustion (DoS) vulnerability: remotely exploitable leak of RTP UDP ports and internal resources
User Notes:
Upgrade Notes:
Developer Notes:
Commit Authors:
- George Joseph: (1)
Issue and Commit Detail:
Closed Issues:
- !GHSA-557q-795j-wfx2: Resource exhaustion (DoS) vulnerability: remotely exploitable leak of RTP UDP ports and internal resources
Commits By Author:
- George Joseph (1):
  - pjproject: Update bundled to 2.15.1.
Commit List:
- pjproject: Update bundled to 2.15.1.
Commit Details:
pjproject: Update bundled to 2.15.1.
Author: George Joseph
Date: 2025-08-25
This resolves a security issue where RTP ports weren't being released
causing possible resource exhaustion issues.
Resolves: #GHSA-557q-795j-wfx2
Asterisk Release certified-18.9-cert17
The Asterisk Development Team would like to announce security release
Certified Asterisk 18.9-cert17.
The release artifacts are available for immediate download at
https://github.com/asterisk/asterisk/releases/tag/certified-18.9-cert17
and
https://downloads.asterisk.org/pub/telephony/certified-asterisk
Repository: https://github.com/asterisk/asterisk
Tag: certified-18.9-cert17
Change Log for Release asterisk-certified-18.9-cert17
Summary:
- Commits: 1
- Commit Authors: 1
- Issues Resolved: 0
- Security Advisories Resolved: 1
  - GHSA-557q-795j-wfx2: Resource exhaustion (DoS) vulnerability: remotely exploitable leak of RTP UDP ports and internal resources
User Notes:
Upgrade Notes:
Developer Notes:
Commit Authors:
- George Joseph: (1)
Issue and Commit Detail:
Closed Issues:
- !GHSA-557q-795j-wfx2: Resource exhaustion (DoS) vulnerability: remotely exploitable leak of RTP UDP ports and internal resources
Commits By Author:
- George Joseph (1):
  - pjproject: Update bundled to 2.15.1.
Commit List:
- pjproject: Update bundled to 2.15.1.
Commit Details:
pjproject: Update bundled to 2.15.1.
Author: George Joseph
Date: 2025-08-25
This resolves a security issue where RTP ports weren't being released
causing possible resource exhaustion issues.
Resolves: #GHSA-557q-795j-wfx2
Asterisk Release 22.5.1
The Asterisk Development Team would like to announce security release
Asterisk 22.5.1.
The release artifacts are available for immediate download at
https://github.com/asterisk/asterisk/releases/tag/22.5.1
and
https://downloads.asterisk.org/pub/telephony/asterisk
Repository: https://github.com/asterisk/asterisk
Tag: 22.5.1
Change Log for Release asterisk-22.5.1
Summary:
- Commits: 2
- Commit Authors: 2
- Issues Resolved: 0
- Security Advisories Resolved: 2
  - GHSA-mrq5-74j5-f5cr: Remote DoS and possible RCE in asterisk/res/res_stir_shaken/verification.c
  - GHSA-v9q8-9j8m-5xwp: Uncontrolled Search-Path Element in safe_asterisk script may allow local privilege escalation.
User Notes:
Upgrade Notes:
- safe_asterisk: Add ownership checks for /etc/asterisk/startup.d and its files.
  The safe_asterisk script now checks that, if it was run by the
  root user, the /etc/asterisk/startup.d directory and all the files it contains
  are owned by root. If the checks fail, safe_asterisk will exit with an error
  and Asterisk will not be started. Additionally, the default logging
  destination is now stderr instead of tty "9" which probably won't exist
  in modern systems.
Developer Notes:
Commit Authors:
- George Joseph: (1)
- ThatTotallyRealMyth: (1)
Issue and Commit Detail:
Closed Issues:
- !GHSA-mrq5-74j5-f5cr: Remote DoS and possible RCE in asterisk/res/res_stir_shaken/verification.c
- !GHSA-v9q8-9j8m-5xwp: Uncontrolled Search-Path Element in safe_asterisk script may allow local privilege escalation.
Commits By Author:
- George Joseph (1):
  - res_stir_shaken: Test for missing semicolon in Identity header.
- ThatTotallyRealMyth (1):
  - safe_asterisk: Add ownership checks for /etc/asterisk/startup.d and its files.
Commit List:
- safe_asterisk: Add ownership checks for /etc/asterisk/startup.d and its files.
- res_stir_shaken: Test for missing semicolon in Identity header.
Commit Details:
safe_asterisk: Add ownership checks for /etc/asterisk/startup.d and its files.
Author: ThatTotallyRealMyth
Date: 2025-06-10
UpgradeNote: The safe_asterisk script now checks that, if it was run by the
root user, the /etc/asterisk/startup.d directory and all the files it contains
are owned by root. If the checks fail, safe_asterisk will exit with an error
and Asterisk will not be started. Additionally, the default logging
destination is now stderr instead of tty "9" which probably won't exist
in modern systems.
Resolves: #GHSA-v9q8-9j8m-5xwp
res_stir_shaken: Test for missing semicolon in Identity header.
Author: George Joseph
Date: 2025-07-31
ast_stir_shaken_vs_verify() now makes sure there's a semicolon in
the Identity header to prevent a possible segfault.
Resolves: #GHSA-mrq5-74j5-f5cr
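The kind of check the res_stir_shaken commit describes, as an added example in C that is not the code from verification.c: a small Identity header splitter that rejects a header with no semicolon before any pointer arithmetic is done on the result of strchr(). The struct, function names, buffer sizes, return codes and the sample header values are constructed for this example, and requiring only the info parameter is an assumption of the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum identity_rc {
    ID_OK = 0, ID_BAD_ARG, ID_NO_SEMICOLON, ID_EMPTY_TOKEN, ID_TOO_LONG, ID_NO_INFO
};

struct identity_parts {
    char passport[512];  /* signed token: everything before the first ';' */
    char info[256];      /* certificate URL taken from info=<...> */
    char alg[16];        /* optional in this example */
    char ppt[16];        /* optional in this example */
};

/* Copy len bytes into dst and terminate; fail instead of truncating. */
static int copy_span(char *dst, size_t dst_size, const char *start, size_t len)
{
    if (len >= dst_size) {
        return -1;
    }
    memcpy(dst, start, len);
    dst[len] = '\0';
    return 0;
}

/* Find "name=value" among ';'-separated parameters and copy the value,
 * dropping surrounding angle brackets. Returns 0 when found and it fits. */
static int get_param(const char *params, const char *name, char *dst, size_t dst_size)
{
    size_t nlen = strlen(name);
    const char *p = params;

    while (p && *p) {
        while (*p == ';' || *p == ' ') {
            p++;
        }
        const char *end = strchr(p, ';');
        size_t len = end ? (size_t)(end - p) : strlen(p);

        if (len > nlen && strncmp(p, name, nlen) == 0 && p[nlen] == '=') {
            const char *v = p + nlen + 1;
            size_t vlen = len - nlen - 1;

            if (vlen >= 2 && v[0] == '<' && v[vlen - 1] == '>') {
                v++;
                vlen -= 2;
            }
            return copy_span(dst, dst_size, v, vlen);
        }
        p = end;  /* NULL after the last parameter ends the loop */
    }
    return -1;
}

/* Split an Identity header value into token and parameters. The NULL test on
 * 'semi' is the point: using (semi - hdr) as a length without it turns a
 * header that has no ';' into a bogus length and an invalid read. */
enum identity_rc identity_parse(const char *hdr, struct identity_parts *out)
{
    if (!hdr || !out) {
        return ID_BAD_ARG;
    }
    memset(out, 0, sizeof(*out));

    const char *semi = strchr(hdr, ';');
    if (!semi) {
        return ID_NO_SEMICOLON;
    }
    if (semi == hdr) {
        return ID_EMPTY_TOKEN;
    }
    if (copy_span(out->passport, sizeof(out->passport), hdr, (size_t)(semi - hdr))) {
        return ID_TOO_LONG;
    }
    if (get_param(semi, "info", out->info, sizeof(out->info))) {
        return ID_NO_INFO;
    }
    /* Left empty when absent or oversized (example policy). */
    (void)get_param(semi, "alg", out->alg, sizeof(out->alg));
    (void)get_param(semi, "ppt", out->ppt, sizeof(out->ppt));
    return ID_OK;
}

int main(void)
{
    /* Constructed header values; the token is placeholder text, not a real signature. */
    const char *good = "aGVhZGVy.cGF5bG9hZA.c2ln;info=<https://certs.example.test/sp.pem>;alg=ES256;ppt=shaken";
    const char *no_semicolon = "aGVhZGVy.cGF5bG9hZA.c2ln";
    struct identity_parts parts;

    printf("good header  -> rc=%d\n", identity_parse(good, &parts));
    printf("  info=%s alg=%s ppt=%s\n", parts.info, parts.alg, parts.ppt);
    printf("no semicolon -> rc=%d\n", identity_parse(no_semicolon, &parts));
    return 0;
}
```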