asterisk - Debian Package Tracker

general

source: asterisk (main)
version: 1:22.9.0+dfsg+~cs6.16.60671434-1
maintainer: Debian VoIP Team (archive) (DMD)
uploaders: Jonas Smedegaard [DMD] – Tzafrir Cohen [DMD] – Mark Purcell [DMD] – Jeremy Lainé [DMD] – Chris Maj [DMD] – Benedikt Wildenhain [DMD]
arch: all any
std-ver: 4.7.4
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

o-o-stable: 1:16.28.0~dfsg-0+deb11u4
o-o-sec: 1:16.28.0~dfsg-0+deb11u9
unstable: 1:22.9.0+dfsg+~cs6.16.60671434-1

versioned links

1:16.28.0~dfsg-0+deb11u3: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1:16.28.0~dfsg-0+deb11u4: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1:16.28.0~dfsg-0+deb11u9: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1:22.9.0+dfsg+~cs6.16.60671434-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

asterisk (24 bugs: 0, 16, 8, 0)
asterisk-config (1 bugs: 0, 0, 1, 0)
asterisk-dahdi
asterisk-dev
asterisk-doc
asterisk-mobile
asterisk-modules
asterisk-mp3
asterisk-mysql
asterisk-ooh323
asterisk-tests

action needed

Debci reports failed tests high

unstable: pass (log)
The tests ran in 0:06:09
Last run: 2026-03-18T13:42:49.000Z
Previous status: unknown

testing: pass (log)
The tests ran in 0:03:19
Last run: 2023-03-16T12:22:33.000Z
Previous status: unknown

stable: fail (log)
The tests ran in 0:04:43
Last run: 2023-06-06T08:30:33.000Z
Previous status: unknown

Created: 2022-12-23 Last update: 2026-04-30 18:33

14 security issues in sid high

There are 14 open security issues in sid.

14 important issues:

CVE-2025-65102: PJSIP is a free and open source multimedia communication library. Prior to version 2.16, Opus PLC may zero-fill the input frame as long as the decoder ptime, while the input frame length, which is based on stream ptime, may be less than that. This issue affects PJSIP users who use the Opus audio codec in receiving direction. The vulnerability can lead to unexpected application termination due to a memory overwrite. This issue has been patched in version 2.16.
CVE-2026-25994: PJSIP is a free and open source multimedia communication library written in C. In 2.16 and earlier, a buffer overflow vulnerability exists in PJNATH ICE Session when processing credentials with excessively long usernames.
CVE-2026-26203: PJSIP is a free and open source multimedia communication library. Versions prior to 2.17 have a critical heap buffer underflow vulnerability in PJSIP's H.264 packetizer. The bug occurs when processing malformed H.264 bitstreams without NAL unit start codes, where the packetizer performs unchecked pointer arithmetic that can read from memory located before the allocated buffer. Version 2.17 contains a patch for the issue.
CVE-2026-26967: PJSIP is a free and open source multimedia communication library written in C. In versions 2.16 and below, there is a critical Heap-based Buffer Overflow vulnerability in PJSIP's H.264 unpacketizer. The bug occurs when processing malformed SRTP packets, where the unpacketizer reads a 2-byte NAL unit size field without validating that both bytes are within the payload buffer bounds. The vulnerability affects applications that receive video using H.264. A patch is available at https://github.com/pjsip/pjproject/commit/f821c214e52b11bae11e4cd3c7f0864538fb5491.
CVE-2026-28799: PJSIP is a free and open source multimedia communication library written in C. Prior to version 2.17, a heap use-after-free vulnerability exists in PJSIP's event subscription framework (evsub.c) that is triggered during presence unsubscription (SUBSCRIBE with Expires=0). This issue has been patched in version 2.17.
CVE-2026-29068: PJSIP is a free and open source multimedia communication library written in C. Prior to version 2.17, there is a stack buffer overflow vulnerability when pjmedia-codec parses an RTP payload contain more frames than the caller-provided frames can hold. This issue has been patched in version 2.17.
CVE-2026-32942: PJSIP is a free and open source multimedia communication library written in C. Versions 2.16 and below contain a heap use-after-free vulnerability in the ICE session that occurs when there are race conditions between session destruction and the callbacks. This issue has been fixed in version 2.17.
CVE-2026-32945: PJSIP is a free and open source multimedia communication library written in C. Versions 2.16 and below have a Heap-based Buffer Overflowvulnerability in the DNS parser's name length handler. Thisimpacts applications using PJSIP's built-in DNS resolver, such as those configured with pjsua_config.nameserver or UaConfig.nameserver in PJSUA/PJSUA2. It does not affect users who rely on the OS resolver (e.g., getaddrinfo()) by not configuring a nameserver, or those using an external resolver via pjsip_resolver_set_ext_resolver(). This issue is fixed in version 2.17. For users unable to upgrade, a workaround is to disable DNS resolution in the PJSIP config (by setting nameserver_count to zero) or to use an external resolver implementation instead.
CVE-2026-33069: PJSIP is a free and open source multimedia communication library written in C. Versions 2.16 and below have a cascading out-of-bounds heap read in pjsip_multipart_parse(). After boundary string matching, curptr is advanced past the delimiter without verifying it has not reached the buffer end. This allows 1-2 bytes of adjacent heap memory to be read. All applications that process incoming SIP messages with multipart bodies or SDP content are potentially affected. This issue is resolved in version 2.17.
CVE-2026-34235: PJSIP is a free and open source multimedia communication library written in C. Prior to version 2.17, a heap out-of-bounds read vulnerability exists in PJSIP's VP9 RTP unpacketizer that occurs when parsing crafted VP9 Scalability Structure (SS) data. Insufficient bounds checking on the payload descriptor length may cause reads beyond the allocated RTP payload buffer. This issue has been patched in version 2.17. A workaround for this issue involves disabling VP9 codec if not needed.
CVE-2026-40614: PJSIP is a free and open source multimedia communication library written in C. In 2.16 and earlier, there is a buffer overflow when decoding Opus audio frames due to insufficient buffer size validation in the Opus codec decode path. The FEC decode buffers (dec_frame[].buf) were allocated based on a PCM-derived formula: (sample_rate/1000) * 60 * channel_cnt * 2. At 8 kHz mono this yields only 960 bytes, but codec_parse() can output encoded frames up to MAX_ENCODED_PACKET_SIZE (1280) bytes via opus_repacketizer_out_range(). The three pj_memcpy() calls in codec_decode() copied input->size bytes without bounds checking, causing a heap buffer overflow.
CVE-2026-40892: PJSIP is a free and open source multimedia communication library written in C. In 2.16 and earlier, a stack buffer overflow exists in pjsip_auth_create_digest2() in PJSIP when using pre-computed digest credentials (PJSIP_CRED_DATA_DIGEST). The function copies credential data using cred_info->data.slen as the length without an upper-bound check, which can overflow the fixed-size ha1 stack buffer (128 bytes) if data.slen exceeds the expected digest string length.
CVE-2026-41415: PJSIP is a free and open source multimedia communication library written in C. In 2.16 and earlier, there is an out-of-bounds read when parsing a malformed Content-ID URI in SIP multipart message body. Insufficient length validation can cause reads beyond the intended buffer bounds. This vulnerability is fixed in 2.17.
CVE-2026-41416: PJSIP is a free and open source multimedia communication library written in C. In 2.16 and earlier, there is an integer overflow in media stream buffer size calculation when processing SDP with asymmetric ptime configuration. The overflow may result in an undersized buffer allocation, which can lead to unexpected application termination or memory corruption This vulnerability is fixed in 2.17.

Created: 2026-04-22 Last update: 2026-04-28 19:02

14 security issues in bullseye high

There are 14 open security issues in bullseye.

14 important issues:

CVE-2025-65102: PJSIP is a free and open source multimedia communication library. Prior to version 2.16, Opus PLC may zero-fill the input frame as long as the decoder ptime, while the input frame length, which is based on stream ptime, may be less than that. This issue affects PJSIP users who use the Opus audio codec in receiving direction. The vulnerability can lead to unexpected application termination due to a memory overwrite. This issue has been patched in version 2.16.
CVE-2026-25994: PJSIP is a free and open source multimedia communication library written in C. In 2.16 and earlier, a buffer overflow vulnerability exists in PJNATH ICE Session when processing credentials with excessively long usernames.
CVE-2026-26203: PJSIP is a free and open source multimedia communication library. Versions prior to 2.17 have a critical heap buffer underflow vulnerability in PJSIP's H.264 packetizer. The bug occurs when processing malformed H.264 bitstreams without NAL unit start codes, where the packetizer performs unchecked pointer arithmetic that can read from memory located before the allocated buffer. Version 2.17 contains a patch for the issue.
CVE-2026-26967: PJSIP is a free and open source multimedia communication library written in C. In versions 2.16 and below, there is a critical Heap-based Buffer Overflow vulnerability in PJSIP's H.264 unpacketizer. The bug occurs when processing malformed SRTP packets, where the unpacketizer reads a 2-byte NAL unit size field without validating that both bytes are within the payload buffer bounds. The vulnerability affects applications that receive video using H.264. A patch is available at https://github.com/pjsip/pjproject/commit/f821c214e52b11bae11e4cd3c7f0864538fb5491.
CVE-2026-28799: PJSIP is a free and open source multimedia communication library written in C. Prior to version 2.17, a heap use-after-free vulnerability exists in PJSIP's event subscription framework (evsub.c) that is triggered during presence unsubscription (SUBSCRIBE with Expires=0). This issue has been patched in version 2.17.
CVE-2026-29068: PJSIP is a free and open source multimedia communication library written in C. Prior to version 2.17, there is a stack buffer overflow vulnerability when pjmedia-codec parses an RTP payload contain more frames than the caller-provided frames can hold. This issue has been patched in version 2.17.
CVE-2026-32942: PJSIP is a free and open source multimedia communication library written in C. Versions 2.16 and below contain a heap use-after-free vulnerability in the ICE session that occurs when there are race conditions between session destruction and the callbacks. This issue has been fixed in version 2.17.
CVE-2026-32945: PJSIP is a free and open source multimedia communication library written in C. Versions 2.16 and below have a Heap-based Buffer Overflowvulnerability in the DNS parser's name length handler. Thisimpacts applications using PJSIP's built-in DNS resolver, such as those configured with pjsua_config.nameserver or UaConfig.nameserver in PJSUA/PJSUA2. It does not affect users who rely on the OS resolver (e.g., getaddrinfo()) by not configuring a nameserver, or those using an external resolver via pjsip_resolver_set_ext_resolver(). This issue is fixed in version 2.17. For users unable to upgrade, a workaround is to disable DNS resolution in the PJSIP config (by setting nameserver_count to zero) or to use an external resolver implementation instead.
CVE-2026-33069: PJSIP is a free and open source multimedia communication library written in C. Versions 2.16 and below have a cascading out-of-bounds heap read in pjsip_multipart_parse(). After boundary string matching, curptr is advanced past the delimiter without verifying it has not reached the buffer end. This allows 1-2 bytes of adjacent heap memory to be read. All applications that process incoming SIP messages with multipart bodies or SDP content are potentially affected. This issue is resolved in version 2.17.
CVE-2026-34235: PJSIP is a free and open source multimedia communication library written in C. Prior to version 2.17, a heap out-of-bounds read vulnerability exists in PJSIP's VP9 RTP unpacketizer that occurs when parsing crafted VP9 Scalability Structure (SS) data. Insufficient bounds checking on the payload descriptor length may cause reads beyond the allocated RTP payload buffer. This issue has been patched in version 2.17. A workaround for this issue involves disabling VP9 codec if not needed.
CVE-2026-40614: PJSIP is a free and open source multimedia communication library written in C. In 2.16 and earlier, there is a buffer overflow when decoding Opus audio frames due to insufficient buffer size validation in the Opus codec decode path. The FEC decode buffers (dec_frame[].buf) were allocated based on a PCM-derived formula: (sample_rate/1000) * 60 * channel_cnt * 2. At 8 kHz mono this yields only 960 bytes, but codec_parse() can output encoded frames up to MAX_ENCODED_PACKET_SIZE (1280) bytes via opus_repacketizer_out_range(). The three pj_memcpy() calls in codec_decode() copied input->size bytes without bounds checking, causing a heap buffer overflow.
CVE-2026-40892: PJSIP is a free and open source multimedia communication library written in C. In 2.16 and earlier, a stack buffer overflow exists in pjsip_auth_create_digest2() in PJSIP when using pre-computed digest credentials (PJSIP_CRED_DATA_DIGEST). The function copies credential data using cred_info->data.slen as the length without an upper-bound check, which can overflow the fixed-size ha1 stack buffer (128 bytes) if data.slen exceeds the expected digest string length.
CVE-2026-41415: PJSIP is a free and open source multimedia communication library written in C. In 2.16 and earlier, there is an out-of-bounds read when parsing a malformed Content-ID URI in SIP multipart message body. Insufficient length validation can cause reads beyond the intended buffer bounds. This vulnerability is fixed in 2.17.
CVE-2026-41416: PJSIP is a free and open source multimedia communication library written in C. In 2.16 and earlier, there is an integer overflow in media stream buffer size calculation when processing SDP with asymmetric ptime configuration. The overflow may result in an undersized buffer allocation, which can lead to unexpected application termination or memory corruption This vulnerability is fixed in 2.17.

Created: 2026-04-22 Last update: 2026-04-28 19:02

lintian reports 1 error and 20 warnings high

Lintian reports 1 error and 20 warnings about this package. You should make the package lintian clean getting rid of them.

Created: 2025-12-03 Last update: 2026-02-16 10:49

1 security issue in trixie high

There is 1 open security issue in trixie.

1 important issue:

CVE-2023-38703: PJSIP is a free and open source multimedia communication library written in C with high level API in C, C++, Java, C#, and Python languages. SRTP is a higher level media transport which is stacked upon a lower level media transport such as UDP and ICE. Currently a higher level transport is not synchronized with its lower level transport that may introduce use-after-free issue. This vulnerability affects applications that have SRTP capability (`PJMEDIA_HAS_SRTP` is set) and use underlying media transport other than UDP. This vulnerability’s impact may range from unexpected application termination to control flow hijack/memory corruption. The patch is available as a commit in the master branch.

Created: 2023-10-22 Last update: 2023-10-22 12:54

3 security issues in bookworm high

There are 3 open security issues in bookworm.

3 important issues:

CVE-2022-23537: PJSIP is a free and open source multimedia communication library written in C language implementing standard based protocols such as SIP, SDP, RTP, STUN, TURN, and ICE. Buffer overread is possible when parsing a specially crafted STUN message with unknown attribute. The vulnerability affects applications that uses STUN including PJNATH and PJSUA-LIB. The patch is available as a commit in the master branch (2.13.1).
CVE-2022-23547: PJSIP is a free and open source multimedia communication library written in C language implementing standard based protocols such as SIP, SDP, RTP, STUN, TURN, and ICE. This issue is similar to GHSA-9pfh-r8x4-w26w. Possible buffer overread when parsing a certain STUN message. The vulnerability affects applications that uses STUN including PJNATH and PJSUA-LIB. The patch is available as commit in the master branch.
CVE-2022-39269: PJSIP is a free and open source multimedia communication library written in C. When processing certain packets, PJSIP may incorrectly switch from using SRTP media transport to using basic RTP upon SRTP restart, causing the media to be sent insecurely. The vulnerability impacts all PJSIP users that use SRTP. The patch is available as commit d2acb9a in the master branch of the project and will be included in version 2.13. Users are advised to manually patch or to upgrade. There are no known workarounds for this vulnerability.

Created: 2022-08-11 Last update: 2023-03-27 11:06

1 bug tagged patch in the BTS normal

The BTS contains patches fixing 1 bug, consider including or untagging them.

Created: 2026-04-06 Last update: 2026-04-30 18:30

Depends on packages which need a new maintainer normal

The packages that asterisk depends on which need a new maintainer are:

speexdsp (#1093634)
- Depends: libspeexdsp1
- Build-Depends: libspeexdsp-dev

Created: 2025-08-07 Last update: 2026-04-30 16:50

The package has not entered testing even though the delay is over normal

The package has not entered testing even though the 5-day delay is over. Check why.

Created: 2026-04-16 Last update: 2026-04-30 16:02

debian/patches: 4 patches to forward upstream low

Among the 15 debian patches available in version 1:22.9.0+dfsg+~cs6.16.60671434-1 of the package, we noticed the following issues:

4 patches where the metadata indicates that the patch has not yet been forwarded upstream. You should either forward the patch upstream or update the metadata to document its real status.

Created: 2023-02-26 Last update: 2026-04-11 21:01

Issues found with some translations low

Automatic checks made by the Debian l10n team found some issues with the translations contained in this package. You should check the l10n status report for more information.

Issues can be things such as missing translations, problematic translated strings, outdated PO files, unknown languages, etc.

Created: 2020-02-26 Last update: 2020-02-26 10:49

testing migrations

This package will soon be part of the auto-openssl transition. You might want to ensure that your package is ready for it. You can probably find supplementary information in the debian-release archives or in the corresponding release.debian.org bug.
excuses:
- Migrates after: dahdi-linux, dahdi-tools, openr2
- Migration status for asterisk (- to 1:22.9.0+dfsg+~cs6.16.60671434-1): BLOCKED: Rejected/violates migration policy/introduces a regression
- Issues preventing migration:
- ∙ ∙ Updating asterisk would introduce bugs in testing: #1031046, #1134884
- ∙ ∙ Build-Depends(-Arch): asterisk dahdi-linux (not considered)
- ∙ ∙ Build-Depends(-Arch): asterisk dahdi-tools
- ∙ ∙ Build-Depends(-Arch): asterisk openr2
- ∙ ∙ Depends: asterisk dahdi-tools
- ∙ ∙ Depends: asterisk openr2
- Additional info (not blocking):
- ∙ ∙ Piuparts tested OK - https://piuparts.debian.org/sid/source/a/asterisk.html
- ∙ ∙ Autopkgtest for asterisk/1:22.9.0+dfsg+~cs6.16.60671434-1: amd64: Pass, arm64: Pass, i386: Pass, ppc64el: Pass, riscv64: Pass, s390x: Test triggered (failure will be ignored)
- ∙ ∙ New but not reproduced on amd64: asterisk
- ∙ ∙ New but not reproduced on arm64: asterisk
- ∙ ∙ New but not reproduced on armhf: asterisk
- ∙ ∙ New but not reproduced on i386: asterisk
- ∙ ∙ New but not reproduced on ppc64el: asterisk
- ∙ ∙ 19 days old (needed 5 days)
- Not considered

news

[rss feed]

[2026-04-11] Accepted asterisk 1:22.9.0+dfsg+~cs6.16.60671434-1 (source) into unstable (Jonas Smedegaard)
[2026-03-30] Accepted asterisk 1:16.28.0~dfsg-0+deb11u9 (source) into oldoldstable-security (Lukas Märdian)
[2026-02-08] Accepted asterisk 1:22.8.2+dfsg+~cs6.15.60671435-1 (source) into unstable (Jonas Smedegaard)
[2026-02-01] Accepted asterisk 1:22.8.0+dfsg+~cs6.15.60671435-1 (source) into unstable (Jonas Smedegaard)
[2025-12-02] Accepted asterisk 1:22.7.0~dfsg+~cs6.15.60671435-1 (source) into unstable (Jonas Smedegaard)
[2025-10-28] Accepted asterisk 1:22.6.0~dfsg+~cs6.15.60671435-1 (source) into unstable (Jonas Smedegaard)
[2025-10-10] Accepted asterisk 1:16.28.0~dfsg-0+deb11u8 (source) into oldoldstable-security (Markus Koschany)
[2025-08-29] Accepted asterisk 1:22.5.2~dfsg+~cs6.15.60671435-1 (source) into unstable (Jonas Smedegaard)
[2025-08-03] Accepted asterisk 1:22.5.1~dfsg+~cs6.15.60671435-1 (source) into unstable (Jonas Smedegaard)
[2025-06-04] Accepted asterisk 1:22.4.1~dfsg+~cs6.15.60671435-2 (source) into unstable (Jonas Smedegaard)
[2025-06-02] Accepted asterisk 1:16.28.0~dfsg-0+deb11u7 (source) into oldstable-security (Markus Koschany)
[2025-05-27] Accepted asterisk 1:22.4.1~dfsg+~cs6.15.60671435-1 (source) into unstable (Jonas Smedegaard)
[2025-03-28] Accepted asterisk 1:22.3.0~dfsg+~cs6.15.60671435-1 (source) into unstable (Jonas Smedegaard)
[2025-03-26] Accepted asterisk 1:22.3.0~~rc1~dfsg+~cs6.15.60671435-1 (source) into unstable (Jonas Smedegaard)
[2025-02-22] Accepted asterisk 1:22.2.0~dfsg+~cs6.15.60671435-2 (source) into unstable (Jonas Smedegaard)
[2025-02-11] Accepted asterisk 1:22.2.0~dfsg+~cs6.15.60671435-1 (source) into unstable (Jonas Smedegaard)
[2025-02-05] Accepted asterisk 1:16.28.0~dfsg-0+deb11u6 (source) into oldstable-security (Daniel Leidert)
[2025-01-12] Accepted asterisk 1:22.1.1~dfsg+~cs6.14.60671435-1 (source) into unstable (Jonas Smedegaard)
[2024-11-27] Accepted asterisk 1:22.1.0~dfsg+~cs6.14.60671435-1 (source) into unstable (Jonas Smedegaard)
[2024-10-23] Accepted asterisk 1:22.0.0~dfsg+~cs6.14.60671435-1 (source) into unstable (Jonas Smedegaard)
[2024-10-20] Accepted asterisk 1:16.28.0~dfsg-0+deb11u5 (source) into oldstable-security (Thorsten Alteholz)
[2024-10-05] Accepted asterisk 1:22.0.0~~rc2~dfsg+~cs6.14.60671435-1 (source) into experimental (Jonas Smedegaard)
[2024-09-07] Accepted asterisk 1:20.9.3~dfsg+~cs6.14.60671435-1 (source) into unstable (Jonas Smedegaard)
[2024-06-07] Accepted asterisk 1:20.8.1~dfsg+~cs6.14.40431414-1 (source) into unstable (Jonas Smedegaard)
[2024-02-11] Accepted asterisk 1:16.28.0~dfsg-0+deb11u4 (source) into oldstable-proposed-updates (Debian FTP Masters) (signed by: Markus Koschany)
[2024-01-30] Accepted asterisk 1:20.6.0~dfsg+~cs6.13.40431414-2 (source) into unstable (Jonas Smedegaard)
[2024-01-26] Accepted asterisk 1:20.6.0~dfsg+~cs6.13.40431414-1 (source) into unstable (Jonas Smedegaard)
[2024-01-04] Accepted asterisk 1:16.28.0~dfsg-0+deb11u4 (source) into oldstable-security (Debian FTP Masters) (signed by: Markus Koschany)
[2023-12-28] Accepted asterisk 1:16.28.0~dfsg-0+deb10u4 (source) into oldoldstable (Markus Koschany)
[2023-12-22] Accepted asterisk 1:20.5.2~dfsg+~cs6.13.40431414-1 (source) into unstable (Jonas Smedegaard)

bugs [bug history graph]

all: 31
RC: 2
I&N: 19
M&W: 10
F&P: 0
patch: 1

links

homepage
lintian (1, 20)
buildd: logs, cross
popcon
browse source code
other distros
security tracker
screenshots
l10n (-, 98)
debian patches
debci

ubuntu

[Information about Ubuntu for Debian Developers]

version: 1:22.5.2~dfsg+~cs6.15.60671435-1
17 bugs