-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 2 Jun 2025 15:22:25 CEST
Source: asterisk
Architecture: source
Version: 1:16.28.0~dfsg-0+deb11u7
Distribution: bullseye-security
Urgency: high
Maintainer: Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>
Changed-By: Markus Koschany <apo@debian.org>
Checksums-Sha1:
 2e12f436c9caf511ea863872d865cdb55b8ca51a 4359 asterisk_16.28.0~dfsg-0+deb11u7.dsc
 4de5ec1adb3e43c77bb048911b1476675367a43f 6875260 asterisk_16.28.0~dfsg-0+deb11u7.debian.tar.xz
 899ba2a751038459f1a04becb1376edaa316624f 29438 asterisk_16.28.0~dfsg-0+deb11u7_amd64.buildinfo
Checksums-Sha256:
 1c9cb334313b2806f108fcce8853f0ec165e95a5a2adff965c56d5bd76555892 4359 asterisk_16.28.0~dfsg-0+deb11u7.dsc
 0f036b7c931a12dc5dc01005af6f938f6eecc1099de3f407a9fbc6e167d05f00 6875260 asterisk_16.28.0~dfsg-0+deb11u7.debian.tar.xz
 fb897a4ebe95e14e767b17fe26df8455b200d500e763a5402d7c65c759917567 29438 asterisk_16.28.0~dfsg-0+deb11u7_amd64.buildinfo
Changes:
 asterisk (1:16.28.0~dfsg-0+deb11u7) bullseye-security; urgency=high
 .
   * Non-maintainer upload by the LTS team.
   * Fix CVE-2025-47779:
     SIP requests of the type MESSAGE (RFC 3428) authentication do not get
     proper alignment. An authenticated attacker can spoof any user identity
     to send spam messages to the user with their authorization token. Abuse
     of this security issue allows authenticated attackers to send fake chat
     messages that can be spoofed to appear to come from trusted entities.
   * Fix CVE-2025-47780:
     Trying to disallow shell commands to be run via the Asterisk CLI by
     configuring cli_permissions.conf (e.g. with the config line deny=!*)
     does not work, which could lead to a security risk. A new asterisk.conf
     option 'disable_remote_console_shell' has been added that, when set,
     will prevent remote consoles from executing shell commands using the '!'
     prefix.
Files:
 527028a8f05c0ef66075a9bb5547072b 4359 comm optional asterisk_16.28.0~dfsg-0+deb11u7.dsc
 75c8b6f9492a03ac09a18775add46a23 6875260 comm optional asterisk_16.28.0~dfsg-0+deb11u7.debian.tar.xz
 3396dc0b755853791363e01c84a26419 29438 comm optional asterisk_16.28.0~dfsg-0+deb11u7_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----