-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 10 Oct 2025 15:05:43 CEST
Source: asterisk
Architecture: source
Version: 1:16.28.0~dfsg-0+deb11u8
Distribution: bullseye-security
Urgency: high
Maintainer: Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>
Changed-By: Markus Koschany <apo@debian.org>
Checksums-Sha1:
 c105ce9a65e03f91c2ae2a2c30234dca14faaf50 4359 asterisk_16.28.0~dfsg-0+deb11u8.dsc
 dac917eb5c7a9793498542683e479610d5c46b10 7253400 asterisk_16.28.0~dfsg.orig.tar.xz
 0ef4d1483c8593b153588efde9246806c4d51445 6878424 asterisk_16.28.0~dfsg-0+deb11u8.debian.tar.xz
 1513ed28216f94cd743c00f87428bfe7954e49d1 29486 asterisk_16.28.0~dfsg-0+deb11u8_amd64.buildinfo
Checksums-Sha256:
 a8d5edf8a091f36f009c473b2e13d6daba8e4030581a43c6054f2e6194247b9d 4359 asterisk_16.28.0~dfsg-0+deb11u8.dsc
 eacda3502664072c4e44283f090326c23e9e8298ec7eac91e22b7ab2968fa782 7253400 asterisk_16.28.0~dfsg.orig.tar.xz
 14ad087ddf227b4f50042b1210272439d9568d5ce158c19022f3fc35ed960bb6 6878424 asterisk_16.28.0~dfsg-0+deb11u8.debian.tar.xz
 137aa92083b51bf9b3f96dd6ae86749e91efe960069a7093ea9030d0f45e0b91 29486 asterisk_16.28.0~dfsg-0+deb11u8_amd64.buildinfo
Changes:
 asterisk (1:16.28.0~dfsg-0+deb11u8) bullseye-security; urgency=high
 .
   * Non-maintainer upload by the LTS team.
   * Fix CVE-2025-1131: A local privilege escalation vulnerability exists in
     the safe_asterisk script included with the Asterisk toolkit package.
     When Asterisk is started via this script, it sources all .sh files
     located in /etc/asterisk/startup.d/ as root, without validating
     ownership or permissions. Non-root users with legitimate write access
     to /etc/asterisk can exploit this behaviour by placing malicious scripts
     in the startup.d directory, which will then execute with root privileges
     upon service restart.
   * Fix CVE-2025-54995: Asterisk is an open source private branch exchange
     and telephony toolkit. Prior to this version, RTP UDP ports and internal
     resources can leak due to a lack of session termination. This could
     result in leaks and resource exhaustion.
Files:
 979a8856e7f34e275892edfa39d60913 4359 comm optional asterisk_16.28.0~dfsg-0+deb11u8.dsc
 9815629148c12dcf764853a15c507525 7253400 comm optional asterisk_16.28.0~dfsg.orig.tar.xz
 e1ee91081d4657d4f985c3fae7a7a53e 6878424 comm optional asterisk_16.28.0~dfsg-0+deb11u8.debian.tar.xz
 f44db881aa7807c866ba9e778c220f20 29486 comm optional asterisk_16.28.0~dfsg-0+deb11u8_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQKjBAEBCgCNFiEErPPQiO8y7e9qGoNf2a0UuVE7UeQFAmjpBNBfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEFD
RjNEMDg4RUYzMkVERUY2QTFBODM1RkQ5QUQxNEI5NTEzQjUxRTQPHGFwb0BkZWJp
YW4ub3JnAAoJENmtFLlRO1Hk2O4P/3e3Q8eA7txknY1z3nn4d5DvQhbe3YOUDfwH
oa8ACUlBEaXT21M47vCALREC3Ck19JTIuLA42GI9chkCR6hqGopIVKDDw+WPst/6
V6v51Xqiwk6djYHymhKD3CmfGPZdSF1rEf+zM7pA6p5X+EiEmQcOah1lZC4u9dRD
A4Eq9z5SyZA9j9bf5pJNGSm8nnZ2anLG+w6QS+QD8+EKlYxkqfpkBx4XR/odKUNY
ZNBzKhysoE8rfrCmO0LpVQmk8E9mhTwA1OTCGVxSXgXvEZ/UsIyDYvLWCAg3Gl+e
00AACfA7UG1N/nlhQgdFBcCt8C9SdtN8OamG+OLaq+ojJz6Y6UqVhyBfbJRdTc96
QjP0VowfPStmMuZdHRqp2llChHhgSjHIWDNkWqHWVtccpFyxmhWaAaYCR/KJkfkN
SSRa7C+pmGtqqLZgx6T7dpvQEs6SvtVwqnsKHxxi1Csg6/1M9GIkHz3ExsLCAmC+
4KBCaAYCSME+Lg0zqnjOXuFNtcyhYZHwMd+uQy4Tc+b8YKgByV82rzKIUtafEUs7
1nlwe4re7SjLwEfzA3vmIJxHVS3ixvWYLXWbm6NOdDlOyYO7o+tlWV1g6UofB0iB
2Yjdw8Y828bsappQyR8HFL4jDLaO+sYRxua0npiFzRqEgEqYj76VGLSXwt5AR9Mq
Fiv1xL/K
=x/ZC
-----END PGP SIGNATURE-----
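The CVE-2025-1131 entry above describes the unsafe pattern (a root-run script sourcing every *.sh in a directory that less-privileged users can write to) but not the check that closes it. The following is an added, illustrative example of that check, written for this page; it is not the safe_asterisk script, not Debian's patch, and the function names (trusted_path, run_startup_scripts) and the STARTUP_RUN_COUNT variable are my own. It assumes GNU coreutils stat(1) for the -c format flag. The expected owner uid defaults to 0 (root), which is what a real startup.d check wants; it is a parameter only so the example can be exercised as an unprivileged user.

```shell
#!/bin/sh
# Added example, not code from the Asterisk project or from Debian's fix.
# Assumes GNU coreutils stat(1).

# trusted_path PATH [OWNER_UID] [dir]
# Return 0 if PATH is a regular file (or, with the third argument "dir",
# a directory), is not a symlink, is owned by OWNER_UID (default 0 = root)
# and is writable only by its owner. Anything else returns 1.
trusted_path() {
    p=$1
    want=${2:-0}
    # A symlink inside a writable directory lets an attacker point the
    # name at any file they like, so refuse symlinks before stat follows them.
    [ -L "$p" ] && return 1
    if [ "$3" = dir ]; then [ -d "$p" ] || return 1
    else [ -f "$p" ] || return 1
    fi
    owner=$(stat -c '%u' "$p") || return 1
    mode=$(stat -c '%a' "$p") || return 1
    [ "$owner" = "$want" ] || return 1
    # $mode is octal (e.g. 644 or 2755); prefix 0 so the arithmetic treats
    # it as octal and mask the group-write (020) and other-write (002) bits.
    [ $((0$mode & 022)) -eq 0 ] || return 1
    return 0
}

# Shape of the behaviour the advisory describes: every *.sh is sourced as
# root with no check on who could have written it (paraphrase, not a quote
# of safe_asterisk):
#     for s in /etc/asterisk/startup.d/*.sh; do . "$s"; done
#
# run_startup_scripts DIR [OWNER_UID]
# Hardened form: refuse the whole directory if it is not trustworthy, then
# source only the scripts that pass trusted_path. Skipped paths go to
# stderr; the number of scripts actually sourced is left in
# STARTUP_RUN_COUNT (a function cannot return it as an exit status).
run_startup_scripts() {
    dir=$1
    want=${2:-0}
    count=0
    trusted_path "$dir" "$want" dir || {
        echo "refusing untrusted startup dir $dir" >&2
        return 1
    }
    for s in "$dir"/*.sh; do
        [ -e "$s" ] || continue        # the glob matched nothing
        if trusted_path "$s" "$want"; then
            . "$s"
            count=$((count + 1))
        else
            echo "skipping untrusted $s" >&2
        fi
    done
    STARTUP_RUN_COUNT=$count
    return 0
}
```

In production the call is run_startup_scripts /etc/asterisk/startup.d with the default uid 0, so a file that a non-root user could have created or modified (wrong owner, group- or world-writable, or a symlink) is skipped instead of executed as root. The directory check matters as much as the per-file check: if the directory itself is group-writable, a user in that group can replace a root-owned script with a new file between the check and the source.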