-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 29 Mar 2026 15:00:53 +0200
Source: asterisk
Built-For-Profiles: noudeb
Architecture: source
Version: 1:16.28.0~dfsg-0+deb11u9
Distribution: bullseye-security
Urgency: high
Maintainer: Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>
Changed-By: Lukas Märdian <slyon@debian.org>
Changes:
 asterisk (1:16.28.0~dfsg-0+deb11u9) bullseye-security; urgency=high
 .
   * Non-maintainer upload by the LTS team.
   * Fix CVE-2026-23738: XSS vulnerability in the /httpstatus page.
     Cookie names/values and GET parameter names/values are rendered
     without HTML-escaping, allowing reflected cross-site scripting
     attacks. The status page is now also disabled by default.
   * Fix CVE-2026-23739: XXE injection vulnerability in xml.c.
     The XML parsing functions allow external entity processing which
     can be exploited for XML External Entity injection attacks via
     network-based entity resolution.
   * Fix CVE-2026-23740: Privilege escalation via ast_coredumper gdbinit
     file permissions. The script creates temporary files with default
     umask permissions, potentially allowing local users to read or
     tamper with sensitive debugging data.
   * Fix CVE-2026-23741: Privilege escalation via ast_coredumper sourcing
     configuration files without ownership or permission checks. When
     running as root, a non-root user could place a malicious config
     file that gets sourced with root privileges.
Checksums-Sha1:
 7decfae9201ebc1796ccb48cb4fb789bec430941 4208 asterisk_16.28.0~dfsg-0+deb11u9.dsc
 dac917eb5c7a9793498542683e479610d5c46b10 7253400 asterisk_16.28.0~dfsg.orig.tar.xz
 45e54adfabd88415161915f3f69db9c91d7905dd 6883312 asterisk_16.28.0~dfsg-0+deb11u9.debian.tar.xz
 c9b8e20eb0483a0ea227159ccbe4483ee202cd14 9916 asterisk_16.28.0~dfsg-0+deb11u9_source.buildinfo
Checksums-Sha256:
 37e121050fe6bc3f67a77391583092bee0b150f72a32e5aa0ccb8cbdfe576ce7 4208 asterisk_16.28.0~dfsg-0+deb11u9.dsc
 eacda3502664072c4e44283f090326c23e9e8298ec7eac91e22b7ab2968fa782 7253400 asterisk_16.28.0~dfsg.orig.tar.xz
 4cf18c36ec4731484821f571bbce53a6d881c40020a3d790ee7d18db4b894bf5 6883312 asterisk_16.28.0~dfsg-0+deb11u9.debian.tar.xz
 a9c23fdbd532c594e8865f36fab138176e67e398f52b53acab97e88e83e959a3 9916 asterisk_16.28.0~dfsg-0+deb11u9_source.buildinfo
Files:
 c61e3f5e9b76acbba6564dbcfbc83119 4208 comm optional asterisk_16.28.0~dfsg-0+deb11u9.dsc
 9815629148c12dcf764853a15c507525 7253400 comm optional asterisk_16.28.0~dfsg.orig.tar.xz
 6937be0f8fdc5173b11703eda358ad3a 6883312 comm optional asterisk_16.28.0~dfsg-0+deb11u9.debian.tar.xz
 2cc80d1fa41db1b969c218f433d72444 9916 comm optional asterisk_16.28.0~dfsg-0+deb11u9_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEco7DU8UfXhRO0oCBM4dveyhIiTsFAmnKS/oACgkQM4dveyhI
iTsMpw/9EfpQH12F6CqvuTELc4dJrgGZcrDTEfJAgmVkJpjzVGuOdtrupR/BF/OM
6cBKYYGtV6biCkU0bsSY7pZLcmSGV7jPiRXrw6tMOG8xkSbevD6VzlJ2UvnzBIRB
sDtz+m99N/jkblXUU9kWZMhq8uALxIx8S/qoTMOJHSO1VTFkkwjYmzu6opHy44fA
zcZsQLS3iNtqSRWzrUrF+X/B76kh+CxWlqv0wa1TjcDIrxfWPpk7DeS8/31lV1MI
LAoRrZSHRZRZ5fpAa5/2u4JnXqD4MlcUw4VUpvxvrNpU10CUBxK4gw3nx2l/qumo
P/EHMv2ewGzGmMWbTV0CPL74+U7+8/ncS3VJEp5AOWlb6I7V9oec2/ST/S5QY+yp
6hcM95fyvAHXQ7S569zfJeaJ0bu+TTNKvsuEmcpfYcbyx1SAp5io4cI7pDUSz7iU
4qBUJd5GvjqQYCqdGNjIEi4Fj4iN96B5gYDX+M5vHJBn7uScD0+QsnnFUnXrpFtt
Ce/ZXLfdB2Orx6g+35wkP9VT+DQkQxBkvCp1kzWBaUbfOfTDm/fy+O4SYnKfd31E
7krR6dr5zejh7ShkYcvJ6sKFKki7N5oJT927rSLAhsPK6BPWMQtoVI0OrCz/qvwh
M+JfPC5nDLEUyMwlifPYuxmlDeh8FJLrJq/I9LMU/m0bfavPETM=
=KM+L
-----END PGP SIGNATURE-----
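The two ast_coredumper entries in the changelog above (CVE-2026-23740 and CVE-2026-23741) describe the same class of mistake from two sides: a script that may run as root wrote scratch files under whatever umask it inherited, and sourced a configuration file without first checking who owns it and who can write it. The shell functions below are an added illustration for this page, not code from Asterisk's ast_coredumper or from the Debian patch; the function names, the use of GNU `stat -c`, the temp-directory naming and the placeholder gdbinit contents are all assumptions.

```shell
#!/bin/sh
# Added example, not Asterisk code. Demonstrates the two defensive habits the
# ast_coredumper fixes amount to: private scratch files, and an owner/mode
# check before sourcing a config file. Assumes GNU coreutils stat (Linux).

# config_is_trusted FILE
# Returns 0 only if FILE is a regular file (not a symlink), is owned by root
# or by the invoking user, and is not writable by group or others.
config_is_trusted() {
    f="$1"
    if [ -L "$f" ] || [ ! -f "$f" ]; then
        return 1                       # refuse symlinks and non-regular files
    fi
    owner=$(stat -c '%u' "$f") || return 1   # numeric uid of the owner
    mode=$(stat -c '%a' "$f") || return 1    # octal mode, e.g. 644 or 4755
    me=$(id -u)
    if [ "$owner" -ne 0 ] && [ "$owner" -ne "$me" ]; then
        return 1                       # owned by some other user
    fi
    # Octal digits 2, 3, 6 and 7 carry the write bit. The last digit is the
    # "other" class, the one before it is the "group" class.
    case "$mode" in
        *[2367][0-7]) return 1 ;;      # group-writable
        *[2367])      return 1 ;;      # world-writable
    esac
    return 0
}

# safe_source FILE
# Sources FILE only after config_is_trusted accepts it; otherwise fails
# without executing anything from it.
safe_source() {
    if ! config_is_trusted "$1"; then
        echo "refusing to source untrusted config: $1" >&2
        return 1
    fi
    . "$1"
}

# make_private_workdir
# Creates a 0700 scratch directory and writes a gdb init file (placeholder
# content) inside it. umask 077 guarantees 0600 for every file written there
# regardless of the caller's umask; the caller's umask is restored afterwards.
make_private_workdir() {
    old_umask=$(umask)
    umask 077
    dir=$(mktemp -d "${TMPDIR:-/tmp}/coredumper.XXXXXX") || { umask "$old_umask"; return 1; }
    printf '# placeholder gdb commands\n' > "$dir/gdbinit"
    umask "$old_umask"
    printf '%s\n' "$dir"
}
```

The owner and mode checks are what stop a local user from planting a file that a root-run script will execute; the symlink refusal closes the obvious way around them. What this does not cover is the containing directory: a trusted-looking file in a directory writable by others can still be swapped out, so a fuller check would apply the same owner/mode test to the parent directory.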