-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Mon, 15 Jun 2026 10:03:02 +0200
Source: asterisk
Architecture: source
Version: 1:16.28.0~dfsg-0+deb11u10
Distribution: bullseye-security
Urgency: high
Maintainer: Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>
Changed-By: Thorsten Alteholz <debian@alteholz.de>
Changes:
 asterisk (1:16.28.0~dfsg-0+deb11u10) bullseye-security; urgency=high
 .
   * Non-maintainer upload by the LTS team.
   * all CVEs are related to the embedded pjproject.
     Thus a patch (CVE-batch-1.patch) is created, that adds more
     patches into third-party/pjproject/patches/.
     During build those patches are applied to the embedded pjproject.
   * CVE-2025-65102
     fix unexpected application termination due to memory overwrite
   * CVE-2026-25994
     fix buffer overflow when processing credentials with long usernames
   * CVE-2026-26203
     fix heap buffer underflow in H.264 packetizer
   * CVE-2026-26967
     fix heap-based buffer overflow in H.264 unpacketizer
   * CVE-2026-28799
     fix heap use-after-free in the event subscription framework
   * CVE-2026-29068
     fix stack buffer overflow when parsing crafted RTP payload
   * CVE-2026-32942
     fix heap use-after-free vulnerability in the ICE session
   * CVE-2026-32945
     fix heap-based buffer overflow in the DNS parser's name length handler
   * CVE-2026-33069
     fix out-of-bounds heap read
   * CVE-2026-34235
     fix heap out-of-bounds read when parsing crafted VP9 SS data
   * CVE-2026-40614
     fix buffer overflow when decoding crafted Opus audio frames
   * CVE-2026-41415
     fix out-of-bounds read when parsing a crafted Content-ID URI
   * CVE-2026-42225
     no longer accept invalid or untrusted certificates
Checksums-Sha1:
 d19b42348a7eaf2019d10310976bc78c53bc409b 4371 asterisk_16.28.0~dfsg-0+deb11u10.dsc
 ca8b76896db066bd8f1d5c67600de7e768f85367 6892664 asterisk_16.28.0~dfsg-0+deb11u10.debian.tar.xz
 e4093d1940c911361687ab41ccca4c5f1fbcd407 7420 asterisk_16.28.0~dfsg-0+deb11u10_source.buildinfo
Checksums-Sha256:
 d67161cfcc660393f7014d8b0dd55e3224893a2c2c039a71324efbd1cc8579f2 4371 asterisk_16.28.0~dfsg-0+deb11u10.dsc
 3beb1833b354a2ef816a4e58a364ab1620c42e766c8220cc653ed08e9b28ea8e 6892664 asterisk_16.28.0~dfsg-0+deb11u10.debian.tar.xz
 802f4d79824391f718eb6d0eeb159e2fb0a476e979d97613829b839e53d2b51d 7420 asterisk_16.28.0~dfsg-0+deb11u10_source.buildinfo
Files:
 778859c6f0c654a623a596d37d0d4c4d 4371 comm optional asterisk_16.28.0~dfsg-0+deb11u10.dsc
 aef714b7ed04d8896b4ea1f7407078f1 6892664 comm optional asterisk_16.28.0~dfsg-0+deb11u10.debian.tar.xz
 09d66f16473b26f8d01c8da54374d8db 7420 comm optional asterisk_16.28.0~dfsg-0+deb11u10_source.buildinfo
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----