Your message dated Sun, 08 Feb 2026 20:41:57 +0000
with message-id <[email protected]>
and subject line Bug#1127438: fixed in asterisk 1:22.8.2+dfsg+~cs6.15.60671435-1
has caused the Debian Bug report #1127438,
regarding asterisk: CVE-2026-23738 CVE-2026-23739 CVE-2026-23740 CVE-2026-23741
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1127438: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1127438
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: asterisk
Version: 1:22.8.0+dfsg+~cs6.15.60671435-1
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerabilities were published for asterisk.

CVE-2026-23738[0]:
| Asterisk is an open source private branch exchange and telephony
| toolkit. Prior to versions 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, and
| 23.2.2, user supplied/control values for Cookies and any GET
| variable query Parameter are directly interpolated into the HTML of
| the page using ast_str_append. The endpoint at GET /httpstatus is
| the potentially vulnerable endpoint relating to asterisk/main/http.c.
| This issue has been patched in versions 20.7-cert9, 20.18.2,
| 21.12.1, 22.8.2, and 23.2.2.


CVE-2026-23739[1]:
| Asterisk is an open source private branch exchange and telephony
| toolkit. Prior to versions 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, and
| 23.2.2, the ast_xml_open() function in xml.c parses XML documents
| using libxml with unsafe parsing options that enable entity
| expansion and XInclude processing. Specifically, it invokes
| xmlReadFile() with the XML_PARSE_NOENT flag and later processes
| XIncludes via xmlXIncludeProcess(). If any untrusted or user-supplied
| XML file is passed to this function, it can allow an attacker to
| trigger XML External Entity (XXE) or XInclude-based local file
| disclosure, potentially exposing sensitive files from the host
| system. This can also be triggered in other cases in which the user
| is able to supply input in xml format that triggers the asterisk
| process to parse it. This issue has been patched in versions
| 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, and 23.2.2.


CVE-2026-23740[2]:
| Asterisk is an open source private branch exchange and telephony
| toolkit. Prior to versions 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, and
| 23.2.2, when ast_coredumper writes its gdb init and output files to
| a directory that is world-writable (for example /tmp), an attacker
| with write permission (which is all users on a Linux system) to that
| directory can cause root to execute arbitrary commands or overwrite
| arbitrary files by controlling the gdb init file and output paths.
| This issue has been patched in versions 20.7-cert9, 20.18.2,
| 21.12.1, 22.8.2, and 23.2.2.


CVE-2026-23741[3]:
| Asterisk is an open source private branch exchange and telephony
| toolkit. Prior to versions 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, and
| 23.2.2, the asterisk/contrib/scripts/ast_coredumper runs as root, as
| noted by the NOTES tag on line 689 of the ast_coredumper file. The
| script will source the contents of
| /etc/asterisk/ast_debug_tools.conf, which resides in a folder that
| is writeable by the asterisk user:group. Due to the
| /etc/asterisk/ast_debug_tools.conf file following bash semantics and
| it being loaded, an attacker with write permissions may add or
| modify the file such that when the root ast_coredumper is run, it
| would source and thereby execute arbitrary bash code found in the
| /etc/asterisk/ast_debug_tools.conf. This issue has been patched in
| versions 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, and 23.2.2.


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-23738
    https://www.cve.org/CVERecord?id=CVE-2026-23738
[1] https://security-tracker.debian.org/tracker/CVE-2026-23739
    https://www.cve.org/CVERecord?id=CVE-2026-23739
[2] https://security-tracker.debian.org/tracker/CVE-2026-23740
    https://www.cve.org/CVERecord?id=CVE-2026-23740
[3] https://security-tracker.debian.org/tracker/CVE-2026-23741
    https://www.cve.org/CVERecord?id=CVE-2026-23741

FWIW, yes CVE-2026-23739 would not warrant even an important severity
bug, as asterisk does not allow untrusted or user-supplied XML to be
used, but I'm just filing one bug here for all four new CVEs.

Regards,
Salvatore

--- End Message ---
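
As an added illustration of the two ast_coredumper issues described above (CVE-2026-23740 and CVE-2026-23741), and not code from Asterisk or from this report: a POSIX shell sketch of the checks a root-run helper script can make before sourcing a configuration file that a less privileged account can write, and before creating scratch files in a shared directory. Function names are hypothetical, and GNU coreutils `stat -c` on Linux is assumed.

```shell
#!/bin/sh
# Added example, not code from Asterisk or from the bug report: guards that a
# root-run helper script can apply before trusting files it did not create.
# Assumes GNU coreutils (stat -c) on Linux; function names are hypothetical.

# Refuse to source a config file unless it is a regular file (not a symlink),
# owned by root or by the invoking user, and not writable by group or others.
# A file such as /etc/asterisk/ast_debug_tools.conf that a less privileged
# account can edit would otherwise be executed as root when sourced.
safe_source() {
    f=$1
    if [ -L "$f" ] || [ ! -f "$f" ]; then
        echo "refusing $f: not a regular file" >&2
        return 1
    fi
    info=$(stat -c '%u %A' "$f") || return 1
    owner=${info%% *}
    perms=${info#* }
    if [ "$owner" != 0 ] && [ "$owner" != "$(id -u)" ]; then
        echo "refusing $f: owned by uid $owner" >&2
        return 1
    fi
    # In the symbolic mode string (e.g. -rw-rw-r--) the group write bit is
    # character 6 and the other write bit is character 9.
    case $perms in
        ?????w*|????????w*)
            echo "refusing $f: group or world writable ($perms)" >&2
            return 1 ;;
    esac
    . "$f"
}

# Create scratch files (gdb init file, output) in a fresh private directory
# rather than a shared world-writable one such as /tmp, so another user
# cannot pre-create or symlink the paths the root process will write to.
private_workdir() {
    d=$(mktemp -d) || return 1
    chmod 700 "$d" || return 1
    printf '%s\n' "$d"
}
```

The same ownership and mode check applies equally to the directory that holds the config file, since a writable parent lets the file be replaced wholesale.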
--- Begin Message ---
Source: asterisk
Source-Version: 1:22.8.2+dfsg+~cs6.15.60671435-1
Done: Jonas Smedegaard <[email protected]>

We believe that the bug you reported is fixed in the latest version of
asterisk, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jonas Smedegaard <[email protected]> (supplier of updated asterisk package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


Format: 1.8
Date: Sun, 08 Feb 2026 21:02:53 +0100
Source: asterisk
Architecture: source
Version: 1:22.8.2+dfsg+~cs6.15.60671435-1
Distribution: unstable
Urgency: high
Maintainer: Debian VoIP Team <[email protected]>
Changed-By: Jonas Smedegaard <[email protected]>
Closes: 1127438
Changes:
 asterisk (1:22.8.2+dfsg+~cs6.15.60671435-1) unstable; urgency=high
 .
   [ upstream ]
   * new release;
     CVE-2026-23738 CVE-2026-23739 CVE-2026-23740 CVE-2026-23741;
     closes: bug#1127438, thanks to Salvatore Bonaccorso
 .
   [ Jonas Smedegaard ]
   * update copyright info:
     + license patches same as main upstream license
   * set urgency=high due to security-related bugfixes
--- End Message ---