Howdy, hope you are doing well, Jonas and VoIP team!

ASTERISK included patches upstream for PJSIP 2.16 issues — as Rob mentioned — and it does not use the affected parts of PJSIP 2.17 as referenced by Moritz.

Kind regards,
Chris Maj

________________________________
From: Pkg-voip-maintainers on behalf of Jonas Smedegaard
Sent: Monday, April 27, 2026 12:25 AM
To: [email protected]
Subject: Re: Bug#1134884: asterisk: CVE-2025-65102 CVE-2026-25994 CVE-2026-41415 CVE-2026-40614 CVE-2026-40892 CVE-2026-41416 CVE-2026-26203 CVE-2026-26967 CVE-2026-32942 CVE-2026-28799 CVE-2026-29068 CVE-2026-32945 CVE-2026-33069 CVE-2026-34235

Quoting Rob van der Putten via Pkg-voip-maintainers (2026-04-27 07:55:33)
> On 26/04/2026 21:39, Jonas Smedegaard wrote:
>
> > Quoting Rob van der Putten via Pkg-voip-maintainers (2026-04-26 20:19:25)
> >> On 25/04/2026 13:04, Moritz Mühlenhoff wrote:
> >>> Multiple security issues were reported against pjsip and fixed
> >>> in 2.17. Asterisk bundles 2.16 in unstable:
> >>
> >> Is it possible that these bugs don't affect Asterisk 22.9.0?
> >> There are a bunch of patches in the Asterisk source pjproject
> >> directory
> >
> > Someone needs to ensure that those patches get applied.
> >
> > Anyone volunteering for that task?
>
> I know very little about the Debian package build process, but I would
> expect the patches to be applied during the build of 22.9.0.
>
> This of course, does not apply to Asterisk 16.28.0 in Debian 11 / Bullseye.

Thanks for clarifying, Rob, and for your reflections.

Anyone else?

 - Jonas

--
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136 Website: http://dr.jones.dk/
 * Sponsorship: https://ko-fi.com/drjones

 [x] quote me freely [ ] ask before reusing [ ] keep private
