Debian alert DLA-4515-1 (asterisk)
| From: | Lukas Märdian <slyon@debian.org> |
| To: | debian-lts-announce@lists.debian.org |
| Subject: | [SECURITY] [DLA 4515-1] asterisk security update |
| Date: | Mon, 30 Mar 2026 13:17:58 +0200 |
| Message-ID: | <rhzcbbxy26pcvctcyz3t3vbop6drs2aekymctx4ilj67x52uzf@if46nk5dxn7e> |
-------------------------------------------------------------------------
Debian LTS Advisory DLA-4515-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                      Lukas Märdian
March 29, 2026                                https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : asterisk
Version        : 1:16.28.0~dfsg-0+deb11u9
CVE ID         : CVE-2026-23738 CVE-2026-23739 CVE-2026-23740 CVE-2026-23741
Debian Bug     : 1127438

Multiple vulnerabilities were discovered in asterisk, an Open Source
Private Branch Exchange (PBX) and telephony toolkit.

CVE-2026-23738

    XSS vulnerability in the /httpstatus page. Cookie names/values and
    GET parameter names/values are rendered without HTML-escaping,
    allowing reflected cross-site scripting attacks. The status page is
    now also disabled by default.

CVE-2026-23739

    XXE injection vulnerability in xml.c. The XML parsing functions allow
    external entity processing which can be exploited for XML External
    Entity injection attacks via network-based entity resolution.

CVE-2026-23740

    Privilege escalation via ast_coredumper gdbinit file permissions. The
    script creates temporary files with default umask permissions,
    potentially allowing local users to read or tamper with sensitive
    debugging data.

CVE-2026-23741

    Privilege escalation via ast_coredumper sourcing configuration files
    without ownership or permission checks. When running as root, a
    non-root user could place a malicious config file that gets sourced
    with root privileges.

For Debian 11 bullseye, these problems have been fixed in version
1:16.28.0~dfsg-0+deb11u9.

We recommend that you upgrade your asterisk packages.

For the detailed security status of asterisk please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/asterisk

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
Attachment: signature.asc (type=application/pgp-signature)
