惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

WordPress大学
WordPress大学
O
OpenAI News
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
博客园 - 三生石上(FineUI控件)
Webroot Blog
Webroot Blog
GbyAI
GbyAI
S
SegmentFault 最新的问题
Cyberwarzone
Cyberwarzone
Exploit-DB.com RSS Feed
Exploit-DB.com RSS Feed
J
Java Code Geeks
Google DeepMind News
Google DeepMind News
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org
博客园 - 【当耐特】
S
Secure Thoughts
酷 壳 – CoolShell
酷 壳 – CoolShell
AWS News Blog
AWS News Blog
Engineering at Meta
Engineering at Meta
S
Security Affairs
H
Help Net Security
Microsoft Security Blog
Microsoft Security Blog
D
DataBreaches.Net
云风的 BLOG
云风的 BLOG
Hugging Face - Blog
Hugging Face - Blog
Google DeepMind News
Google DeepMind News
Spread Privacy
Spread Privacy
T
Threatpost
Forbes - Security
Forbes - Security
C
Cisco Blogs
Scott Helme
Scott Helme
Attack and Defense Labs
Attack and Defense Labs
Simon Willison's Weblog
Simon Willison's Weblog
腾讯CDC
The Last Watchdog
The Last Watchdog
Cloudbric
Cloudbric
Last Week in AI
Last Week in AI
Recorded Future
Recorded Future
小众软件
小众软件
V
Vulnerabilities – Threatpost
美团技术团队
人人都是产品经理
人人都是产品经理
有赞技术团队
有赞技术团队
Apple Machine Learning Research
Apple Machine Learning Research
Hacker News - Newest:
Hacker News - Newest: "LLM"
I
Intezer
月光博客
月光博客
C
Cyber Attacks, Cyber Crime and Cyber Security
博客园 - 司徒正美
C
Cybersecurity and Infrastructure Security Agency CISA
Martin Fowler
Martin Fowler
博客园 - 聂微东

Full Disclosure

[NotCVE-2026-0001] Cloudflare Universal SSL CAA augmentation weakens RFC 8657 account binding — CVE-2026-14440 assigned 163 days after public no-CVE disclosure Full Disclosure: Subject: Advisory Submission: EZ Game Booster Full Disclosure: CVE-2026-56877 - Skillable SCORM userId authorisation bypass Full Disclosure: [REVIVE-SA-2026-003] Revive Adserver Vulnerabilities Full Disclosure: OPNsense XPATH Injection (CVE-2026-53582) Authentication Bypass for SafeLine SL6 and SL6+ confidentiality and anonymity leakage to third parties Full Disclosure: OpenBlow Multiple Deanonymization Vulnerabilities Site-access password exposed in web server access logs via GET query string Full Disclosure: APPLE-SA-06-29-2026-3 Safari 26.5.2 Full Disclosure: APPLE-SA-06-29-2026-2 macOS Tahoe 26.5.2 APPLE-SA-06-29-2026-1 iOS 26.5.2 and iPadOS 26.5.2 symlink following and TOCTOU in privileged upload handler allow arbitrary file write as root [KIS-2026-12] Control Web Panel <= 0.9.8.1224 (userRes) SQL Injection Vulnerability Full Disclosure: [fulldis] CVE-2026-58451 - Horde Groupware IMP path traversal vuln Full Disclosure: Samsung Galaxy Buds – Zero-Click HFP/A2DP Takeover via L2CAP Session Preemption (Vendor Response: Working as Intended) Full Disclosure: Asterisk Security Release 23.4.1 Full Disclosure: Asterisk Security Release 22.10.1 Full Disclosure: Asterisk Security Release 21.12.3 Full Disclosure: Asterisk Security Release 20.20.1 Certified Asterisk Security Release certified-22.8-cert3 Zig std.http chunked reader integer overflow -> unauthenticated remote DoS Remote Kernel Stack Disclosure via MPLS Label Stack Over-read Full Disclosure: OpenBSD sppp_pap_input: PAP authentication bypass Full Disclosure: SEC Consult SA-20260618-0 :: Hardcoded Root Cloud Credentials in Application Binaries in Silver Leaf Technologies Full Disclosure: SEC Consult SA-20260617-1 :: Multiple Vulnerabilities in Quanos Content Solutions Multiple Critical Vulnerabilities in Sprecher Automation SPRECON-E-C/-E-P/-E-T3 Full Disclosure: SEC Consult SA-20260616-0 :: Broken Access Control in syracom AG Secure Login (2FA) for Atlassian Jira / Confluence APPLE-SA-06-16-2026-1 Beats Firmware Update 1B211 PHP 8.5.7 `levenshtein()` signed-integer overflow Full Disclosure: PHP 8.5.7 `dom_xml_serialization_algorithm()` stack-overflow PHP 8.5.7 `mb_substr()` 'SJIS-mac' size_t underflow PHP 8.5.7 `FILTER_SANITIZE_ENCODED` uninitialized read Cross-Tenant Authentication Bypass by Spoofing in N-able Mail Assure Multiple Vulnerabilities in Wertheim SafeController Hardware for VAULT ROOMS (Safe Deposit Locker System – Microcontroller) Multiple Critical Vulnerabilities in Wertheim SafeController Software for VAULT ROOMS (Safe Deposit Locker System) Local Privilege Escalation in Slate Digital Connect (macOS) Full Disclosure: SEC Consult SA-20260609-0 :: Multiple Local Privilege Escalation Vulnerabilities in Waves Audio [KIS-2026-11] Discuz! <= X5.0 (enable_disable.php) Local File Inclusion Vulnerability [KIS-2026-10] Discuz! <= X5.0 OCR-based CAPTCHA Bypass Vulnerability [KIS-2026-09] Discuz! X5.0 (UC_KEY) Cross-Context Token Reuse Vulnerability Privilege Escalation via Binary Planting in Genetec-provided RabbitMQ in multiple Genetec products [SYSS-2026-004] SAP NetWeaver SAML XML Signature Wrapping Full Disclosure: [REVIVE-SA-2026-002] Revive Adserver Vulnerabilities Full Disclosure: CyberDanube Security Research 20260528-0 four vulnerabilities — two unfixed, GHSA without a CVE Full Disclosure: Re: Dovecot Security Advisory OXDC-2026-0002 SSRF in Anthropic mcp-server-fetch and Microsoft playwright-mcp — publicly disclosed via GitHub issues Full Disclosure: [SECURITY ADVISORY] CVE-2021-21735 Full Disclosure: [SECURITY ADVISORY] CVE-2026-34474 Full Disclosure: [SECURITY ADVISORY] CVE-2026-34472 Full Disclosure: [SECURITY ADVISORY] CVE-2026-34473 Multiple vulnerabilities in Sparx Pro Cloud Server and Enterprise Architect Full Disclosure: APPLE-SA-05-13-2026-1 Safari 26.5 Full Disclosure: APPLE-SA-05-11-2026-11 visionOS 26.5 Full Disclosure: APPLE-SA-05-11-2026-10 watchOS 26.5 Full Disclosure: APPLE-SA-05-11-2026-9 tvOS 26.5 Full Disclosure: APPLE-SA-05-11-2026-8 macOS Sonoma 14.8.7 Full Disclosure: APPLE-SA-05-11-2026-7 macOS Sequoia 15.7.7 APPLE-SA-05-11-2026-5 iOS 15.8.8 and iPadOS 15.8.8 APPLE-SA-05-11-2026-4 iOS 16.7.16 and iPadOS 16.7.16 Full Disclosure: APPLE-SA-05-11-2026-3 iPadOS 17.7.11 APPLE-SA-05-11-2026-2 iOS 18.7.9 and iPadOS 18.7.9 APPLE-SA-05-11-2026-1 iOS 26.5 and iPadOS 26.5 Impersonation attacks on Edupage portal Edupage web and mobile application authorization bypass leaks PII and IBAN codes Full Disclosure: Dovecot Security Advisory OXDC-2026-0002 Arbitrary File Read and Server Side Request Forgery via XML External Entities in Lobster_pro (CVE-2024-13971) Arbitrary File Read and Server Side Request Forgery via XML External Entities in 4D Server SOAP (CVE-2024-39847) ESP-RFID-Tool v2 PRO — Full Public Disclosure DLL Hijacking in EfficientLab Controlio (cloud-based employee monitoring service) Broken Access Control in Config Endpoint in LiteLLM Exposed Private Key of X.509 Certificate in SAP HANA Cockpit & SAP HANA Database Explorer APPLE-SA-04-22-2026-2 iOS 18.7.8 and iPadOS 18.7.8 APPLE-SA-04-22-2026-1 iOS 26.4.2 and iPadOS 26.4.2 When Trusted Tools Become Attack Primitives [KIS-2026-08] SocialEngine <= 7.8.0 (get-memberall) SQL Injection Vulnerability [KIS-2026-07] SocialEngine <= 7.8.0 Blind Server-Side Request Forgery Vulnerability Full Disclosure: Trojan-Spy.Win32.Small / Remote Command Execution Full Disclosure: [IWCC 2026] CfP: 15th International Workshop on Cyber Crime GoAnywhere MFT Email HTML Injection Full Disclosure: CyberDanube Security Research 20260408-1 Full Disclosure: CyberDanube Security Research 20260408-0 Improper Enforcement of Locked Accounts in WebUI (SSO) in Kiuwan SAST on-premise (KOP) & cloud/SaaS Broken Access Control in Open WebUI Full Disclosure: SEC Consult SA-20260326-0 :: Local Privilege Escalation in Vienna Assistant (MacOS) 14 Third-Party Endpoints, 6 Countries, Zero User Visibility [KIS-2026-06] MetInfo CMS <= 8.1 (weixinreply.class.php) PHP Code Injection Vulnerability [CVE-2026-33691] OWASP CRS whitespace padding bypass vulnerability Full Disclosure: APPLE-SA-03-24-2026-10 Xcode 26.4 Full Disclosure: APPLE-SA-03-24-2026-9 Safari 26.4 Full Disclosure: APPLE-SA-03-24-2026-8 visionOS 26.4 Full Disclosure: APPLE-SA-03-24-2026-7 watchOS 26.4 Full Disclosure: APPLE-SA-03-24-2026-6 tvOS 26.4 Full Disclosure: APPLE-SA-03-24-2026-5 macOS Sonoma 14.8.5 Full Disclosure: APPLE-SA-03-24-2026-4 macOS Sequoia 15.7.5 Full Disclosure: APPLE-SA-03-24-2026-3 macOS Tahoe 26.4 APPLE-SA-03-24-2026-2 iOS 18.7.7 and iPadOS 18.7.7 APPLE-SA-03-24-2026-1 iOS 26.4 and iPadOS 26.4
Certified Asterisk Security Release certified-20.7-cert11
Asterisk Development Team via Fulldisclosure · 2026-07-03 · via Full Disclosure
fulldisclosure logo

Full Disclosure mailing list archives


From: Asterisk Development Team via Fulldisclosure <fulldisclosure () seclists org>
Date: Thu, 25 Jun 2026 17:08:07 +0000

The Asterisk Development Team would like to announce security release  
Certified Asterisk 20.7-cert11.

The release artifacts are available for immediate download at  
https://github.com/asterisk/asterisk/releases/tag/certified-20.7-cert11
and
https://downloads.asterisk.org/pub/telephony/certified-asterisk

Repository: https://github.com/asterisk/asterisk
Tag: certified-20.7-cert11


## Change Log for Release asterisk-certified-20.7-cert11

### Links:

 - [Full 
ChangeLog](https://downloads.asterisk.org/pub/telephony/certified-asterisk/releases/ChangeLog-certified-20.7-cert11.html)
  
 - [GitHub Diff](https://github.com/asterisk/asterisk/compare/certified-20.7-cert10...certified-20.7-cert11)  
 - [Tarball](https://downloads.asterisk.org/pub/telephony/certified-asterisk/asterisk-certified-20.7-cert11.tar.gz)  
 - [Downloads](https://downloads.asterisk.org/pub/telephony/certified-asterisk)  

### Summary:

- Commits: 18
- Commit Authors: 7
- Issues Resolved: 0
- Security Advisories Resolved: 18
  - [GHSA-3g56-cgrh-95p5](https://github.com/asterisk/asterisk/security/advisories/GHSA-3g56-cgrh-95p5): chan_unistim 
DIALPAGE digit handling can overflow phone_number and crash Asterisk
  - [GHSA-3rhj-hhw7-m6fw](https://github.com/asterisk/asterisk/security/advisories/GHSA-3rhj-hhw7-m6fw): NULL Pointer 
Dereference in HTTP AMI Digest Authentication
  - [GHSA-4pgv-j3mr-3rcp](https://github.com/asterisk/asterisk/security/advisories/GHSA-4pgv-j3mr-3rcp): Reflected XSS 
in Phone Provisioning HTTP Error Pages
  - [GHSA-589g-qgf8-m6mx](https://github.com/asterisk/asterisk/security/advisories/GHSA-589g-qgf8-m6mx): Stack buffer 
overflow in MWI NOTIFY Message-Account parsing
  - [GHSA-746q-794h-cc7f](https://github.com/asterisk/asterisk/security/advisories/GHSA-746q-794h-cc7f): Out-of-Bounds 
Read in Q.931 Information Element Parser (H.323 Addon)
  - [GHSA-8jhw-m2hg-vp3h](https://github.com/asterisk/asterisk/security/advisories/GHSA-8jhw-m2hg-vp3h): Heap Buffer 
Overflow in OGG/Speex File Playback (format_ogg_speex)
  - [GHSA-8jw3-ccr9-xrmf](https://github.com/asterisk/asterisk/security/advisories/GHSA-8jw3-ccr9-xrmf): Buffer 
over-read in Asterisk PJSIP MWI body parser
  - [GHSA-g8q2-p36q-94f6](https://github.com/asterisk/asterisk/security/advisories/GHSA-g8q2-p36q-94f6): 
Heap-use-after-free in Asterisk PJSIP TCP/SDP handling when TCP connection closes during SDP processing
  - [GHSA-j2mm-57pq-jh94](https://github.com/asterisk/asterisk/security/advisories/GHSA-j2mm-57pq-jh94): Possible RED 
T.140 Generation Accumulation OOB Write
  - [GHSA-mxgm-8c6f-5p8f](https://github.com/asterisk/asterisk/security/advisories/GHSA-mxgm-8c6f-5p8f): Stack buffer 
overflow in res_xmpp XMPP namespace prefix handling
  - [GHSA-ph27-3m5q-mj5m](https://github.com/asterisk/asterisk/security/advisories/GHSA-ph27-3m5q-mj5m): SQL Injection 
in cel_pgsql and cel_tds via CELGenUserEvent eventtype Field
  - [GHSA-q9fr-m7g8-6ph5](https://github.com/asterisk/asterisk/security/advisories/GHSA-q9fr-m7g8-6ph5): Asterisk 
app_sms.c copies externally controlled SMS lengths into fixed in-struct buffers
  - [GHSA-qf8j-jp7h-c5hx](https://github.com/asterisk/asterisk/security/advisories/GHSA-qf8j-jp7h-c5hx): Out-of-Bounds 
Write in Codec2 Decoder Due to Floor/Ceil Sample Count Mismatch
  - [GHSA-r6c2-hwc2-j4mp](https://github.com/asterisk/asterisk/security/advisories/GHSA-r6c2-hwc2-j4mp): LDAP Filter 
Injection in res_config_ldap via SIP Username (Unauthenticated Information Disclosure)
  - [GHSA-vfhr-r9x9-c687](https://github.com/asterisk/asterisk/security/advisories/GHSA-vfhr-r9x9-c687): Possible RED 
T.140 Heap Buffer Overflow
  - [GHSA-vrfp-mg3q-3959](https://github.com/asterisk/asterisk/security/advisories/GHSA-vrfp-mg3q-3959): ARI 
setChannelVar bypasses live_dangerously and permits FILE() writes
  - [GHSA-x348-j6c9-77f3](https://github.com/asterisk/asterisk/security/advisories/GHSA-x348-j6c9-77f3): Stack Buffer 
Overflow in H.323 ooTrace() via Unbounded vsprintf into Fixed 2048-byte Buffer
  - [GHSA-xgj6-2gc5-5x9c](https://github.com/asterisk/asterisk/security/advisories/GHSA-xgj6-2gc5-5x9c): ast_loggrabber 
executes python script in world writable directory(`/tmp`) leading to potential privilege escalation And RCE

### User Notes:


### Upgrade Notes:


### Developer Notes:

- #### ARI: Make ARI applications respect live_dangerously.
  ARI applications can no longer call "dangerous" dialplan
  functions like DB(), FILE(), SHELL(), CURL(), STAT(), etc. without
  enabling "live_dangerously" in asterisk.conf.
  Resolves: #GHSA-vrfp-mg3q-3959


### Commit Authors:

- George Joseph: (5)
- Joshua C. Colp: (1)
- Mike Bradeen: (2)
- Milan Kyselica: (7)
- Pengpeng Hou: (1)
- Roberto Paleari: (1)
- ThatTotallyRealMyth: (1)

## Issue and Commit Detail:

### Closed Issues:

  - !GHSA-3g56-cgrh-95p5: chan_unistim DIALPAGE digit handling can overflow phone_number and crash Asterisk
  - !GHSA-3rhj-hhw7-m6fw: NULL Pointer Dereference in HTTP AMI Digest Authentication
  - !GHSA-4pgv-j3mr-3rcp: Reflected XSS in Phone Provisioning HTTP Error Pages
  - !GHSA-589g-qgf8-m6mx: Stack buffer overflow in MWI NOTIFY Message-Account parsing
  - !GHSA-746q-794h-cc7f: Out-of-Bounds Read in Q.931 Information Element Parser (H.323 Addon)
  - !GHSA-8jhw-m2hg-vp3h: Heap Buffer Overflow in OGG/Speex File Playback (format_ogg_speex)
  - !GHSA-8jw3-ccr9-xrmf: Buffer over-read in Asterisk PJSIP MWI body parser
  - !GHSA-g8q2-p36q-94f6: Heap-use-after-free in Asterisk PJSIP TCP/SDP handling when TCP connection closes during SDP 
processing
  - !GHSA-j2mm-57pq-jh94: Possible RED T.140 Generation Accumulation OOB Write
  - !GHSA-mxgm-8c6f-5p8f: Stack buffer overflow in res_xmpp XMPP namespace prefix handling
  - !GHSA-ph27-3m5q-mj5m: SQL Injection in cel_pgsql and cel_tds via CELGenUserEvent eventtype Field
  - !GHSA-q9fr-m7g8-6ph5: Asterisk app_sms.c copies externally controlled SMS lengths into fixed in-struct buffers
  - !GHSA-qf8j-jp7h-c5hx: Out-of-Bounds Write in Codec2 Decoder Due to Floor/Ceil Sample Count Mismatch
  - !GHSA-r6c2-hwc2-j4mp: LDAP Filter Injection in res_config_ldap via SIP Username (Unauthenticated Information 
Disclosure)
  - !GHSA-vfhr-r9x9-c687: Possible RED T.140 Heap Buffer Overflow
  - !GHSA-vrfp-mg3q-3959: ARI setChannelVar bypasses live_dangerously and permits FILE() writes
  - !GHSA-x348-j6c9-77f3: Stack Buffer Overflow in H.323 ooTrace() via Unbounded vsprintf into Fixed 2048-byte Buffer
  - !GHSA-xgj6-2gc5-5x9c: ast_loggrabber executes python script in world writable directory(`/tmp`) leading to 
potential privilege escalation And RCE

### Commits By Author:

- #### George Joseph (5):
  - chan_unistim.c: Prevent overrun of phone_number field.
  - pjsip_message_filter: Use pj_strdup instead of pj_strassign to save local address.
  - ooh323c/ooq931.c: Ensure ooQ931Decode doesn't run out-of-bounds.
  - ARI: Make ARI applications respect live_dangerously.
  - res_rtp_asterisk.c: Address 2 potential T.140 RED buffer overruns.

- #### Joshua C. Colp (1):
  - build: Fix GCC discarded-qualifiers const errors.

- #### Mike Bradeen (2):
  - manager: Use remote address in user error logging
  - ooh323: Prevent potential buffer overflow in trace logging

- #### Milan Kyselica (7):
  - res_xmpp: Fix stack buffer overflow in namespace prefix handling
  - res_pjsip_pubsub: Add width limit to sscanf in MWI NOTIFY parser
  - res_config_ldap: Escape LDAP filter values per RFC 4515
  - cel_pgsql, cel_tds: Escape eventtype field to prevent SQL injection
  - http: Escape error page text to prevent reflected XSS
  - codec_codec2: Only process complete Codec2 frames in decoder
  - format_ogg_speex: Add bounds check to prevent heap buffer overflow

- #### Pengpeng Hou (1):
  - app_sms: Bound protocol 1 SMS unpacking to fixed-size buffers

- #### Roberto Paleari (1):
  - res/res_pjsip_pubsub.c: Fix buffer over-read in MWI body parser

- #### ThatTotallyRealMyth (1):
  - ast_loggrabber: Install the ast_tsconvert.py script to a secure temp directory.

### Commit List:

-  ast_loggrabber: Install the ast_tsconvert.py script to a secure temp directory.
-  chan_unistim.c: Prevent overrun of phone_number field.
-  pjsip_message_filter: Use pj_strdup instead of pj_strassign to save local address.
-  ooh323c/ooq931.c: Ensure ooQ931Decode doesn't run out-of-bounds.
-  ARI: Make ARI applications respect live_dangerously.
-  res_rtp_asterisk.c: Address 2 potential T.140 RED buffer overruns.
-  res/res_pjsip_pubsub.c: Fix buffer over-read in MWI body parser
-  manager: Use remote address in user error logging
-  ooh323: Prevent potential buffer overflow in trace logging
-  app_sms: Bound protocol 1 SMS unpacking to fixed-size buffers
-  res_xmpp: Fix stack buffer overflow in namespace prefix handling
-  res_pjsip_pubsub: Add width limit to sscanf in MWI NOTIFY parser
-  res_config_ldap: Escape LDAP filter values per RFC 4515
-  cel_pgsql, cel_tds: Escape eventtype field to prevent SQL injection
-  http: Escape error page text to prevent reflected XSS
-  codec_codec2: Only process complete Codec2 frames in decoder
-  format_ogg_speex: Add bounds check to prevent heap buffer overflow
-  build: Fix GCC discarded-qualifiers const errors.

### Commit Details:

#### ast_loggrabber: Install the ast_tsconvert.py script to a secure temp directory.
  Author: ThatTotallyRealMyth
  Date:   2026-03-19

  The ast_tsconvert.py script called by ast_loggrabber is now installed in a
  temporary directory that isn't world readable or writable.

  Resolves: #GHSA-xgj6-2gc5-5x9c

#### chan_unistim.c: Prevent overrun of phone_number field.
  Author: George Joseph
  Date:   2026-06-15

  Add a check to key_dial_page() to ensure that dialed digits won't overrun
  the phone_number field.

  Resolves: #GHSA-3g56-cgrh-95p5

#### pjsip_message_filter: Use pj_strdup instead of pj_strassign to save local address.
  Author: George Joseph
  Date:   2026-06-10

  The filter_on_tx_message() function was using pj_strassign() to save the pointer
  of the pjproject transport local address to a local pj_str_t variable.  That
  variable was ultimately used to set the Contact header's uri->host and the SDP
  connection attribute's address again using pj_strassign.  pj_strassign() doesn't
  copy the actual value of the pj_str_t however, it just copies the pointer so
  if a connection-oriented transport is disconnected before the 200 OK with the
  SDP is sent, those pointers will be invalid which can cause use-after-free
  issues. To prevent this, filter_on_tx_message() now uses pj_strdup with the
  tdata->pool as the backing store to save the local IP address to the local
  variable.  pj_strassign() can then be used safely later on since the tdata
  will be available for the life of the transaction.

  Resolves: #GHSA-g8q2-p36q-94f6

#### ooh323c/ooq931.c: Ensure ooQ931Decode doesn't run out-of-bounds.
  Author: George Joseph
  Date:   2026-06-02

  Several bounds checks have been edded to ooQ931Decode to prevent it from
  running past the end of the data buffer when parsing information elements.

  Resolves: #GHSA-746q-794h-cc7f

#### ARI: Make ARI applications respect live_dangerously.
  Author: George Joseph
  Date:   2026-05-21

  DeveloperNote: ARI applications can no longer call "dangerous" dialplan
  functions like DB(), FILE(), SHELL(), CURL(), STAT(), etc. without
  enabling "live_dangerously" in asterisk.conf.

  Resolves: #GHSA-vrfp-mg3q-3959

#### res_rtp_asterisk.c: Address 2 potential T.140 RED buffer overruns.
  Author: George Joseph
  Date:   2026-04-27

  * Add check to red_t140_to_red() to ensure that the new primary payload
  can't cause the rtp_red->len array items to wrap or cause an overrun of
  the rtp_red->t140red_data buffer.

  * Add check to rtp_red_buffer() to ensure that a T.140 frame to be sent
  can't cause rtp_red->len array items to wrap or cause an overrun of
  the rtp_red->buf_data buffer.

  Resolves: #GHSA-vfhr-r9x9-c687
  Resolves: #GHSA-j2mm-57pq-jh94

#### res/res_pjsip_pubsub.c: Fix buffer over-read in MWI body parser
  Author: Roberto Paleari
  Date:   2026-04-29

  Add constraint checks to prevent unauthenticated users from crashing Asterisk
  instance by sending a crafted inbound SIP NOTIFY request with "Content-Type:
  application/simple-message-summary".

  Resolves: #GHSA-8jw3-ccr9-xrmf

#### manager: Use remote address in user error logging
  Author: Mike Bradeen
  Date:   2026-03-30

  To avoid a potential null dereference use the remote address
  in error logging when there is no user or the user acl fails.

  Resolves: #GHSA-3rhj-hhw7-m6fw

#### ooh323: Prevent potential buffer overflow in trace logging
  Author: Mike Bradeen
  Date:   2026-03-31

  Replace a call to vsprintf with a call to ast_vasprintf to
  prevent a possible buffer overflow.

  Resolves: #GHSA-x348-j6c9-77f3

#### app_sms: Bound protocol 1 SMS unpacking to fixed-size buffers
  Author: Pengpeng Hou
  Date:   2026-04-01

  The protocol 1 unpack helpers trusted externally controlled lengths and wrote
   them directly into fixed-size buffers in sms_t. Clamp the address, header,
   and body copies to the destination array sizes so malformed messages cannot
   overwrite adjacent state.

  Resolves: #GHSA-q9fr-m7g8-6ph5

#### res_xmpp: Fix stack buffer overflow in namespace prefix handling
  Author: Milan Kyselica
  Date:   2026-03-26

  The snprintf size parameter in xmpp_action_hook() is computed from
  the attacker-controlled namespace prefix length and is not bounded
  by the 256-byte stack buffer size. When a remote XMPP peer sends a
  stanza with a child element whose namespace prefix exceeds 249
  characters, snprintf writes past the buffer boundary.

  Use sizeof(attr) as the snprintf size limit and %.*s precision to
  extract only the prefix portion of the element name, preserving
  the original truncation behavior for valid inputs.

  Resolves: #GHSA-mxgm-8c6f-5p8f

#### res_pjsip_pubsub: Add width limit to sscanf in MWI NOTIFY parser
  Author: Milan Kyselica
  Date:   2026-03-24

  The parse_simple_message_summary() function uses sscanf with an
  unbounded %s format specifier to parse the Message-Account field
  from incoming SIP NOTIFY bodies into a fixed-size 512-byte stack
  buffer (PJSIP_MAX_URL_SIZE). A single unauthenticated SIP NOTIFY
  with a Message-Account value exceeding 512 bytes overflows the
  buffer, corrupting adjacent stack data and permanently disabling
  the PJSIP transport layer without crashing the process.

  Add a width specifier (%511s) to limit the sscanf write to
  PJSIP_MAX_URL_SIZE - 1 bytes plus the NUL terminator, matching
  the destination buffer size.

  Resolves: #GHSA-589g-qgf8-m6mx

#### res_config_ldap: Escape LDAP filter values per RFC 4515
  Author: Milan Kyselica
  Date:   2026-03-23

  The LDAP realtime driver constructs search filters by directly
  concatenating user-supplied values without RFC 4515 escaping.
  When LDAP is used as a realtime backend for endpoint
  identification, characters with special meaning in LDAP filters
  (*, (, ), \) can be injected via the SIP From header username.

  Add ldap_filter_escape_value() that escapes RFC 4515 special
  characters to their \HH hex representation, and apply it to
  non-LIKE query values. The LIKE query path preserves the existing
  wildcard conversion behavior with a note for maintainers.

  Resolves: #GHSA-r6c2-hwc2-j4mp

#### cel_pgsql, cel_tds: Escape eventtype field to prevent SQL injection
  Author: Milan Kyselica
  Date:   2026-03-23

  The eventtype column handler in cel_pgsql.c inserts
  record.user_defined_name directly into the SQL query without
  calling PQescapeStringConn(), while all other string fields in
  the same function are properly escaped. Similarly, cel_tds.c
  passes the raw user_defined_name into the SQL INSERT without
  routing it through anti_injection(), while all other fields are
  processed through that function.

  For cel_pgsql.c, escape the eventtype value using
  PQescapeStringConn(), matching the existing pattern used for all
  other string fields at lines 308-331 of the same function.

  For cel_tds.c, route the eventtype value through
  anti_injection() consistent with how all other fields are handled
  in the same function.

  Resolves: #GHSA-ph27-3m5q-mj5m

#### http: Escape error page text to prevent reflected XSS
  Author: Milan Kyselica
  Date:   2026-04-08

  The text parameter in ast_http_create_response() is inserted into
  the HTML body without escaping, while the server name on the same
  page is properly escaped via ast_xml_escape(). When res_phoneprov
  passes the decoded request URI as the text of a 404 response, HTML
  metacharacters in the URI are rendered by the browser.

  Apply ast_xml_escape() to the text parameter before inserting it
  into the HTML template, using the same function already used for
  the server name.

  Resolves: #GHSA-4pgv-j3mr-3rcp

#### codec_codec2: Only process complete Codec2 frames in decoder
  Author: Milan Kyselica
  Date:   2026-04-08

  The codec2_samples() function uses floor division (160 * datalen/6)
  to compute expected output samples, but the decode loop condition
  (x < datalen) iterates with ceiling behavior when datalen is not a
  multiple of CODEC2_FRAME_LEN. This mismatch causes the loop to
  decode one extra frame beyond what the framework bounds check
  budgeted for, leading to an out-of-bounds write on the output buffer.

  Change the loop condition to only process complete frames, matching
  the floor-division behavior of codec2_samples(). This also prevents
  an out-of-bounds read on the input side when fewer than
  CODEC2_FRAME_LEN bytes remain.

  Resolves: #GHSA-qf8j-jp7h-c5hx

#### format_ogg_speex: Add bounds check to prevent heap buffer overflow
  Author: Milan Kyselica
  Date:   2026-03-23

  The ogg_speex_read() function copies OGG packet data via memcpy()
  without validating the packet size against the destination buffer
  (BUF_SIZE = 200 bytes). A crafted .spx file with an oversized OGG
  audio packet causes a heap buffer overflow that corrupts the
  adjacent speex_desc structure containing libogg heap pointers,
  leading to a crash (SIGSEGV) on playback.

  Add a bounds check for both negative and oversized values before
  the memcpy, consistent with how format_ogg_vorbis bounds its reads
  via ov_read().

  Resolves: #GHSA-8jhw-m2hg-vp3h

#### build: Fix GCC discarded-qualifiers const errors.
  Author: Joshua C. Colp
  Date:   2026-02-12

  GCC 15.2.1 pays attention to the discarding of the const
  qualifier when strchr, strrchr, memchr, or memrchr are now
  used. This change fixes numerous errors with this throughout
  the tree. The fixes can be broken down into the following:

  1. The return value should be considered const.
  2. The value passed to strchr or strrchr can be cast as it is
     expected and allowed to be modified.
  3. The pointer passed to strchr or strrchr is not meant to be
     modified and so the contents must be duplicated.
  4. It was declared const and never should have been.

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/


Current thread:

  • Certified Asterisk Security Release certified-20.7-cert11 Asterisk Development Team via Fulldisclosure (Jul 02)