Search for packages
Package details: pkg:deb/debian/asterisk@1:16.28.0~dfsg-0%2Bdeb11u4
purl pkg:deb/debian/asterisk@1:16.28.0~dfsg-0%2Bdeb11u4
Next non-vulnerable version 1:22.4.1~dfsg+~cs6.15.60671435-2
Latest non-vulnerable version 1:22.4.1~dfsg+~cs6.15.60671435-2
Risk 10.0
Vulnerabilities affecting this package (6)
Vulnerability Summary Fixed by
VCID-2sqb-p9p3-aaam
Aliases:
CVE-2024-42365
asterisk: From NVD collector
1:20.9.3~dfsg+~cs6.14.60671435-1
Affected by 0 other vulnerabilities.
1:22.0.0~dfsg+~cs6.14.60671435-1
Affected by 0 other vulnerabilities.
1:22.1.0~dfsg+~cs6.14.60671435-1
Affected by 0 other vulnerabilities.
1:22.2.0~dfsg+~cs6.15.60671435-1
Affected by 0 other vulnerabilities.
1:22.3.0~dfsg+~cs6.15.60671435-1
Affected by 0 other vulnerabilities.
VCID-8uv1-cdwb-2uec
Aliases:
CVE-2025-47780
Asterisk is an open-source private branch exchange (PBX). Prior to versions 18.26.2, 20.14.1, 21.9.1, and 22.4.1 of Asterisk and versions 18.9-cert14 and 20.7-cert5 of certified-asterisk, trying to disallow shell commands to be run via the Asterisk command line interface (CLI) by configuring `cli_permissions.conf` (e.g. with the config line `deny=!*`) does not work which could lead to a security risk. If an administrator running an Asterisk instance relies on the `cli_permissions.conf` file to work and expects it to deny all attempts to execute shell commands, then this could lead to a security vulnerability. Versions 18.26.2, 20.14.1, 21.9.1, and 22.4.1 of Asterisk and versions 18.9-cert14 and 20.7-cert5 of certified-asterisk fix the issue.
1:22.4.1~dfsg+~cs6.15.60671435-1
Affected by 0 other vulnerabilities.
1:22.4.1~dfsg+~cs6.15.60671435-2
Affected by 0 other vulnerabilities.
VCID-9r3z-f4rc-9fek
Aliases:
CVE-2024-42491
Asterisk is an open-source private branch exchange (PBX). Prior to versions 18.24.3, 20.9.3, and 21.4.3 of Asterisk and versions 18.9-cert12 and 20.7-cert2 of certified-asterisk, if Asterisk attempts to send a SIP request to a URI whose host portion starts with `.1` or `[.1]`, and res_resolver_unbound is loaded, Asterisk will crash with a SEGV. To receive a patch, users should upgrade to one of the following versions: 18.24.3, 20.9.3, 21.4.3, certified-18.9-cert12, certified-20.7-cert2. Two workarounds are available. Disable res_resolver_unbound by setting `noload = res_resolver_unbound.so` in modules.conf, or set `rewrite_contact = yes` on all PJSIP endpoints. NOTE: This may not be appropriate for all Asterisk configurations.
1:20.9.3~dfsg+~cs6.14.60671435-1
Affected by 0 other vulnerabilities.
1:22.0.0~dfsg+~cs6.14.60671435-1
Affected by 0 other vulnerabilities.
1:22.1.0~dfsg+~cs6.14.60671435-1
Affected by 0 other vulnerabilities.
1:22.2.0~dfsg+~cs6.15.60671435-1
Affected by 0 other vulnerabilities.
1:22.3.0~dfsg+~cs6.15.60671435-1
Affected by 0 other vulnerabilities.
1:22.4.1~dfsg+~cs6.15.60671435-1
Affected by 0 other vulnerabilities.
VCID-cj97-awga-gycz
Aliases:
CVE-2024-57520
Insecure Permissions vulnerability in asterisk v22 allows a remote attacker to execute arbitrary code via the action_createconfig function
1:22.3.0~dfsg+~cs6.15.60671435-1
Affected by 0 other vulnerabilities.
1:22.4.1~dfsg+~cs6.15.60671435-1
Affected by 0 other vulnerabilities.
1:22.4.1~dfsg+~cs6.15.60671435-2
Affected by 0 other vulnerabilities.
VCID-cug9-jj63-ffc1
Aliases:
CVE-2025-47779
Asterisk is an open-source private branch exchange (PBX). Prior to versions 18.26.2, 20.14.1, 21.9.1, and 22.4.1 of Asterisk and versions 18.9-cert14 and 20.7-cert5 of certified-asterisk, SIP requests of the type MESSAGE (RFC 3428) authentication do not get proper alignment. An authenticated attacker can spoof any user identity to send spam messages to the user with their authorization token. Abuse of this security issue allows authenticated attackers to send fake chat messages can be spoofed to appear to come from trusted entities. Even administrators who follow Security best practices and Security Considerations can be impacted. Therefore, abuse can lead to spam and enable social engineering, phishing and similar attacks. Versions 18.26.2, 20.14.1, 21.9.1, and 22.4.1 of Asterisk and versions 18.9-cert14 and 20.7-cert5 of certified-asterisk fix the issue.
1:22.4.1~dfsg+~cs6.15.60671435-1
Affected by 0 other vulnerabilities.
1:22.4.1~dfsg+~cs6.15.60671435-2
Affected by 0 other vulnerabilities.
VCID-mq5t-mm81-xkhx
Aliases:
CVE-2024-53566
An issue in the action_listcategories() function of Sangoma Asterisk v22/22.0.0/22.0.0-rc1/22.0.0-rc2/22.0.0-pre1 allows attackers to execute a path traversal.
1:22.2.0~dfsg+~cs6.15.60671435-1
Affected by 0 other vulnerabilities.
1:22.3.0~dfsg+~cs6.15.60671435-1
Affected by 0 other vulnerabilities.
Vulnerabilities fixed by this package (4)
Vulnerability Summary Aliases
VCID-b5s1-e6fm-aaab Asterisk is an open source private branch exchange and telephony toolkit. In Asterisk prior to versions 18.20.1, 20.5.1, and 21.0.1, as well as certified-asterisk prior to 18.9-cert6, it is possible to read any arbitrary file even when the `live_dangerously` is not enabled. This allows arbitrary files to be read. Asterisk versions 18.20.1, 20.5.1, and 21.0.1, as well as certified-asterisk prior to 18.9-cert6, contain a fix for this issue. CVE-2023-49294
VCID-djaa-ugv5-aaas PJSIP is a free and open source multimedia communication library written in C with high level API in C, C++, Java, C#, and Python languages. SRTP is a higher level media transport which is stacked upon a lower level media transport such as UDP and ICE. Currently a higher level transport is not synchronized with its lower level transport that may introduce use-after-free issue. This vulnerability affects applications that have SRTP capability (`PJMEDIA_HAS_SRTP` is set) and use underlying media transport other than UDP. This vulnerability’s impact may range from unexpected application termination to control flow hijack/memory corruption. The patch is available as a commit in the master branch. CVE-2023-38703
VCID-f8fs-r198-aaaj Asterisk is an open source private branch exchange and telephony toolkit. In Asterisk prior to versions 18.20.1, 20.5.1, and 21.0.1; as well as certified-asterisk prior to 18.9-cert6; Asterisk is susceptible to a DoS due to a race condition in the hello handshake phase of the DTLS protocol when handling DTLS-SRTP for media setup. This attack can be done continuously, thus denying new DTLS-SRTP encrypted calls during the attack. Abuse of this vulnerability may lead to a massive Denial of Service on vulnerable Asterisk servers for calls that rely on DTLS-SRTP. Commit d7d7764cb07c8a1872804321302ef93bf62cba05 contains a fix, which is part of versions 18.20.1, 20.5.1, 21.0.1, amd 18.9-cert6. CVE-2023-49786
VCID-uvk4-hnk6-aaaq Asterisk is an open source private branch exchange and telephony toolkit. In Asterisk versions 18.20.0 and prior, 20.5.0 and prior, and 21.0.0; as well as ceritifed-asterisk 18.9-cert5 and prior, the 'update' functionality of the PJSIP_HEADER dialplan function can exceed the available buffer space for storing the new value of a header. By doing so this can overwrite memory or cause a crash. This is not externally exploitable, unless dialplan is explicitly written to update a header based on data from an outside source. If the 'update' functionality is not used the vulnerability does not occur. A patch is available at commit a1ca0268254374b515fa5992f01340f7717113fa. CVE-2023-37457

Date Actor Action Vulnerability Source VulnerableCode Version
2025-06-22T11:57:11.740542+00:00 Debian Importer Fixing VCID-f8fs-r198-aaaj https://security-tracker.debian.org/tracker/data/json 36.1.3
2025-06-21T14:23:04.573852+00:00 Debian Importer Affected by VCID-cug9-jj63-ffc1 https://security-tracker.debian.org/tracker/data/json 36.1.3
2025-06-21T08:55:49.727747+00:00 Debian Importer Affected by VCID-cj97-awga-gycz https://security-tracker.debian.org/tracker/data/json 36.1.3
2025-06-21T06:01:21.090520+00:00 Debian Importer Fixing VCID-uvk4-hnk6-aaaq https://security-tracker.debian.org/tracker/data/json 36.1.3
2025-06-21T01:26:53.427605+00:00 Debian Importer Affected by VCID-8uv1-cdwb-2uec https://security-tracker.debian.org/tracker/data/json 36.1.3
2025-06-01T03:09:27.217552+00:00 Debian Importer Affected by VCID-cug9-jj63-ffc1 https://security-tracker.debian.org/tracker/data/json 36.0.0
2025-05-31T16:16:22.826207+00:00 Debian Importer Affected by VCID-8uv1-cdwb-2uec https://security-tracker.debian.org/tracker/data/json 36.0.0
2025-05-05T03:22:53.336974+00:00 Debian Importer Affected by VCID-2sqb-p9p3-aaam https://security-tracker.debian.org/tracker/data/json 36.0.0
2025-04-24T21:24:16.763366+00:00 Debian Importer Affected by VCID-cj97-awga-gycz https://security-tracker.debian.org/tracker/data/json 36.0.0
2025-04-13T03:09:12.563000+00:00 Debian Oval Importer Affected by VCID-mq5t-mm81-xkhx https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 36.0.0
2025-04-13T02:12:28.703342+00:00 Debian Oval Importer Affected by VCID-9r3z-f4rc-9fek https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 36.0.0
2025-04-13T02:12:27.933094+00:00 Debian Oval Importer Affected by VCID-2sqb-p9p3-aaam https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 36.0.0
2025-04-12T22:41:24.651464+00:00 Debian Oval Importer Fixing VCID-f8fs-r198-aaaj https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 36.0.0
2025-04-12T22:41:23.897797+00:00 Debian Oval Importer Fixing VCID-b5s1-e6fm-aaab https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 36.0.0
2025-04-12T22:41:23.138335+00:00 Debian Oval Importer Fixing VCID-uvk4-hnk6-aaaq https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 36.0.0
2025-04-12T22:41:22.384239+00:00 Debian Oval Importer Fixing VCID-djaa-ugv5-aaas https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 36.0.0
2025-04-07T02:03:33.671656+00:00 Debian Importer Affected by VCID-mq5t-mm81-xkhx https://security-tracker.debian.org/tracker/data/json 36.0.0
2025-04-07T00:17:13.996003+00:00 Debian Importer Fixing VCID-b5s1-e6fm-aaab https://security-tracker.debian.org/tracker/data/json 36.0.0
2025-04-06T22:29:06.661812+00:00 Debian Importer Affected by VCID-9r3z-f4rc-9fek https://security-tracker.debian.org/tracker/data/json 36.0.0
2025-04-06T14:35:24.406327+00:00 Debian Importer Fixing VCID-djaa-ugv5-aaas https://security-tracker.debian.org/tracker/data/json 36.0.0
2025-04-06T05:12:49.694914+00:00 Debian Importer Fixing VCID-f8fs-r198-aaaj https://security-tracker.debian.org/tracker/data/json 36.0.0
2025-04-05T03:16:10.270997+00:00 Debian Importer Fixing VCID-uvk4-hnk6-aaaq https://security-tracker.debian.org/tracker/data/json 36.0.0
2025-02-22T05:40:05.074114+00:00 Debian Importer Affected by VCID-mq5t-mm81-xkhx https://security-tracker.debian.org/tracker/data/json 35.1.0
2025-02-22T02:46:45.826556+00:00 Debian Importer Affected by VCID-9r3z-f4rc-9fek https://security-tracker.debian.org/tracker/data/json 35.1.0
2025-02-22T02:46:14.877005+00:00 Debian Importer Affected by VCID-2sqb-p9p3-aaam https://security-tracker.debian.org/tracker/data/json 35.1.0
2025-02-21T14:56:20.813166+00:00 Debian Importer Fixing VCID-f8fs-r198-aaaj https://security-tracker.debian.org/tracker/data/json 35.1.0
2025-02-21T14:54:17.855970+00:00 Debian Importer Fixing VCID-b5s1-e6fm-aaab https://security-tracker.debian.org/tracker/data/json 35.1.0
2025-02-21T12:50:40.062195+00:00 Debian Importer Fixing VCID-djaa-ugv5-aaas https://security-tracker.debian.org/tracker/data/json 35.1.0
2025-02-21T12:30:30.096826+00:00 Debian Importer Fixing VCID-uvk4-hnk6-aaaq https://security-tracker.debian.org/tracker/data/json 35.1.0
2024-11-24T13:01:10.457178+00:00 Debian Importer Affected by VCID-9r3z-f4rc-9fek https://security-tracker.debian.org/tracker/data/json 35.0.0
2024-11-24T13:00:56.631371+00:00 Debian Importer Affected by VCID-2sqb-p9p3-aaam https://security-tracker.debian.org/tracker/data/json 35.0.0
2024-10-20T10:04:50.694017+00:00 Debian Importer Affected by VCID-9r3z-f4rc-9fek https://security-tracker.debian.org/tracker/data/json 34.0.2
2024-10-20T10:04:40.313769+00:00 Debian Importer Affected by VCID-2sqb-p9p3-aaam https://security-tracker.debian.org/tracker/data/json 34.0.2
2024-09-25T22:04:39.030620+00:00 Debian Importer Affected by VCID-9r3z-f4rc-9fek https://security-tracker.debian.org/tracker/data/json 34.0.1
2024-09-25T22:04:34.886157+00:00 Debian Importer Affected by VCID-2sqb-p9p3-aaam https://security-tracker.debian.org/tracker/data/json 34.0.1
2024-05-20T15:05:42.421915+00:00 Debian Importer Fixing VCID-f8fs-r198-aaaj https://security-tracker.debian.org/tracker/data/json 34.0.0rc4
2024-05-20T15:05:07.238778+00:00 Debian Importer Fixing VCID-b5s1-e6fm-aaab https://security-tracker.debian.org/tracker/data/json 34.0.0rc4
2024-04-26T04:20:16.755823+00:00 Debian Importer Fixing VCID-djaa-ugv5-aaas https://security-tracker.debian.org/tracker/data/json 34.0.0rc4
2024-04-26T04:08:04.955858+00:00 Debian Importer Fixing VCID-uvk4-hnk6-aaaq https://security-tracker.debian.org/tracker/data/json 34.0.0rc4