Source: asterisk
Version: 1:22.8.0+dfsg+~cs6.15.60671435-1
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerabilities were published for asterisk.

CVE-2026-23738[0]:
| Asterisk is an open source private branch exchange and telephony
| toolkit. Prior to versions 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, and
| 23.2.2, user-supplied/controlled values for Cookies and any GET
| variable query Parameter are directly interpolated into the HTML of
| the page using ast_str_append. The endpoint at GET /httpstatus is
| the potentially vulnerable endpoint relating to asterisk/main/http.c.
| This issue has been patched in versions 20.7-cert9, 20.18.2,
| 21.12.1, 22.8.2, and 23.2.2.

CVE-2026-23739[1]:
| Asterisk is an open source private branch exchange and telephony
| toolkit. Prior to versions 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, and
| 23.2.2, the ast_xml_open() function in xml.c parses XML documents
| using libxml with unsafe parsing options that enable entity
| expansion and XInclude processing. Specifically, it invokes
| xmlReadFile() with the XML_PARSE_NOENT flag and later processes
| XIncludes via xmlXIncludeProcess(). If any untrusted or user-supplied
| XML file is passed to this function, it can allow an attacker to
| trigger XML External Entity (XXE) or XInclude-based local file
| disclosure, potentially exposing sensitive files from the host
| system. This can also be triggered in other cases in which the user
| is able to supply input in XML format that triggers the asterisk
| process to parse it. This issue has been patched in versions
| 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, and 23.2.2.

CVE-2026-23740[2]:
| Asterisk is an open source private branch exchange and telephony
| toolkit. Prior to versions 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, and
| 23.2.2, when ast_coredumper writes its gdb init and output files to
| a directory that is world-writable (for example /tmp), an attacker
| with write permission (which is all users on a Linux system) to that
| directory can cause root to execute arbitrary commands or overwrite
| arbitrary files by controlling the gdb init file and output paths.
| This issue has been patched in versions 20.7-cert9, 20.18.2,
| 21.12.1, 22.8.2, and 23.2.2.

CVE-2026-23741[3]:
| Asterisk is an open source private branch exchange and telephony
| toolkit. Prior to versions 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, and
| 23.2.2, the asterisk/contrib/scripts/ast_coredumper runs as root, as
| noted by the NOTES tag on line 689 of the ast_coredumper file. The
| script will source the contents of
| /etc/asterisk/ast_debug_tools.conf, which resides in a folder that
| is writeable by the asterisk user:group. Due to the
| /etc/asterisk/ast_debug_tools.conf file following bash semantics and
| it being loaded, an attacker with write permissions may add or
| modify the file such that when the root ast_coredumper is run, it
| would source and thereby execute arbitrary bash code found in the
| /etc/asterisk/ast_debug_tools.conf. This issue has been patched in
| versions 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, and 23.2.2.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-23738
    https://www.cve.org/CVERecord?id=CVE-2026-23738
[1] https://security-tracker.debian.org/tracker/CVE-2026-23739
    https://www.cve.org/CVERecord?id=CVE-2026-23739
[2] https://security-tracker.debian.org/tracker/CVE-2026-23740
    https://www.cve.org/CVERecord?id=CVE-2026-23740
[3] https://security-tracker.debian.org/tracker/CVE-2026-23741
    https://www.cve.org/CVERecord?id=CVE-2026-23741

FWIW, yes CVE-2026-23739 would not warrant even an important severity bug,
as asterisk does not allow untrusted or user-supplied XML to be used, but
I'm just filing here one bug for all four new CVEs.

Regards,
Salvatore
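As an added example, not from this report or from the Asterisk project: the CVE-2026-23741 description comes down to a root script sourcing a bash-syntax file that lives in a directory a less-privileged account can write to. The function below is one defensive check a root script can run before sourcing such a file; it assumes GNU coreutils `stat` (Linux) and that the file's legitimate owner is the user running the script. The `safe_source` name and the demo paths are this example's own.

```shell
#!/bin/sh
# safe_source FILE
# Source a shell-syntax config file only if FILE and its directory can be
# modified solely by the user running this script (root, for a root-run
# script).  Returns 0 after sourcing, or 1 without sourcing anything.
# Assumes GNU coreutils stat ('-c %u %a' gives owner uid and octal mode).
safe_source() {
    cfg=$1
    dir=$(dirname -- "$cfg")
    me=$(id -u)

    # A symlink (or anything but a regular file) lets a lower-privileged
    # writer redirect the read to content of their choosing.
    if [ -L "$cfg" ] || [ ! -f "$cfg" ]; then
        printf 'refusing %s: not a regular file\n' "$cfg" >&2
        return 1
    fi

    # Owner uid and octal mode of the file, then of its directory.
    set -- $(stat -c '%u %a' -- "$cfg") $(stat -c '%u %a' -- "$dir")
    owner=$1 mode=$2 downer=$3 dmode=$4

    # Reject if either is owned by another uid or is group/other writable
    # (mode & 022 != 0).  A writable directory is enough on its own: the
    # file can simply be replaced, which is the /etc/asterisk case above.
    if [ "$owner" != "$me" ] || [ "$downer" != "$me" ] ||
       [ $(( 0$mode & 022 )) -ne 0 ] || [ $(( 0$dmode & 022 )) -ne 0 ]; then
        printf 'refusing %s: writable by another user\n' "$cfg" >&2
        return 1
    fi

    . "$cfg"
}

# Usage in a root-run script, e.g. instead of an unconditional source:
#   safe_source /etc/asterisk/ast_debug_tools.conf || exit 1
```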

