Your message dated Fri, 29 Aug 2025 21:21:31 +0000
with message-id <[email protected]>
and subject line Bug#1112470: fixed in asterisk 1:22.5.2~dfsg+~cs6.15.60671435-1
has caused the Debian Bug report #1112470,
regarding asterisk: CVE-2025-57767
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1112470: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1112470
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: asterisk
Version: 1:22.5.1~dfsg+~cs6.15.60671435-1
Severity: grave
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for asterisk.

CVE-2025-57767[0]:
| Asterisk is an open source private branch exchange and telephony
| toolkit. Prior to versions 20.15.2, 21.10.2, and 22.5.2, if a SIP
| request is received with an Authorization header that contains a
| realm that wasn't in a previous 401 response's WWW-Authenticate
| header, or an Authorization header with an incorrect realm was
| received without a previous 401 response being sent, the
| get_authorization_header() function in
| res_pjsip_authenticator_digest will return a NULL. This wasn't being
| checked before attempting to get the digest algorithm from the
| header which causes a SEGV. This issue has been patched in versions
| 20.15.2, 21.10.2, and 22.5.2. There are no workarounds.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-57767
    https://www.cve.org/CVERecord?id=CVE-2025-57767
[1] https://github.com/asterisk/asterisk/security/advisories/GHSA-64qc-9x89-rx5j
[2] https://github.com/asterisk/asterisk/pull/1407
[3] https://github.com/asterisk/asterisk/commit/02993717b08f899d4aca9888062f35dfb198584f

Regards,
Salvatore

--- End Message ---
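The failure mode described in the bug report above, as an added example in C. This is not Asterisk's code and does not reproduce res_pjsip_authenticator_digest or pjsip internals: the sample header strings, the digest_param and find_auth_header helpers, and the algorithm_unchecked/algorithm_checked pair are all constructed here for illustration. The model parses Digest Authorization headers, returns the one whose realm matches the realm that was challenged (NULL when none does), and puts the unchecked dereference beside a version that treats NULL as "no usable credentials" and re-challenges instead of reading through it.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Extract one Digest parameter (name="value" or name=value) from an Authorization
 * header value. Returns 1 and copies the value into out on success, 0 if absent. */
static int digest_param(const char *hdr, const char *name, char *out, size_t outlen)
{
    size_t nlen = strlen(name);
    const char *p = hdr;

    while ((p = strstr(p, name)) != NULL) {
        /* Accept the name only at a parameter boundary followed by '=', so that
         * e.g. "nonce" does not match inside "cnonce". */
        int at_boundary = (p == hdr) || p[-1] == ' ' || p[-1] == ',' || p[-1] == '\t';
        if (at_boundary && p[nlen] == '=') {
            const char *end;
            p += nlen + 1;
            if (*p == '"') {
                p++;
                end = strchr(p, '"');
                if (end == NULL)
                    return 0;               /* unterminated quoted-string */
            } else {
                end = p + strcspn(p, ", \t\r\n");
            }
            if ((size_t)(end - p) >= outlen)
                return 0;                   /* value too long for caller's buffer */
            memcpy(out, p, (size_t)(end - p));
            out[end - p] = '\0';
            return 1;
        }
        p += nlen;
    }
    return 0;
}

/* Return the Authorization header (a request may carry several) whose realm equals
 * the realm we challenged with in our 401, or NULL when none matches. This NULL is
 * the case the advisory says went unchecked. */
static const char *find_auth_header(const char *const *hdrs, size_t n, const char *challenged_realm)
{
    char realm[128];
    for (size_t i = 0; i < n; i++) {
        if (digest_param(hdrs[i], "realm", realm, sizeof realm) && strcmp(realm, challenged_realm) == 0)
            return hdrs[i];
    }
    return NULL;
}

/* Bug pattern: the lookup result is used without a NULL check. With a mismatched or
 * never-challenged realm, hdr is NULL and strstr(NULL, ...) faults (SEGV). Shown for
 * contrast only; do not call it on a request whose realm does not match. */
static int algorithm_unchecked(const char *const *hdrs, size_t n, const char *challenged_realm,
                               char *algo, size_t alen)
{
    const char *hdr = find_auth_header(hdrs, n, challenged_realm);
    return digest_param(hdr, "algorithm", algo, alen);
}

enum auth_result { AUTH_CHALLENGE = 0, AUTH_PROCEED = 1 };

/* Hardened: no matching header means no usable credentials, so the caller should
 * answer with a fresh 401 rather than touch the header. Digest defaults to MD5 when
 * the algorithm parameter is absent. */
static enum auth_result algorithm_checked(const char *const *hdrs, size_t n, const char *challenged_realm,
                                          char *algo, size_t alen)
{
    const char *hdr = find_auth_header(hdrs, n, challenged_realm);
    if (hdr == NULL) {
        algo[0] = '\0';
        return AUTH_CHALLENGE;
    }
    if (!digest_param(hdr, "algorithm", algo, alen))
        snprintf(algo, alen, "MD5");
    return AUTH_PROCEED;
}

/* Constructed sample headers, as a client might send after a 401 for realm "pbx.example". */
static const char *const GOOD[] = {
    "Digest username=\"alice\", realm=\"pbx.example\", nonce=\"abc\", uri=\"sip:pbx.example\", response=\"0\", algorithm=SHA-256"
};
static const char *const WRONG_REALM[] = {
    "Digest username=\"alice\", realm=\"other.example\", nonce=\"abc\", uri=\"sip:pbx.example\", response=\"0\""
};
static const char *const NO_ALGO[] = {
    "Digest username=\"alice\", realm=\"pbx.example\", nonce=\"abc\", uri=\"sip:pbx.example\", response=\"0\""
};

int main(void)
{
    char algo[32];
    enum auth_result r;

    r = algorithm_checked(GOOD, 1, "pbx.example", algo, sizeof algo);
    printf("matching realm:   %s, algorithm=%s\n", r == AUTH_PROCEED ? "proceed" : "re-challenge", algo);
    r = algorithm_checked(WRONG_REALM, 1, "pbx.example", algo, sizeof algo);
    printf("mismatched realm: %s (lookup returned NULL)\n", r == AUTH_PROCEED ? "proceed" : "re-challenge with 401");
    /* algorithm_unchecked(WRONG_REALM, 1, "pbx.example", ...) would dereference NULL here. */
    return 0;
}
```

Build with `cc -Wall -o authcheck authcheck.c`. The point of the pair is the ordering of the check: the realm lookup legitimately returns NULL for traffic any unauthenticated peer can send, so the NULL branch has to be handled as an authentication outcome (re-challenge), not treated as an impossible state.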
--- Begin Message ---
Source: asterisk
Source-Version: 1:22.5.2~dfsg+~cs6.15.60671435-1
Done: Jonas Smedegaard <[email protected]>

We believe that the bug you reported is fixed in the latest version of
asterisk, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jonas Smedegaard <[email protected]> (supplier of updated asterisk package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 29 Aug 2025 22:00:21 +0200
Source: asterisk
Architecture: source
Version: 1:22.5.2~dfsg+~cs6.15.60671435-1
Distribution: unstable
Urgency: medium
Maintainer: Debian VoIP Team <[email protected]>
Changed-By: Jonas Smedegaard <[email protected]>
Closes: 1112470
Changes:
 asterisk (1:22.5.2~dfsg+~cs6.15.60671435-1) unstable; urgency=medium
 .
   [ upstream ]
   * new release(s)
     + A specifically malformed Authorization header
       in an incoming SIP request can cause Asterisk to crash
       CVE-2025-57767;
       closes: bug#1112470, thanks to Salvatore Bonaccorso
 .
   [ Jonas Smedegaard ]
   * update copyright info:
     + strip upstream-autogenerated file README.html
       from repackaged source
   * update watch file: use file format 5
Checksums-Sha1:
 d8e852a3c806cc7b21e15195ce63ea4a1289b255 5438 asterisk_22.5.2~dfsg+~cs6.15.60671435-1.dsc
 fab723ada342f11d062f1d17e0cbbe05ce67b3b8 11276 asterisk_22.5.2~dfsg+~cs6.15.60671435.orig-Xamr.tar.xz
 3d0a0b6cd89a39935fd096e2ef6e79ba8302c8eb 22024 asterisk_22.5.2~dfsg+~cs6.15.60671435.orig-Xmp3.tar.xz
 793b7a53dfb62a56e0ac144016830a9b52e9fe75 22556 asterisk_22.5.2~dfsg+~cs6.15.60671435.orig-Xopus.tar.xz
 6ea3ab145346244ac8343e00b4c4084ff4a3be35 6401560 asterisk_22.5.2~dfsg+~cs6.15.60671435.orig-Xpjproject.tar.xz
 51b9481dd1c17a986eac40c7901e13f15a2a56f1 6042892 asterisk_22.5.2~dfsg+~cs6.15.60671435.orig.tar.xz
 bf71582fdc2ccf25ecbfb84d3699272ece8624d2 122988 asterisk_22.5.2~dfsg+~cs6.15.60671435-1.debian.tar.xz
 a0837540b0ba0a761de9ab89cd179f1c3a275b66 24999 asterisk_22.5.2~dfsg+~cs6.15.60671435-1_amd64.buildinfo
Checksums-Sha256:
 634a4cc7eb090f843892d1567b8a5b13d376a7f2b178c4b4da2baf4fc024c653 5438 asterisk_22.5.2~dfsg+~cs6.15.60671435-1.dsc
 33cdfabac457e18580c63bb4707e16a991ea3d772229d0dd37e134f494d8d70f 11276 asterisk_22.5.2~dfsg+~cs6.15.60671435.orig-Xamr.tar.xz
 a5316a4cf442be734e050d6fcd28ee23d7057d0cc546413aa75872b84e979f21 22024 asterisk_22.5.2~dfsg+~cs6.15.60671435.orig-Xmp3.tar.xz
 6bc226a2fd01f10fb6155e23be637ed212fea11be0bab2b6c16f8e47dcbc3e9b 22556 asterisk_22.5.2~dfsg+~cs6.15.60671435.orig-Xopus.tar.xz
 0c7ec0d0fa62c7987671c08b67d6e1cbf5f34f6d1f1f18cc5e7e6cb5f331ccd4 6401560 asterisk_22.5.2~dfsg+~cs6.15.60671435.orig-Xpjproject.tar.xz
 221311daf0ebd6b7f836377659419981dc9a8ebd1ea9eb65791086bf154f0581 6042892 asterisk_22.5.2~dfsg+~cs6.15.60671435.orig.tar.xz
 c4277fa6a0446615ab907af2ed1ed7e052b9016b7ee6b4646d8b9a795b1ead35 122988 asterisk_22.5.2~dfsg+~cs6.15.60671435-1.debian.tar.xz
 a788a275506f814b51a1a0ee8de62995add056c6868c1b1185f45e0572fa7300 24999 asterisk_22.5.2~dfsg+~cs6.15.60671435-1_amd64.buildinfo
Files:
 15e91875e54e820ddabe44731f23e87f 5438 comm optional asterisk_22.5.2~dfsg+~cs6.15.60671435-1.dsc
 fdccb2ab4cc1291b171ab4bff308252b 11276 comm optional asterisk_22.5.2~dfsg+~cs6.15.60671435.orig-Xamr.tar.xz
 5bdeadbbd8e5b6cc2f65a846e6859b7e 22024 comm optional asterisk_22.5.2~dfsg+~cs6.15.60671435.orig-Xmp3.tar.xz
 9d9968f788e7837d3f4a23f4a3ceb830 22556 comm optional asterisk_22.5.2~dfsg+~cs6.15.60671435.orig-Xopus.tar.xz
 3b51ffaf78ad427e452807fa01e860f5 6401560 comm optional asterisk_22.5.2~dfsg+~cs6.15.60671435.orig-Xpjproject.tar.xz
 329bc8324fed62238627ae5cbb7fdbc1 6042892 comm optional asterisk_22.5.2~dfsg+~cs6.15.60671435.orig.tar.xz
 656c199c6cbd98e4b1c68e537d7086d4 122988 comm optional asterisk_22.5.2~dfsg+~cs6.15.60671435-1.debian.tar.xz
 116472b8b8b2970ac672fa0be85060cb 24999 comm optional asterisk_22.5.2~dfsg+~cs6.15.60671435-1_amd64.buildinfo


-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----



--- End Message ---
