Your message dated Fri, 26 Jun 2026 23:11:59 +0200
with message-id <[email protected]>
and subject line Re: Bug#1136007: asterisk: CVE-2026-42225
has caused the Debian Bug report #1136007,
regarding asterisk: CVE-2026-42225
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1136007: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1136007
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: asterisk
X-Debbugs-CC: [email protected]
Severity: grave
Tags: security
Hi,
The following vulnerability was published for asterisk.
CVE-2026-42225[0]:
| PJSIP is a free and open source multimedia communication library
| written in C. Prior to version 2.17, on GnuTLS builds, the SIP TLS
| transport (sip_transport_tls) can accept connections with invalid or
| untrusted certificates even when the application explicitly enables
| certificate verification via verify_server = PJ_TRUE or
| verify_client = PJ_TRUE. This issue has been patched in version
| 2.17.
https://github.com/pjsip/pjproject/security/advisories/GHSA-x2fv-6j6c-pxmx
https://github.com/pjsip/pjproject/commit/ef684252bb62b0716675b6e99ad7fe4c90e28920
(2.17)
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2026-42225
https://www.cve.org/CVERecord?id=CVE-2026-42225
Please adjust the affected versions in the BTS as needed.
--- End Message ---
--- Begin Message ---
Version: 1:22.10.0+dfsg+~cs6.17.60671434-1
Quoting Moritz Mühlenhoff (2026-05-08 15:13:54)
> Source: asterisk
> X-Debbugs-CC: [email protected]
> Severity: grave
> Tags: security
>
> Hi,
>
> The following vulnerability was published for asterisk.
>
> CVE-2026-42225[0]:
> | PJSIP is a free and open source multimedia communication library
> | written in C. Prior to version 2.17, on GnuTLS builds, the SIP TLS
> | transport (sip_transport_tls) can accept connections with invalid or
> | untrusted certificates even when the application explicitly enables
> | certificate verification via verify_server = PJ_TRUE or
> | verify_client = PJ_TRUE. This issue has been patched in version
> | 2.17.
>
> https://github.com/pjsip/pjproject/security/advisories/GHSA-x2fv-6j6c-pxmx
> https://github.com/pjsip/pjproject/commit/ef684252bb62b0716675b6e99ad7fe4c90e28920
> (2.17)
>
>
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2026-42225
> https://www.cve.org/CVERecord?id=CVE-2026-42225
>
> Please adjust the affected versions in the BTS as needed.
This was fixed in pjproject 2.17, included since asterisk 22.10.0.
Closing as fixed since Debian packaging release
1:22.10.0+dfsg+~cs6.17.60671434-1.
Thanks,
- Jonas
--
* Jonas Smedegaard - idealist & Internet-arkitekt
* Tlf.: +45 40843136 Website: http://dr.jones.dk/
* Sponsorship: https://ko-fi.com/drjones
[x] quote me freely [ ] ask before reusing [ ] keep private
signature.asc
Description: signature
--- End Message ---