Hi there

On 09/02/2026 10:25, Rob van der Putten wrote:

On 09/02/2026 09:44, Tim Woodall wrote:

On Mon, 9 Feb 2026, Rob van der Putten wrote:

On 08/02/2026 22:04, Jeffrey Walton wrote:

On Sat, Feb 7, 2026 at 4:58 AM Rob van der Putten <[email protected]> wrote:

    Hi there

    I currently run Asterisk 16 on a Debian 12 / Bookworm box, which is
    like installing Asterisk on Debian 11 / Bullseye and then upgrading
    to 12.
    As far as I can tell, this won't work on 13 / Trixie.
    From the libgnutls30t64 control;

       Breaks: libgnutls30 (<< 3.8.9-3+deb13u1)
       Replaces: libgnutls30
       Provides: libgnutls30 (= 3.8.9-3+deb13u1)

    This leaves me with two options:
    - Download Asterisk from the Asterisk site and then compile.
    - Backport Asterisk 22 from Debian Unstable / Sid to Debian 13

    As a little test I built a backport to 12. This does produce packages,
    but I did not test these.

    So what does one recommend?


You should probably build a modern version of Asterisk on your own.

I was just reading about the latest releases of Asterisk due to security bugs.  The latest Asterisk versions are 23.2.2 and 22.8.2 (and 21.12.1 and 20.18.2).  Also see <https://seclists.org/fulldisclosure/2026/Feb/> and <https://github.com/asterisk/asterisk>.

The speed at which security patches are implemented is an issue. I'm not sure what a releasable time would be.


One of the difficulties with asterisk security is that few people run a truly open system, and most setups use a tiny fraction of the possible configuration options.

This means that even easily exploitable bugs might, in practice, be vanishingly unlikely to be exposed to attackers.

In my own setup, only whitelisted clients can connect and I only use pjsip. Firewalling is independent of asterisk. Therefore it's unlikely that a bug in asterisk is actually exploitable on my setup. (I still keep up-to-date with latest sid but I don't subscribe to bug/security lists)

With a default Debian install, the files in /etc/asterisk/ are owned asterisk:asterisk. I always change that to root:asterisk. This way the daemon can't write to its own config files.
And there is a firewall and access control lists.
So I'm not overly worried.

Whenever I build a backport I install a cron job to keep track of changes. Currently that's a cronjob for RDAP.

Asterisk in Sid just changed from 20.8.0 to 20.8.2. So that's four days after the original security release.

Building the backport complains about missing symbols.
As it turns out, some of those are in the asterisk binary. The rest is in glibc.
Now I know where to look for missing symbols.


Regards,
Rob
--
Safe internet for everyone: <https://www.freedom.nl/en>
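
The root:asterisk ownership change described in the message above can be checked with a short audit. This is an added example, not part of the original thread; audit_conf_dir is a hypothetical helper name, and the user and group names in the usage line are assumed to be "asterisk" as in the post.

```shell
#!/bin/sh
# Added example, not from the thread. audit_conf_dir is a hypothetical helper.
# Lists every path under DIR that the daemon account could modify:
#   - owned by the daemon user (an owner can always chmod its own files),
#   - group-writable and in the daemon's group,
#   - world-writable.
# Directories are included: write access to a directory allows replacing
# the files inside it. Symlinks are skipped because their mode bits are
# not meaningful.
audit_conf_dir() {
    dir=$1 user=$2 group=$3
    find "$dir" ! -type l \( \
        -user "$user" \
        -o \( -group "$group" -perm -020 \) \
        -o -perm -002 \
    \) -print
}

# Usage (names assumed from the post): sh audit.sh /etc/asterisk asterisk asterisk
if [ "$#" -eq 3 ]; then
    findings=$(audit_conf_dir "$1" "$2" "$3")
    if [ -n "$findings" ]; then
        printf 'Modifiable by %s:\n%s\n' "$2" "$findings"
    else
        printf 'OK: %s cannot modify anything under %s\n' "$2" "$1"
    fi
fi
```

A tree that is root:asterisk with mode 0640 on files and 0750 on directories produces no findings; the default asterisk:asterisk ownership lists every path.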