| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <db5de662-9a09-3b49-1388-7e9201f25b05@sangoma.com> Date: Thu, 09 Jan 2025 20:22:31 +0000 From: Asterisk Development Team via Fulldisclosure <fulldisclosure@...lists.org> To: asterisk-dev@...ups.io, voipsec@...psa.org, fulldisclosure@...lists.org, asterisk+news@...coursemail.com Cc: Asterisk Development Team <asteriskteamsa@...goma.com> Subject: [FD] Certified Asterisk Security Release certified-20.7-cert4 The Asterisk Development Team would like to announce security release Certified Asterisk 20.7-cert4. The release artifacts are available for immediate download at https://github.com/asterisk/asterisk/releases/tag/certified-20.7-cert4 and https://downloads.asterisk.org/pub/telephony/certified-asterisk Repository: https://github.com/asterisk/asterisk Tag: certified-20.7-cert4 ## Change Log for Release asterisk-certified-20.7-cert4 ### Links: - [Full ChangeLog](https://downloads.asterisk.org/pub/telephony/certified-asterisk/releases/ChangeLog-certified-20.7-cert4.md) - [GitHub Diff](https://github.com/asterisk/asterisk/compare/certified-20.7-cert3...certified-20.7-cert4) - [Tarball](https://downloads.asterisk.org/pub/telephony/certified-asterisk/asterisk-certified-20.7-cert4.tar.gz) - [Downloads](https://downloads.asterisk.org/pub/telephony/certified-asterisk) ### Summary: - Commits: 1 - Commit Authors: 1 - Issues Resolved: 0 - Security Advisories Resolved: 1 - [GHSA-33x6-fj46-6rfh](https://github.com/asterisk/asterisk/security/advisories/GHSA-33x6-fj46-6rfh): Path traversal via AMI ListCategories allows access to outside files ### User Notes: - #### manager.c: Restrict ListCategories to the configuration directory. The ListCategories AMI action now restricts files to the configured configuration directory. ### Upgrade Notes: ### Commit Authors: - Ben Ford: (1) ## Issue and Commit Detail: ### Closed Issues: - !GHSA-33x6-fj46-6rfh: Path traversal via AMI ListCategories allows access to outside files ### Commits By Author: - #### Ben Ford (1): - manager.c: Restrict ListCategories to the configuration directory. ### Commit List: - manager.c: Restrict ListCategories to the configuration directory. ### Commit Details: #### manager.c: Restrict ListCategories to the configuration directory. Author: Ben Ford Date: 2024-12-17 When using the ListCategories AMI action, it was possible to traverse upwards through the directories to files outside of the configured configuration directory. This action is now restricted to the configured directory and an error will now be returned if the specified file is outside of this limitation. Resolves: #GHSA-33x6-fj46-6rfh UserNote: The ListCategories AMI action now restricts files to the configured configuration directory. _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: https://seclists.org/fulldisclosure/
Powered by blists - more mailing lists