Message-ID: <0100019c2eb50d6b-19a1038f-fe64-4879-87ad-95c22d4690a8-000000@email.amazonses.com>
Date: Thu, 5 Feb 2026 16:49:03 +0000
From: Asterisk Development Team via Fulldisclosure <fulldisclosure@...lists.org>
To: asterisk-dev@...ups.io, fulldisclosure@...lists.org, asterisk+news@...coursemail.com
Cc: Asterisk Development Team <asteriskteam@...goma.com>
Subject: [FD] Asterisk Security Release 20.18.2
The Asterisk Development Team would like to announce security release
Asterisk 20.18.2.
The release artifacts are available for immediate download at
https://github.com/asterisk/asterisk/releases/tag/20.18.2
and
https://downloads.asterisk.org/pub/telephony/asterisk
Repository: https://github.com/asterisk/asterisk
Tag: 20.18.2
## Change Log for Release asterisk-20.18.2
### Links:
- [Full ChangeLog](https://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-20.18.2.html)
- [GitHub Diff](https://github.com/asterisk/asterisk/compare/20.18.1...20.18.2)
- [Tarball](https://downloads.asterisk.org/pub/telephony/asterisk/asterisk-20.18.2.tar.gz)
- [Downloads](https://downloads.asterisk.org/pub/telephony/asterisk)
### Summary:
- Commits: 4
- Commit Authors: 2
- Issues Resolved: 0
- Security Advisories Resolved: 4
  - [GHSA-85x7-54wr-vh42](https://github.com/asterisk/asterisk/security/advisories/GHSA-85x7-54wr-vh42): Asterisk xml.c uses unsafe XML_PARSE_NOENT leading to potential XXE Injection
  - [GHSA-rvch-3jmx-3jf3](https://github.com/asterisk/asterisk/security/advisories/GHSA-rvch-3jmx-3jf3): ast_coredumper running as root sources ast_debug_tools.conf from /etc/asterisk; potentially leading to privilege escalation
  - [GHSA-v6hp-wh3r-cwxh](https://github.com/asterisk/asterisk/security/advisories/GHSA-v6hp-wh3r-cwxh): The Asterisk embedded web server's /httpstatus page echoes user supplied values (cookie and query string) without sanitization
  - [GHSA-xpc6-x892-v83c](https://github.com/asterisk/asterisk/security/advisories/GHSA-xpc6-x892-v83c): ast_coredumper runs as root, and writes gdb init file to world writable folder; leading to potential privilege escalation
### User Notes:
- #### ast_coredumper: check ast_debug_tools.conf permissions
  ast_debug_tools.conf must be owned by root and not be
  writable by other users or groups to be used by ast_coredumper or
  by ast_logescalator or ast_loggrabber when run as root.
### Upgrade Notes:
- #### http.c: Change httpstatus to default disabled and sanitize output.
  To prevent possible security issues, the `/httpstatus` page
  served by the internal web server is now disabled by default. To explicitly
  enable it, set `enable_status=yes` in http.conf.
### Developer Notes:
### Commit Authors:
- George Joseph: (2)
- Mike Bradeen: (2)
## Issue and Commit Detail:
### Closed Issues:
- !GHSA-85x7-54wr-vh42: Asterisk xml.c uses unsafe XML_PARSE_NOENT leading to potential XXE Injection
- !GHSA-rvch-3jmx-3jf3: ast_coredumper running as root sources ast_debug_tools.conf from /etc/asterisk; potentially leading to privilege escalation
- !GHSA-v6hp-wh3r-cwxh: The Asterisk embedded web server's /httpstatus page echoes user supplied values (cookie and query string) without sanitization
- !GHSA-xpc6-x892-v83c: ast_coredumper runs as root, and writes gdb init file to world writable folder; leading to potential privilege escalation
### Commits By Author:
- #### George Joseph (2):
- #### Mike Bradeen (2):
### Commit List:
- xml.c: Replace XML_PARSE_NOENT with XML_PARSE_NONET for xmlReadFile.
- ast_coredumper: check ast_debug_tools.conf permissions
- http.c: Change httpstatus to default disabled and sanitize output.
- ast_coredumper: create gdbinit file with restrictive permissions
### Commit Details:
#### xml.c: Replace XML_PARSE_NOENT with XML_PARSE_NONET for xmlReadFile.
Author: George Joseph
Date: 2026-01-15
The xmlReadFile XML_PARSE_NOENT flag, which allows parsing of external
entities, could allow a potential XXE injection attack. Replacing it with
XML_PARSE_NONET, which prevents network access, is safer.
Resolves: #GHSA-85x7-54wr-vh42
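The commit above swaps one libxml2 flag for another; the following is an added illustration of what that flag change prevents, written here for this announcement and not taken from Asterisk's xml.c. It uses Python's stdlib expat bindings instead of libxml2, so `build_document`, `parse_substituting`, `parse_hardened` and `demo` are this example's own names, and the entity-substituting path is a deliberate stand-in for what XML_PARSE_NOENT does. The document and the "secret" file it points at are constructed in a temporary directory.

```python
import os
import tempfile
from xml.parsers import expat


def build_document(entity_path: str) -> bytes:
    """Constructed sample: the internal DTD subset declares an external
    general entity whose SYSTEM id is a local file, and the body
    references it. This is the input shape an entity-substituting
    parser (libxml2 with XML_PARSE_NOENT) expands into the document."""
    return (
        '<?xml version="1.0"?>\n'
        f'<!DOCTYPE config [ <!ENTITY ext SYSTEM "{entity_path}"> ]>\n'
        "<config><value>&ext;</value></config>\n"
    ).encode()


def parse_substituting(data: bytes) -> str:
    """Entity-substituting parse (the behaviour the release removes):
    resolve each external entity reference and splice the file's text
    into the character data. Returns the collected text."""
    collected = []
    parser = expat.ParserCreate()

    def on_external_entity(context, base, system_id, public_id):
        # Expat only reports the system id; the application (or a
        # library with substitution enabled) is what actually opens it.
        child = parser.ExternalEntityParserCreate(context)
        with open(system_id, "rb") as fh:
            child.Parse(fh.read(), True)
        return 1  # non-zero tells expat to continue

    parser.CharacterDataHandler = collected.append
    parser.ExternalEntityRefHandler = on_external_entity
    parser.Parse(data, True)
    return "".join(collected)


class ExternalEntityRejected(ValueError):
    """Raised when a document declares an external (SYSTEM/PUBLIC) entity."""


def parse_hardened(data: bytes) -> str:
    """Hardened parse: fail closed as soon as an external entity is
    declared, before any reference to it can be resolved. No
    ExternalEntityRefHandler is installed either, so nothing is fetched
    even if a declaration were to slip through."""
    collected = []
    parser = expat.ParserCreate()

    def on_entity_decl(name, is_parameter, value, base, system_id,
                       public_id, notation):
        if system_id is not None or public_id is not None:
            raise ExternalEntityRejected(
                f"entity {name!r} refers to external id {system_id!r}")

    parser.EntityDeclHandler = on_entity_decl
    parser.CharacterDataHandler = collected.append
    parser.Parse(data, True)
    return "".join(collected)


def demo() -> tuple:
    """Run both parsers over a constructed document and file.
    Returns (text leaked by the substituting parse, hardened parse rejected?)."""
    workdir = tempfile.mkdtemp()
    secret = os.path.join(workdir, "local-secret.txt")
    with open(secret, "w") as fh:
        fh.write("CONSTRUCTED-SECRET")  # constructed stand-in for any local file
    doc = build_document(secret)
    leaked = parse_substituting(doc)
    try:
        parse_hardened(doc)
        rejected = False
    except ExternalEntityRejected:
        rejected = True
    return leaked, rejected


if __name__ == "__main__":
    print(demo())  # ('CONSTRUCTED-SECRET', True)
```

The hardened parser rejects at declaration time rather than at reference time: that matters because a declaration can also be used through parameter entities or in error messages, so checking only where `&ext;` appears is too late. In libxml2 terms the same fail-closed posture is "no XML_PARSE_NOENT, no XML_PARSE_DTDLOAD", with XML_PARSE_NONET as the additional network guard the commit adds.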
#### ast_coredumper: check ast_debug_tools.conf permissions
Author: Mike Bradeen
Date: 2026-01-15
Prevent ast_coredumper from using ast_debug_tools.conf files that are
not owned by root or are writable by other users or groups.
Prevent ast_logescalator and ast_loggrabber from doing the same if
they are run as root.
Resolves: #GHSA-rvch-3jmx-3jf3
UserNote: ast_debug_tools.conf must be owned by root and not be
writable by other users or groups to be used by ast_coredumper or
by ast_logescalator or ast_loggrabber when run as root.
#### http.c: Change httpstatus to default disabled and sanitize output.
Author: George Joseph
Date: 2026-01-15
To address potential security issues, the httpstatus page is now disabled
by default and the echoed query string and cookie output is HTML-escaped.
Resolves: #GHSA-v6hp-wh3r-cwxh
UpgradeNote: To prevent possible security issues, the `/httpstatus` page
served by the internal web server is now disabled by default. To explicitly
enable it, set `enable_status=yes` in http.conf.
#### ast_coredumper: create gdbinit file with restrictive permissions
Author: Mike Bradeen
Date: 2026-01-15
Modify gdbinit to use the install command with explicit permissions (-m 600)
when creating the .ast_coredumper.gdbinit file. This ensures the file is
created with restricted permissions (readable/writable only by the owner)
to avoid potential privilege escalation.
Resolves: #GHSA-xpc6-x892-v83c
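The two ast_coredumper commits in this release (the ast_debug_tools.conf ownership and write-permission check, and creating .ast_coredumper.gdbinit with `install -m 600`) apply the same file-hygiene rules that any root-run helper should. The example below is added here and is not the project's bash script: `config_is_trusted` and `create_private_file` are this example's own names, the Python calls stand in for the shell tests and `install -m 600`, and the sample config text and gdbinit content are constructed. It also goes slightly beyond the commit text by refusing symlinks (via `lstat` and `O_NOFOLLOW`), which is an assumption about good practice rather than something the release notes state. `demo` defaults to the current user's uid so it can run unprivileged; a deployment check would pass 0.

```python
import os
import stat
import tempfile


def config_is_trusted(path: str, required_uid: int = 0) -> bool:
    """True only if `path` is a regular file owned by `required_uid`
    (root by default) and not writable by group or others. This is the
    rule the release applies to ast_debug_tools.conf before a root-run
    script sources it. lstat is used so that a symlink to some other
    file does not inherit the target's trust."""
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return False
    if not stat.S_ISREG(st.st_mode):
        return False  # symlinks, directories, devices are all rejected
    if st.st_uid != required_uid:
        return False
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        return False
    return True


def create_private_file(path: str, content: str) -> str:
    """Create `path` with mode 0600 and refuse to reuse or follow anything
    already present (O_EXCL, O_NOFOLLOW). This is the equivalent of the
    release's `install -m 600` for the gdbinit file: in a shared directory
    a pre-existing file or symlink planted by another user must never be
    opened, truncated or written through."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)  # mode applied at creation, not after
    with os.fdopen(fd, "w") as fh:
        fh.write(content)
    return path


def private_file_mode(path: str) -> int:
    """Permission bits of `path` (e.g. 0o600), ignoring file type bits."""
    return stat.S_IMODE(os.lstat(path).st_mode)


def demo(owner_uid=None) -> dict:
    """Exercise both checks in a fresh temporary directory."""
    if owner_uid is None:
        owner_uid = os.getuid()
    workdir = tempfile.mkdtemp()
    conf = os.path.join(workdir, "ast_debug_tools.conf")
    with open(conf, "w") as fh:
        fh.write("# constructed sample config\n")
    results = {}
    os.chmod(conf, 0o644)
    results["owner_only_writable"] = config_is_trusted(conf, owner_uid)
    os.chmod(conf, 0o664)
    results["group_writable"] = config_is_trusted(conf, owner_uid)
    os.chmod(conf, 0o644)
    results["wrong_owner"] = config_is_trusted(conf, owner_uid + 1)
    link = os.path.join(workdir, "ast_debug_tools.conf.link")
    os.symlink(conf, link)
    results["symlink"] = config_is_trusted(link, owner_uid)
    gdbinit = os.path.join(workdir, ".ast_coredumper.gdbinit")
    create_private_file(gdbinit, "# constructed gdbinit content\n")
    results["gdbinit_mode"] = oct(private_file_mode(gdbinit))
    try:
        create_private_file(gdbinit, "second writer\n")
        results["reuse_refused"] = False
    except FileExistsError:
        results["reuse_refused"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

Two details carry the weight here. The mode is passed to `open(2)` at creation rather than fixed up with a later `chmod`, so there is no window in which the file exists with default permissions; and `O_EXCL` turns "a file with that name already exists" into a hard failure instead of silently writing into something another user prepared, which is the condition the world-writable-directory advisory describes.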
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/