Source: asterisk
Version: 1:22.3.0~dfsg+~cs6.15.60671435-1
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerability was published for asterisk.

CVE-2025-47780[0]:
| Asterisk is an open-source private branch exchange (PBX). Prior to
| versions 18.26.2, 20.14.1, 21.9.1, and 22.4.1 of Asterisk and
| versions 18.9-cert14 and 20.7-cert5 of certified-asterisk, trying to
| disallow shell commands to be run via the Asterisk command line
| interface (CLI) by configuring `cli_permissions.conf` (e.g. with the
| config line `deny=!*`) does not work which could lead to a security
| risk. If an administrator running an Asterisk instance relies on the
| `cli_permissions.conf` file to work and expects it to deny all
| attempts to execute shell commands, then this could lead to a
| security vulnerability. Versions 18.26.2, 20.14.1, 21.9.1, and
| 22.4.1 of Asterisk and versions 18.9-cert14 and 20.7-cert5 of
| certified-asterisk fix the issue.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-47780
    https://www.cve.org/CVERecord?id=CVE-2025-47780
[1] https://github.com/asterisk/asterisk/security/advisories/GHSA-c7p6-7mvq-8jq2
[2] https://github.com/asterisk/asterisk/commit/9bcdef268432e7591142b1b8de38b2e7871566a5

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
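An added triage helper, not part of this bug report or of the Asterisk project: it compares an installed version against the fixed releases quoted above and flags hosts whose cli_permissions.conf carries a `deny=!*` rule the operator is relying on. It assumes the version string looks like the output of `asterisk -V` ("Asterisk 22.3.0" or "18.9-cert13"); the sample config is constructed.

```python
import re

# First fixed release per branch, taken from the CVE-2025-47780 text above.
FIXED_MAINLINE = {18: (18, 26, 2), 20: (20, 14, 1), 21: (21, 9, 1), 22: (22, 4, 1)}
FIXED_CERT = {18: (18, 9, 14), 20: (20, 7, 5)}  # certified: (major, minor, certN)
VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-cert(\d+))?")
DENY_SHELL_RE = re.compile(r"^\s*deny\s*=\s*!\*\s*$")

def parse_version(text):
    """Parse 'Asterisk 22.3.0' or '18.9-cert13' (assumed `asterisk -V` style)
    into (is_certified, comparable version tuple)."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no Asterisk version found in {text!r}")
    major, minor, patch, cert = (int(x) if x else 0 for x in m.groups())
    if m.group(4) is not None:
        return True, (major, minor, cert)
    return False, (major, minor, patch)

def is_affected(version_text):
    """True if older than the first fixed release on its branch, False if fixed,
    None for branches the advisory does not list (e.g. EOL 19.x)."""
    is_cert, ver = parse_version(version_text)
    fixed = (FIXED_CERT if is_cert else FIXED_MAINLINE).get(ver[0])
    return None if fixed is None else ver < fixed

def relies_on_cli_deny(config_text):
    """True if cli_permissions.conf has an active `deny=!*` rule, i.e. the
    operator expects shell commands to be blocked; ';' comments are ignored."""
    return any(DENY_SHELL_RE.match(line.split(";", 1)[0])
               for line in config_text.splitlines())

def assess(version_text, config_text):
    """at_risk: a vulnerable build whose operator relies on the deny rule."""
    affected = is_affected(version_text)
    relies = relies_on_cli_deny(config_text)
    return {"affected": affected, "relies_on_deny": relies,
            "at_risk": affected is True and relies}

# Constructed sample config, not taken from any real host.
SAMPLE_CONF = """[admin]
deny=!*   ; operator expects this to block shell escapes
permit=core show*
"""

if __name__ == "__main__":
    for v in ("Asterisk 22.3.0", "Asterisk 22.4.1", "Asterisk 18.9-cert13"):
        print(v, assess(v, SAMPLE_CONF))
```

A `None` result for "affected" means the branch is not covered by the advisory text and needs a manual check rather than being treated as safe.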