Source: asterisk
Version: 1:22.5.1~dfsg+~cs6.15.60671435-1
Severity: grave
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,

The following vulnerability was published for asterisk.

CVE-2025-57767[0]:
| Asterisk is an open source private branch exchange and telephony
| toolkit. Prior to versions 20.15.2, 21.10.2, and 22.5.2, if a SIP
| request is received with an Authorization header that contains a
| realm that wasn't in a previous 401 response's WWW-Authenticate
| header, or an Authorization header with an incorrect realm was
| received without a previous 401 response being sent, the
| get_authorization_header() function in
| res_pjsip_authenticator_digest will return a NULL. This wasn't being
| checked before attempting to get the digest algorithm from the
| header which causes a SEGV. This issue has been patched in versions
| 20.15.2, 21.10.2, and 22.5.2. There are no workarounds.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-57767
    https://www.cve.org/CVERecord?id=CVE-2025-57767
[1] https://github.com/asterisk/asterisk/security/advisories/GHSA-64qc-9x89-rx5j
[2] https://github.com/asterisk/asterisk/pull/1407
[3] https://github.com/asterisk/asterisk/commit/02993717b08f899d4aca9888062f35dfb198584f

Regards,
Salvatore
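The crash path the advisory describes, as an added example that is not Asterisk's code and not the patched res_pjsip_authenticator_digest: a small model of selecting the Digest Authorization header by realm, where the lookup returns NULL when the request's realm was never offered in our 401 (or no 401 was sent), shown with the unchecked dereference next to the checked form that re-challenges instead. All names (auth_header, find_authorization_header, handle_request, outcome, ...) and the sample header values are hypothetical/constructed; the "absent algorithm means MD5" default follows RFC 7616.

```c
/* Added example: models the realm lookup behind CVE-2025-57767.
 * Not Asterisk code; all identifiers are hypothetical. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MAX_PARAM 64

struct auth_header {
    char realm[MAX_PARAM];
    char username[MAX_PARAM];
    char algorithm[MAX_PARAM];   /* "" when the parameter is absent */
};

/* Extract parameter `name` from a Digest parameter list such as
 *   Digest username="alice", realm="asterisk", algorithm=SHA-256
 * Quoted and unquoted values are accepted. Returns 1 if found. */
static int digest_param(const char *hdr, const char *name, char *out, size_t outlen)
{
    size_t nlen = strlen(name);
    const char *p = hdr;
    while ((p = strstr(p, name)) != NULL) {
        /* only accept a match at a parameter boundary followed by '=' */
        int at_start = (p == hdr) || p[-1] == ' ' || p[-1] == ',' || p[-1] == '\t';
        const char *q = p + nlen;
        while (*q == ' ') q++;
        if (!at_start || *q != '=') { p += nlen; continue; }
        q++;
        while (*q == ' ') q++;
        size_t i = 0;
        if (*q == '"') {
            q++;
            while (*q && *q != '"' && i + 1 < outlen) out[i++] = *q++;
        } else {
            while (*q && *q != ',' && *q != ' ' && i + 1 < outlen) out[i++] = *q++;
        }
        out[i] = '\0';
        return 1;
    }
    return 0;
}

/* Parse one Authorization header. Returns 0 for a non-Digest header or
 * one without a realm (nothing to match against). */
static int parse_authorization(const char *raw, struct auth_header *out)
{
    memset(out, 0, sizeof *out);
    if (strncmp(raw, "Digest ", 7) != 0) return 0;
    if (!digest_param(raw, "realm", out->realm, sizeof out->realm)) return 0;
    digest_param(raw, "username", out->username, sizeof out->username);
    digest_param(raw, "algorithm", out->algorithm, sizeof out->algorithm);
    return 1;
}

/* The lookup the advisory describes: first parsed header whose realm is
 * one of the realms our 401 challenged with, otherwise NULL. */
static const struct auth_header *find_authorization_header(
    const struct auth_header *hdrs, size_t nhdrs,
    const char *const *challenged_realms, size_t nrealms)
{
    for (size_t i = 0; i < nhdrs; i++)
        for (size_t j = 0; j < nrealms; j++)
            if (strcmp(hdrs[i].realm, challenged_realms[j]) == 0)
                return &hdrs[i];
    return NULL;
}

/* Unpatched shape of the bug: no NULL check, so a request whose realm
 * never matched dereferences NULL right here (the SEGV). */
static const char *algorithm_unchecked(const struct auth_header *hdr)
{
    return hdr->algorithm[0] ? hdr->algorithm : "MD5";
}

static int ieq(const char *a, const char *b)   /* ASCII case-insensitive compare */
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return 0;
    return *a == *b;
}

/* Map the algorithm token to a canonical literal; NULL if unsupported. */
static const char *canonical_algorithm(const char *s)
{
    static const char *const known[] = { "MD5", "SHA-256", "SHA-512-256" };
    if (s[0] == '\0') return known[0];          /* RFC 7616: absent means MD5 */
    for (size_t i = 0; i < sizeof known / sizeof known[0]; i++)
        if (ieq(s, known[i])) return known[i];
    return NULL;
}

enum auth_result { AUTH_CHALLENGE, AUTH_UNSUPPORTED, AUTH_VERIFY };

/* Patched shape: NULL means no header matched, so re-challenge (send a
 * fresh 401) instead of reading hdr->algorithm through a NULL pointer. */
static enum auth_result algorithm_checked(const struct auth_header *hdr, const char **algo_out)
{
    *algo_out = NULL;
    if (hdr == NULL) return AUTH_CHALLENGE;
    *algo_out = canonical_algorithm(hdr->algorithm);
    return *algo_out ? AUTH_VERIFY : AUTH_UNSUPPORTED;
}

/* Whole path for one request against the realms our 401 offered. */
static enum auth_result handle_request(const char *authz,
    const char *const *challenged, size_t nrealms, const char **algo_out)
{
    struct auth_header hdr;
    const struct auth_header *found = NULL;
    if (parse_authorization(authz, &hdr))
        found = find_authorization_header(&hdr, 1, challenged, nrealms);
    return algorithm_checked(found, algo_out);
}

/* Single-realm conveniences used by main and by tests. */
static enum auth_result outcome(const char *authz, const char *realm)
{
    const char *algo;
    const char *const realms[] = { realm };
    return handle_request(authz, realms, 1, &algo);
}

static const char *negotiated_algorithm(const char *authz, const char *realm)
{
    const char *algo;
    const char *const realms[] = { realm };
    handle_request(authz, realms, 1, &algo);
    return algo;
}

int main(void)
{
    /* Constructed sample: our 401 offered realm "asterisk" only. */
    const char *const challenged[] = { "asterisk" };
    struct auth_header hdr;
    const struct auth_header *found;

    parse_authorization("Digest username=\"alice\", realm=\"asterisk\", nonce=\"abc\"", &hdr);
    found = find_authorization_header(&hdr, 1, challenged, 1);
    printf("matching realm, unchecked path is safe: %s\n", algorithm_unchecked(found));

    /* Realm never offered: the unchecked path would crash on NULL here. */
    const char *bad = "Digest username=\"alice\", realm=\"evil\", algorithm=SHA-256, nonce=\"abc\"";
    printf("unknown realm: %s\n",
           outcome(bad, "asterisk") == AUTH_CHALLENGE ? "no header matched, send 401 again" : "verify");
    return 0;
}
```

The same NULL result arises for a request that never saw a 401 at all (no challenged realm exists to match), so the checked path treats both cases identically: no verification is attempted and the client is challenged.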

