Your message dated Sun, 03 Aug 2025 09:34:27 +0000
with message-id <[email protected]>
and subject line Bug#1110317: fixed in asterisk 1:22.5.1~dfsg+~cs6.15.60671435-1
has caused the Debian Bug report #1110317,
regarding asterisk: CVE-2025-49832
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1110317: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1110317
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: asterisk
Version: 1:22.4.1~dfsg+~cs6.15.60671435-2
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for asterisk.
CVE-2025-49832[0]:
| Asterisk is an open source private branch exchange and telephony
| toolkit. In versions up to and including 18.26.2, between 20.00.0
| and 20.15.0, 20.7-cert6, 21.00.0, 22.00.0 through 22.5.0, there is a
| remote DoS and possible RCE condition in
| `asterisk/res/res_stir_shaken/verification.c` that can be exploited
| when an attacker can set an arbitrary Identity header, or
| STIR/SHAKEN is enabled, with verification set in the SIP profile
| associated with the endpoint to be attacked. This is fixed in
| versions 18.26.3, 20.7-cert6, 20.15.1, 21.10.1 and 22.5.1.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2025-49832
https://www.cve.org/CVERecord?id=CVE-2025-49832
[1] https://github.com/asterisk/asterisk/security/advisories/GHSA-mrq5-74j5-f5cr
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: asterisk
Source-Version: 1:22.5.1~dfsg+~cs6.15.60671435-1
Done: Jonas Smedegaard <[email protected]>
We believe that the bug you reported is fixed in the latest version of
asterisk, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Jonas Smedegaard <[email protected]> (supplier of updated asterisk package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sun, 03 Aug 2025 11:18:38 +0200
Source: asterisk
Architecture: source
Version: 1:22.5.1~dfsg+~cs6.15.60671435-1
Distribution: unstable
Urgency: medium
Maintainer: Debian VoIP Team <[email protected]>
Changed-By: Jonas Smedegaard <[email protected]>
Closes: 1110317
Changes:
asterisk (1:22.5.1~dfsg+~cs6.15.60671435-1) unstable; urgency=medium
.
[ upstream ]
* new release(s)
+ test for missing semicolon in res_stir_shaken Identity header;
CVE-2025-49832;
closes: bug#1110317, thanks to Salvatore Bonaccorso
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---
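The changelog above describes the upstream fix as a test for a missing semicolon in the res_stir_shaken Identity header. The following is an added illustration of that kind of check, not Asterisk's code and not part of the original messages: it assumes the RFC 8224 layout `<token>;info=<url>;...`, and the names `split_identity` and `ident_rc` and the sample values are hypothetical.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical result codes for this illustration. */
enum ident_rc { IDENT_OK = 0, IDENT_BAD_ARGS = -1, IDENT_NO_SEMICOLON = -2,
                IDENT_EMPTY_TOKEN = -3, IDENT_TOO_LONG = -4 };

/*
 * Split an Identity header value "<token>;info=<url>;..." into the token
 * (copied into a caller-supplied buffer) and a pointer to the parameters.
 * The strchr() result and every length are checked before use.
 */
static int split_identity(const char *value, char *token, size_t token_sz,
                          const char **params)
{
    const char *semi;
    size_t len;

    if (!value || !token || token_sz == 0 || !params)
        return IDENT_BAD_ARGS;
    token[0] = '\0';
    *params = NULL;

    semi = strchr(value, ';');
    if (!semi)                      /* the case the changelog names */
        return IDENT_NO_SEMICOLON;

    len = (size_t)(semi - value);
    if (len == 0)
        return IDENT_EMPTY_TOKEN;
    if (len >= token_sz)            /* keep room for the terminator */
        return IDENT_TOO_LONG;

    memcpy(token, value, len);
    token[len] = '\0';
    *params = semi + 1;
    return IDENT_OK;
}

int main(void)
{
    /* Constructed sample values, not taken from real traffic. */
    const char *good = "aaa.bbb.ccc;info=<https://example.invalid/c.pem>;alg=ES256";
    const char *bad = "aaa.bbb.ccc";
    char tok[64];
    const char *p;

    printf("good: %d\n", split_identity(good, tok, sizeof tok, &p));
    printf("bad:  %d\n", split_identity(bad, tok, sizeof tok, &p));
    return 0;
}
```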