From 544aceb34f061af5371994e9e0701e0231d4409f Mon Sep 17 00:00:00 2001 From: Asterisk Development Team Date: Thu, 31 Jul 2025 16:30:17 +0000 Subject: [PATCH] Update for 18.26.3 --- .version | 2 +- CHANGES.html | 2 +- CHANGES.md | 2 +- ChangeLogs/ChangeLog-18.26.3.html | 78 ++++++++++++++++++++++++++++ ChangeLogs/ChangeLog-18.26.3.md | 86 +++++++++++++++++++++++++++++++ README.html | 2 +- 6 files changed, 168 insertions(+), 4 deletions(-) create mode 100644 ChangeLogs/ChangeLog-18.26.3.html create mode 100644 ChangeLogs/ChangeLog-18.26.3.md diff --git a/.version b/.version index e3154eb566..454db0eedc 100644 --- a/.version +++ b/.version @@ -1 +1 @@ -18.26.2 +18.26.3 diff --git a/CHANGES.html b/CHANGES.html index 23539d495e..1496c8c925 120000 --- a/CHANGES.html +++ b/CHANGES.html @@ -1 +1 @@ -ChangeLogs/ChangeLog-18.26.2.html \ No newline at end of file +ChangeLogs/ChangeLog-18.26.3.html \ No newline at end of file diff --git a/CHANGES.md b/CHANGES.md index 35aabbf103..98ffdaea4d 120000 --- a/CHANGES.md +++ b/CHANGES.md @@ -1 +1 @@ -ChangeLogs/ChangeLog-18.26.2.md \ No newline at end of file +ChangeLogs/ChangeLog-18.26.3.md \ No newline at end of file diff --git a/ChangeLogs/ChangeLog-18.26.3.html b/ChangeLogs/ChangeLog-18.26.3.html new file mode 100644 index 0000000000..d43fe0901e --- /dev/null +++ b/ChangeLogs/ChangeLog-18.26.3.html @@ -0,0 +1,78 @@ +ChangeLog for asterisk-18.26.3 +

Change Log for Release asterisk-18.26.3

Summary:

Commits: 2
Commit Authors: 2
Issues Resolved: 0
Security Advisories Resolved: 2
GHSA-mrq5-74j5-f5cr: Remote DoS and possible RCE in asterisk/res/res_stir_shaken/verification.c
GHSA-v9q8-9j8m-5xwp: Uncontrolled Search-Path Element in safe_asterisk script may allow local privilege escalation.

User Notes:

Upgrade Notes:

+
safe_asterisk: Add ownership checks for /etc/asterisk/startup.d and its files.
+ The safe_asterisk script now checks that, if it was run by the + root user, the /etc/asterisk/startup.d directory and all the files it contains + are owned by root. If the checks fail, safe_asterisk will exit with an error + and Asterisk will not be started. Additionally, the default logging + destination is now stderr instead of tty "9" which probably won't exist + in modern systems.

Developer Notes:

Commit Authors:

George Joseph: (1)
ThatTotallyRealMyth: (1)

Issue and Commit Detail:

Closed Issues:

!GHSA-mrq5-74j5-f5cr: Remote DoS and possible RCE in asterisk/res/res_stir_shaken/verification.c
!GHSA-v9q8-9j8m-5xwp: Uncontrolled Search-Path Element in safe_asterisk script may allow local privilege escalation.

Commits By Author:

+
George Joseph (1):
+
+
res_stir_shaken: Test for missing semicolon in Identity header.
+
+
ThatTotallyRealMyth (1):
+
safe_asterisk: Add ownership checks for /etc/asterisk/startup.d and its files.

Commit List:

safe_asterisk: Add ownership checks for /etc/asterisk/startup.d and its files.
res_stir_shaken: Test for missing semicolon in Identity header.

Commit Details:

safe_asterisk: Add ownership checks for /etc/asterisk/startup.d and its files.

Author: ThatTotallyRealMyth + Date: 2025-06-10

UpgradeNote: The safe_asterisk script now checks that, if it was run by the + root user, the /etc/asterisk/startup.d directory and all the files it contains + are owned by root. If the checks fail, safe_asterisk will exit with an error + and Asterisk will not be started. Additionally, the default logging + destination is now stderr instead of tty "9" which probably won't exist + in modern systems.

Resolves: #GHSA-v9q8-9j8m-5xwp

res_stir_shaken: Test for missing semicolon in Identity header.

Author: George Joseph + Date: 2025-07-31

ast_stir_shaken_vs_verify() now makes sure there's a semicolon in + the Identity header to prevent a possible segfault.

Resolves: #GHSA-mrq5-74j5-f5cr

+ diff --git a/ChangeLogs/ChangeLog-18.26.3.md b/ChangeLogs/ChangeLog-18.26.3.md new file mode 100644 index 0000000000..3c8056034b --- /dev/null +++ b/ChangeLogs/ChangeLog-18.26.3.md @@ -0,0 +1,86 @@ + +## Change Log for Release asterisk-18.26.3 + +### Links: + + - [Full ChangeLog](https://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-18.26.3.html) + - [GitHub Diff](https://github.com/asterisk/asterisk/compare/18.26.2...18.26.3) + - [Tarball](https://downloads.asterisk.org/pub/telephony/asterisk/asterisk-18.26.3.tar.gz) + - [Downloads](https://downloads.asterisk.org/pub/telephony/asterisk) + +### Summary: + +- Commits: 2 +- Commit Authors: 2 +- Issues Resolved: 0 +- Security Advisories Resolved: 2 + - [GHSA-mrq5-74j5-f5cr](https://github.com/asterisk/asterisk/security/advisories/GHSA-mrq5-74j5-f5cr): Remote DoS and possible RCE in asterisk/res/res_stir_shaken/verification.c + - [GHSA-v9q8-9j8m-5xwp](https://github.com/asterisk/asterisk/security/advisories/GHSA-v9q8-9j8m-5xwp): Uncontrolled Search-Path Element in safe_asterisk script may allow local privilege escalation. + +### User Notes: + + +### Upgrade Notes: + +- #### safe_asterisk: Add ownership checks for /etc/asterisk/startup.d and its files. + The safe_asterisk script now checks that, if it was run by the + root user, the /etc/asterisk/startup.d directory and all the files it contains + are owned by root. If the checks fail, safe_asterisk will exit with an error + and Asterisk will not be started. Additionally, the default logging + destination is now stderr instead of tty "9" which probably won't exist + in modern systems. + + +### Developer Notes: + + +### Commit Authors: + +- George Joseph: (1) +- ThatTotallyRealMyth: (1) + +## Issue and Commit Detail: + +### Closed Issues: + + - !GHSA-mrq5-74j5-f5cr: Remote DoS and possible RCE in asterisk/res/res_stir_shaken/verification.c + - !GHSA-v9q8-9j8m-5xwp: Uncontrolled Search-Path Element in safe_asterisk script may allow local privilege escalation. + +### Commits By Author: + +- #### George Joseph (1): + - res_stir_shaken: Test for missing semicolon in Identity header. + +- #### ThatTotallyRealMyth (1): + - safe_asterisk: Add ownership checks for /etc/asterisk/startup.d and its files. + + +### Commit List: + +- safe_asterisk: Add ownership checks for /etc/asterisk/startup.d and its files. +- res_stir_shaken: Test for missing semicolon in Identity header. + +### Commit Details: + +#### safe_asterisk: Add ownership checks for /etc/asterisk/startup.d and its files. + Author: ThatTotallyRealMyth + Date: 2025-06-10 + + UpgradeNote: The safe_asterisk script now checks that, if it was run by the + root user, the /etc/asterisk/startup.d directory and all the files it contains + are owned by root. If the checks fail, safe_asterisk will exit with an error + and Asterisk will not be started. Additionally, the default logging + destination is now stderr instead of tty "9" which probably won't exist + in modern systems. + + Resolves: #GHSA-v9q8-9j8m-5xwp + +#### res_stir_shaken: Test for missing semicolon in Identity header. + Author: George Joseph + Date: 2025-07-31 + + ast_stir_shaken_vs_verify() now makes sure there's a semicolon in + the Identity header to prevent a possible segfault. + + Resolves: #GHSA-mrq5-74j5-f5cr + diff --git a/README.html b/README.html index 482f264bf3..6cbfeec8ea 100644 --- a/README.html +++ b/README.html @@ -1,4 +1,4 @@ -Readme for asterisk-18.26.2 +Readme for asterisk-18.26.3

The Asterisk(R) Open Source PBX

        By Mark Spencer <markster@digium.com> and the Asterisk.org developer community.
         Copyright (C) 2001-2021 Sangoma Technologies Corporation and other copyright holders.
-- 
2.47.2