• Bug#1106530: asterisk: CVE-2025-47780

    From Salvatore Bonaccorso@21:1/5 to All on Sun May 25 16:30:01 2025
    Source: asterisk
    Version: 1:22.3.0~dfsg+~cs6.15.60671435-1
    Severity: grave
    Tags: security upstream
    Justification: user security hole
    X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>

    Hi,

    The following vulnerability was published for asterisk.

    CVE-2025-47780[0]:
    | Asterisk is an open-source private branch exchange (PBX). Prior to
    | versions 18.26.2, 20.14.1, 21.9.1, and 22.4.1 of Asterisk and
    | versions 18.9-cert14 and 20.7-cert5 of certified-asterisk, trying to
    | disallow shell commands to be run via the Asterisk command line
    | interface (CLI) by configuring `cli_permissions.conf` (e.g. with the
    | config line `deny=!*`) does not work which could lead to a security
    | risk. If an administrator running an Asterisk instance relies on the
    | `cli_permissions.conf` file to work and expects it to deny all
    | attempts to execute shell commands, then this could lead to a
    | security vulnerability. Versions 18.26.2, 20.14.1, 21.9.1, and
    | 22.4.1 of Asterisk and versions 18.9-cert14 and 20.7-cert5 of
    | certified-asterisk fix the issue.


    If you fix the vulnerability please also make sure to include the
    CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

    For further information see:

    [0] https://security-tracker.debian.org/tracker/CVE-2025-47780
    https://www.cve.org/CVERecord?id=CVE-2025-47780
    [1] https://github.com/asterisk/asterisk/security/advisories/GHSA-c7p6-7mvq-8jq2
    [2] https://github.com/asterisk/asterisk/commit/9bcdef268432e7591142b1b8de38b2e7871566a5

    Please adjust the affected versions in the BTS as needed.

    Regards,
    Salvatore

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
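As an added example (not part of the bug report, of Debian's tooling or of Asterisk itself), a small triage helper that classifies an installed version against the fixed versions named in the CVE text above. It accepts either the Debian package version string used in this bug (e.g. 1:22.3.0~dfsg+~cs6.15.60671435-1) or an `asterisk -V`-style banner; the banner shapes "Asterisk X.Y.Z" and "Asterisk certified/X.Y-certN" are assumptions here, not taken from the page.

```python
import re
from typing import Optional

# Fixed versions as stated in the CVE-2025-47780 text: the first release on
# each branch where cli_permissions.conf deny rules (e.g. deny=!*) take effect.
FIXED_RELEASES = {18: (18, 26, 2), 20: (20, 14, 1), 21: (21, 9, 1), 22: (22, 4, 1)}
# certified-asterisk: (major, minor) branch -> first fixed "-certN" number.
FIXED_CERTIFIED = {(18, 9): 14, (20, 7): 5}

# "Asterisk 22.3.0" is the assumed shape of the `asterisk -V` banner; the
# Debian form "1:22.3.0~dfsg+~cs6.15.60671435-1" (epoch, then upstream
# version, then packaging suffix) is the one quoted in the bug report.
_RELEASE = re.compile(r"^(?:Asterisk\s+|\d+:)?(\d+)\.(\d+)\.(\d+)")
_CERTIFIED = re.compile(r"^(?:Asterisk\s+)?certified/(\d+)\.(\d+)-cert(\d+)")


def is_vulnerable(version: str) -> Optional[bool]:
    """True if this Asterisk version still ignores cli_permissions.conf deny
    rules (CVE-2025-47780), False if it carries the fix, None if the string
    is unrecognised or its branch is not listed in the advisory."""
    version = version.strip()
    m = _CERTIFIED.match(version)
    if m:
        major, minor, cert = (int(x) for x in m.groups())
        fixed_cert = FIXED_CERTIFIED.get((major, minor))
        return None if fixed_cert is None else cert < fixed_cert
    m = _RELEASE.match(version)
    if m:
        ver = tuple(int(x) for x in m.groups())
        fixed = FIXED_RELEASES.get(ver[0])
        return None if fixed is None else ver < fixed
    return None


if __name__ == "__main__":
    # Constructed samples: the two Debian versions named in this bug, plus
    # upstream and certified banners in the assumed `asterisk -V` format.
    for sample in ("1:22.3.0~dfsg+~cs6.15.60671435-1",
                   "1:22.4.1~dfsg+~cs6.15.60671435-1",
                   "Asterisk 20.13.0", "Asterisk 21.9.1",
                   "Asterisk certified/18.9-cert13",
                   "Asterisk certified/20.7-cert5",
                   "Asterisk 16.30.0"):
        print(f"{sample:40s} vulnerable={is_vulnerable(sample)}")
```

A None result means the branch is not covered by the advisory (for example an end-of-life series), so it should be treated as unknown rather than as safe.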
  • From Debian Bug Tracking System@21:1/5 to All on Tue May 27 15:10:01 2025

    Your message dated Tue, 27 May 2025 13:04:50 +0000
    with message-id <E1uJtz8-00DcNS-Nd@fasolo.debian.org>
    and subject line Bug#1106530: fixed in asterisk 1:22.4.1~dfsg+~cs6.15.60671435-1
    has caused the Debian Bug report #1106530,
    regarding asterisk: CVE-2025-47780
    to be marked as done.

    This means that you claim that the problem has been dealt with.
    If this is not the case it is now your responsibility to reopen the
    Bug report if necessary, and/or fix the problem forthwith.

    (NB: If you are a system administrator and have no idea what this
    message is talking about, this may indicate a serious mail system
    misconfiguration somewhere. Please contact owner@bugs.debian.org
    immediately.)


    --
    1106530: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1106530
    Debian Bug Tracking System
    Contact owner@bugs.debian.org with problems
