• Bug#1106528: asterisk: CVE-2025-47779

    From Salvatore Bonaccorso@21:1/5 to All on Sun May 25 16:30:01 2025
    Source: asterisk
    Version: 1:22.3.0~dfsg+~cs6.15.60671435-1
    Severity: grave
    Tags: security upstream
    Justification: user security hole
    X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>

    Hi,

    The following vulnerability was published for asterisk.

    CVE-2025-47779[0]:
    | Asterisk is an open-source private branch exchange (PBX). Prior to
    | versions 18.26.2, 20.14.1, 21.9.1, and 22.4.1 of Asterisk and
    | versions 18.9-cert14 and 20.7-cert5 of certified-asterisk,
    | authentication for SIP requests of the type MESSAGE (RFC 3428) does
    | not get proper alignment. An authenticated attacker can spoof any
    | user identity to send spam messages to the user with their
    | authorization token. Abuse of this security issue allows
    | authenticated attackers to send fake chat messages that can be
    | spoofed to appear to come from trusted entities. Even administrators
    | who follow Security best practices and Security Considerations can
    | be impacted. Therefore, abuse can lead to spam and enable social
    | engineering, phishing and similar attacks. Versions 18.26.2, 20.14.1,
    | 21.9.1, and 22.4.1 of Asterisk and versions 18.9-cert14 and
    | 20.7-cert5 of certified-asterisk fix the issue.


    If you fix the vulnerability please also make sure to include the
    CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

    For further information see:

    [0] https://security-tracker.debian.org/tracker/CVE-2025-47779
    https://www.cve.org/CVERecord?id=CVE-2025-47779
    [1] https://github.com/asterisk/asterisk/security/advisories/GHSA-2grh-7mhv-fcfw
    [2] https://github.com/asterisk/asterisk/commit/3d117fbb39cf192b67dfafd38acb64e0e5b31f3a

    Please adjust the affected versions in the BTS as needed.

    Regards,
    Salvatore

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
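The bug class in the advisory above, shown as an added example that is not part of the bug report, of Asterisk, or of the fix in the linked commit: a SIP MESSAGE request carries two identities, the one proven by the Digest credentials and the one claimed in the From header, and a server that authenticates the request without comparing the two lets any authenticated user send a message that appears to come from someone else. The check below parses a MESSAGE request, extracts both identities and rejects the request when they differ. The function names, the assumption that the Digest username is the authenticated identity, and the two sample requests (one honest, one spoofing the From header) are all constructed for this illustration.

```python
"""Identity-alignment check for SIP MESSAGE requests (RFC 3428).

Constructed illustration, not Asterisk's code: it models the class of bug
described in CVE-2025-47779 (the authenticated identity is not compared
with the identity claimed in the From header). Assumption: the Digest
Authorization username is the authenticated identity.
"""
import re

# RFC 3261 compact header names a client may send instead of the long form.
COMPACT_HEADERS = {"f": "from", "t": "to", "v": "via", "i": "call-id",
                   "c": "content-type", "l": "content-length"}


def parse_sip_request(raw: str) -> tuple[str, dict[str, str]]:
    """Split a SIP request into its request line and a lower-cased header map."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers: dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed header line: {line!r}")
        name = name.strip().lower()
        headers[COMPACT_HEADERS.get(name, name)] = value.strip()
    return lines[0], headers


def from_user(from_header: str) -> str:
    """Return the user part of the From URI, e.g. 'alice' for
    '"Alice" <sip:alice@example.com>;tag=1'. The display name is ignored,
    which is the point: it is free text and proves nothing."""
    m = re.search(r"<?sips?:([^@>;]+)@", from_header)
    if not m:
        raise ValueError(f"no user@host URI in From header: {from_header!r}")
    return m.group(1)


def digest_username(auth_header: str) -> str:
    """Return the username from a Digest Authorization header."""
    if not auth_header.lower().startswith("digest "):
        raise ValueError("only Digest authentication is modelled here")
    m = re.search(r'username=(?:"([^"]*)"|([^,\s]+))', auth_header)
    if not m:
        raise ValueError("Digest header has no username")
    return m.group(1) if m.group(1) is not None else m.group(2)


def check_message_identity(raw: str) -> tuple[bool, str]:
    """Accept a MESSAGE only if the From user equals the authenticated user.
    Returns (accepted, reason); the reason names the SIP status a server
    would answer with. Credential verification itself (nonce, response
    hash) is assumed to have happened already and is not modelled."""
    request_line, headers = parse_sip_request(raw)
    if not request_line.startswith("MESSAGE "):
        return True, "not a MESSAGE request; alignment check not applied"
    auth = headers.get("authorization") or headers.get("proxy-authorization")
    if auth is None:
        return False, "401 Unauthorized: no credentials"
    try:
        authenticated = digest_username(auth)
        claimed = from_user(headers["from"])
    except KeyError:
        return False, "400 Bad Request: missing From header"
    except ValueError as exc:
        return False, f"400 Bad Request: {exc}"
    # RFC 3261 19.1.4: the userinfo part of a SIP URI compares case-sensitively.
    if authenticated != claimed:
        return False, (f"403 Forbidden: From user {claimed!r} does not match "
                       f"authenticated user {authenticated!r}")
    return True, "accepted"


def _message(from_header: str, auth_user: str) -> str:
    """Build a constructed MESSAGE request; the Digest values are placeholders."""
    body = "Please reset your password at the link below."
    return (
        "MESSAGE sip:bob@example.com SIP/2.0\r\n"
        "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776asdhds\r\n"
        f"From: {from_header}\r\n"
        "To: <sip:bob@example.com>\r\n"
        "Call-ID: a84b4c76e66710@192.0.2.10\r\n"
        "CSeq: 2 MESSAGE\r\n"
        f'Authorization: Digest username="{auth_user}", realm="example.com", '
        'nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", '
        'uri="sip:bob@example.com", response="6629fae49393a05397450978507c4ef1"\r\n'
        "Content-Type: text/plain\r\n"
        f"Content-Length: {len(body)}\r\n"
        "\r\n"
        f"{body}"
    )


# alice authenticates as alice and claims to be alice: accepted.
LEGIT_MESSAGE = _message('"Alice" <sip:alice@example.com>;tag=49583', "alice")
# alice authenticates as alice but claims to be the helpdesk: the spoof the CVE describes.
SPOOFED_MESSAGE = _message('"IT Helpdesk" <sip:helpdesk@example.com>;tag=49584', "alice")

if __name__ == "__main__":
    for label, msg in (("legit", LEGIT_MESSAGE), ("spoofed", SPOOFED_MESSAGE)):
        print(label, check_message_identity(msg))
```

Two caveats when applying this pattern to a real PBX. The mapping from credentials to a permitted From identity is a policy decision (Asterisk, for instance, keeps the auth object and the endpoint separate, and an endpoint may legitimately own several identities), so a deployment would compare against the set of identities the authenticated endpoint is allowed to present, not against the bare Digest username. And the comparison must run on every request that carries a user-visible identity, not only on MESSAGE; the advisory's point is that the MESSAGE path had been missed.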