Synology: Synology releases DiskStation Manager 7.4, with AI-driven management, smarter collaboration and higher storage efficiency
Russ Allbery: Review: Platform Decay
Review: Platform Decay, by Martha Wells
| Series: | Murderbot Diaries #8 |
| Publisher: | Tor |
| Copyright: | 2026 |
| ISBN: | 1-250-82701-9 |
| Format: | Kindle |
| Pages: | 245 |
Platform Decay is the eighth book in the Murderbot science fiction series. You absolutely should not start here, but you also don't need to remember the specifics of the previous books.
As the story opens, Murderbot and a friend (the identity of whom is a spoiler for previous books) are infiltrating a Corporation Rim torus, a massive space station that encircles a mined-out planet. (Like most science fiction megastructures, this is more space than the plot really requires.) Murderbot's mission is to exfiltrate some of Dr. Mensah's family members who have become entangled in corporate shenanigans. The corporates are eager to get revenge for the events of System Collapse, not to mention the other times Preservation Station has upended corporate plans. Murderbot's job is to stop them.
The group, in addition to one of Dr. Mensah's partners, includes an older woman and a young child. Murderbot is analytical and of course not at all emotional about children, which is reliably a good time. Also, the older woman is gruff, stubborn, and thoroughly enjoyable.
There are, of course, complications that lead to picking up more children and going through rather more of the torus than Murderbot wanted to explore. Each section of the torus is run by a different corporation and has a different constructed environment and visual aesthetic, so there are a lot of opportunities for fights, daring escapes, and incidental trouble.
Also, well:
So I had installed a mental health module. I know, I was surprised I did it too.
After the events of System Collapse, University Medical decided that Murderbot needed a bit more mental health support.
The only reason I agreed to it was that the mental health module didn't actually try to adjust my processing or core programming or anything; it just monitored my organic neural tissue. When my neural tissue started to generate weird chemicals and whatever, it would ping me to "check in with my emotional state." Seriously, I could have coded that myself.
(I told Dr. Bharadwaj that, and she said, "Would you have ever coded that yourself?" which was totally unfair and also correct. I would never have done that.)
Speaking as someone whose neural tissue sometimes generates weird chemicals and whatever, I sympathize.
The specific form this module takes is periodic "emotion check" parentheticals throughout the narration, which I found utterly delightful.
I ran that through risk assessment and it produced the equivalent of a shrug.
(Emotion check: Shrug sigil right back at you, you piece of shit.)
This is otherwise an extended action movie sort of a book, much like several of the early novellas. There are no major political or interpersonal developments here and the usual cast (apart from Murderbot) is mostly absent. Instead, we get an extended, dangerous journey through a corporation-controlled habitat, mixed with Murderbot trying to interact with humans in a way that minimizes its annoyance while being hopefully reassuring. It's competence porn with awkward but surprisingly heartfelt emotional bonding, not that Murderbot in any way wants to bond or would appreciate that description.
I doubt this will be anyone's favorite entry into the series since there are none of the big reveals or major leaps of character development there have been in the past few books. But, like all Murderbot books, the narrative tone is wonderful and all of the small asides and little moments of character interaction are an utter delight. If you've gotten this far in the series, you know what I mean and you'll be as happy to read more of it as I was. There is a part of me that is hoping for some major plot development, and I always want to see more of ART (who has no significant role in this book), but Wells has the narrative style down so perfectly that I would read and enjoy a book about Murderbot doing just about anything.
If you're this far in the series, you probably don't need a review, and since this is an action-heavy adventure rather than a character growth novel, I don't have a lot more to add. There's a new short Murderbot novel out and you want to read it. Recommended to everyone who enjoys the series.
Rating: 8 out of 10
Stable Channel Update for Desktop
The Stable channel has been updated to 149.0.7827.200/201 for Windows and Mac and 149.0.7827.200 for Linux, which will roll out over the coming days/weeks. A full list of changes in this build is available in the Log.
Security Fixes and Rewards
Note: Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed.
This update includes 3 security fixes. Please see the Chrome Security Page for more information.
[N/A][513138301] High CVE-2026-13281: Integer overflow in Mojo. Reported by Google on 2026-05-14
[N/A][517522620] High CVE-2026-13282: Use after free in Payments. Reported by Google on 2026-05-28
[N/A][522561151] High CVE-2026-13283: Use after free in AdFilter. Reported by Google on 2026-06-11
We would also like to thank all security researchers that worked with us during the development cycle to prevent security bugs from ever reaching the stable channel.
Many of our security bugs are detected using AddressSanitizer, MemorySanitizer, UndefinedBehaviorSanitizer, Control Flow Integrity, libFuzzer, or AFL.
Interested in switching release channels? Find out how here. If you find a new issue, please let us know by filing a bug. The community help forum is also a great place to reach out for help or learn about common issues.
Daniel Yip
Google Chrome
ETS2 & ATS: 1.61 Experimental Beta
Even though the 1.60 update for both Euro Truck Simulator 2 and American Truck Simulator was released just last week, we are already working on features for future updates. And since we want to gather as much feedback as possible from our #BestCommunityEver, we are starting an experimental beta well in advance of the actual update release, with a focus on two upcoming features - the Multi-Function Display and the In-Game Menu. To make sure we get it right, we need your help!
As mentioned above, this time, we are starting the beta cycle from an early stage. The level of polish and stability in this release might not yet be on the same level as with our typical Open Betas. However, we recognize the importance of involving our community in the development process and need to gather feedback early to help us identify any imperfections.
With the Experimental Beta, we would like to invite our dedicated players to join us in fine-tuning, testing, and providing feedback on the upcoming Multi-Function Display and In-Game Menu features for both games. We appreciate all of your feedback on our forum and your bug reports in the dedicated section for ATS and ETS2.
Multi-Function Display
The MFD has been part of our vision to improve the overall in-game driving interface and accessibility of vehicle systems. Our goal is to create a more unified and intuitive way to access vehicle functions directly in-game, without the need to interrupt your experience or remember dozens of keybinds.
The MFD is an in-game interface accessible from both interior and exterior camera views. From there, you can quickly navigate through various categories and vehicle systems such as driving assists, lighting controls, vehicle adjustments, media functions, trip information, and more.
One of the main goals of this feature is to reduce interruptions while accessing vehicle systems and information. In most situations, opening the MFD will not pause gameplay, and vehicle controls will remain responsive during interaction.
Another key goal of this feature is discoverability. Over the years, ETS2 and ATS have accumulated many functions and controls that players may never encounter. The MFD helps make these features easier to find by presenting them in context and displaying their associated key binds directly within the menu.
The MFD is designed to support keyboard, mouse, wheel, and controller (both on PC and consoles in the future) users alike, with customisable navigation controls. You can read more about this feature here.
Please note that for the purposes of MFD in Experimental Beta, the controllers will only support In-Game Mapping Mode (which is the recommended default). The support for Steam Client Input Mode will be added only for the full release.
In-Game Menu
The In-Game Menu is a new quick-access overlay presented as a compact horizontal bar at the top of the screen, providing players with instant access to essential functions.
In the new design, the In-Game Menu, accessible via F1, has two roles: it provides access to functions exclusive to it, while retaining quick access to selected functions that were previously available through F4 and F7. The In-Game Menu now consolidates what was previously spread across F1, F4, and F7, providing more immediate access to important system and gameplay functions.
From this bar, players can quickly access controls, photo mode, widget options, services, vehicle adjustments, and the quick info menu.
In single-player mode, opening the In-Game Menu will pause the game. For now, the In-Game Menu will not be accessible while driving in the convoy, but we are exploring ways in which players can use some of the menu's functions while driving in multiplayer.
Don't forget that both of these features are still in a work-in-progress phase and are undergoing internal and external testing and adjustments, so your feedback is crucial in helping us polish them before the final release.
We hope you'll enjoy these new additions, but please remember: It's only an experimental beta, not an open beta yet or even a stable public version, so you may encounter bugs, instability, or crashes - which is where we need your input the most to solve any of these issues. The new features for both games will also be available only in English, so it's completely okay if you want to wait for the open beta or the final release. But if you're interested in helping us get there faster, we'll appreciate all of your feedback on our forum.
If you wish to participate in this Experimental Beta, you can find this version in the Experimental Beta branch on Steam. The way to access it is as follows: Steam client → LIBRARY → right-click on Euro Truck Simulator 2 or American Truck Simulator → Properties → Betas tab → Beta Participation drop-down menu → experimental_beta. No password is required. Sometimes you will have to restart your Steam client to see the correct branch name there.
Thank you for your ongoing dedication and feedback. We believe the Experimental Beta will be a valuable stepping stone towards Open Beta and the 1.61 version. Don't forget to stay connected with us and all the latest information through our social media channels, make sure to follow us on X/Twitter, Instagram, Facebook, Bluesky, and TikTok. Happy trucking!
Asterisk Release 23.4.1
The Asterisk Development Team would like to announce security release
Asterisk 23.4.1.
The release artifacts are available for immediate download at
https://github.com/asterisk/asterisk/releases/tag/23.4.1
and
https://downloads.asterisk.org/pub/telephony/asterisk
Repository: https://github.com/asterisk/asterisk
Tag: 23.4.1
Change Log for Release asterisk-23.4.1
Links:
Summary:
- Commits: 19
- Commit Authors: 6
- Issues Resolved: 0
- Security Advisories Resolved: 20
- GHSA-3g56-cgrh-95p5: chan_unistim DIALPAGE digit handling can overflow phone_number and crash Asterisk
- GHSA-3rhj-hhw7-m6fw: NULL Pointer Dereference in HTTP AMI Digest Authentication
- GHSA-4pgv-j3mr-3rcp: Reflected XSS in Phone Provisioning HTTP Error Pages
- GHSA-589g-qgf8-m6mx: Stack buffer overflow in MWI NOTIFY Message-Account parsing
- GHSA-746q-794h-cc7f: Out-of-Bounds Read in Q.931 Information Element Parser (H.323 Addon)
- GHSA-8jhw-m2hg-vp3h: Heap Buffer Overflow in OGG/Speex File Playback (format_ogg_speex)
- GHSA-8jw3-ccr9-xrmf: Buffer over-read in Asterisk PJSIP MWI body parser
- GHSA-g8q2-p36q-94f6: Heap-use-after-free in Asterisk PJSIP TCP/SDP handling when TCP connection closes during SDP processing
- GHSA-h5hv-jmgj-92q2: CVE-2022-37325 fix is absent from current chan_ooh323 Q.931 party-number parser
- GHSA-j2mm-57pq-jh94: Possible RED T.140 Generation Accumulation OOB Write
- GHSA-mxgm-8c6f-5p8f: Stack buffer overflow in res_xmpp XMPP namespace prefix handling
- GHSA-ph27-3m5q-mj5m: SQL Injection in cel_pgsql and cel_tds via CELGenUserEvent eventtype Field
- GHSA-q9fr-m7g8-6ph5: Asterisk app_sms.c copies externally controlled SMS lengths into fixed in-struct buffers
- GHSA-qf8j-jp7h-c5hx: Out-of-Bounds Write in Codec2 Decoder Due to Floor/Ceil Sample Count Mismatch
- GHSA-r6c2-hwc2-j4mp: LDAP Filter Injection in res_config_ldap via SIP Username (Unauthenticated Information Disclosure)
- GHSA-vfhr-r9x9-c687: Possible RED T.140 Heap Buffer Overflow
- GHSA-vrfp-mg3q-3959: ARI setChannelVar bypasses live_dangerously and permits FILE() writes
- GHSA-wcvv-g26m-wx5c: ARI REST-over-WebSocket read-only bypass allows arbitrary module path load and conditional RCE
- GHSA-x348-j6c9-77f3: Stack Buffer Overflow in H.323 ooTrace() via Unbounded vsprintf into Fixed 2048-byte Buffer
- GHSA-xgj6-2gc5-5x9c: ast_loggrabber executes python script in world writable directory (/tmp) leading to potential privilege escalation and RCE
User Notes:
Upgrade Notes:
Developer Notes:
- ARI: Make ARI applications respect live_dangerously.
ARI applications can no longer call "dangerous" dialplan
functions like DB(), FILE(), SHELL(), CURL(), STAT(), etc. without
enabling "live_dangerously" in asterisk.conf.
Resolves: #GHSA-vrfp-mg3q-3959
Commit Authors:
- George Joseph: (6)
- Mike Bradeen: (3)
- Milan Kyselica: (7)
- Pengpeng Hou: (1)
- Roberto Paleari: (1)
- ThatTotallyRealMyth: (1)
Issue and Commit Detail:
Closed Issues:
- !GHSA-3g56-cgrh-95p5: chan_unistim DIALPAGE digit handling can overflow phone_number and crash Asterisk
- !GHSA-3rhj-hhw7-m6fw: NULL Pointer Dereference in HTTP AMI Digest Authentication
- !GHSA-4pgv-j3mr-3rcp: Reflected XSS in Phone Provisioning HTTP Error Pages
- !GHSA-589g-qgf8-m6mx: Stack buffer overflow in MWI NOTIFY Message-Account parsing
- !GHSA-746q-794h-cc7f: Out-of-Bounds Read in Q.931 Information Element Parser (H.323 Addon)
- !GHSA-8jhw-m2hg-vp3h: Heap Buffer Overflow in OGG/Speex File Playback (format_ogg_speex)
- !GHSA-8jw3-ccr9-xrmf: Buffer over-read in Asterisk PJSIP MWI body parser
- !GHSA-g8q2-p36q-94f6: Heap-use-after-free in Asterisk PJSIP TCP/SDP handling when TCP connection closes during SDP processing
- !GHSA-h5hv-jmgj-92q2: CVE-2022-37325 fix is absent from current chan_ooh323 Q.931 party-number parser
- !GHSA-j2mm-57pq-jh94: Possible RED T.140 Generation Accumulation OOB Write
- !GHSA-mxgm-8c6f-5p8f: Stack buffer overflow in res_xmpp XMPP namespace prefix handling
- !GHSA-ph27-3m5q-mj5m: SQL Injection in cel_pgsql and cel_tds via CELGenUserEvent eventtype Field
- !GHSA-q9fr-m7g8-6ph5: Asterisk app_sms.c copies externally controlled SMS lengths into fixed in-struct buffers
- !GHSA-qf8j-jp7h-c5hx: Out-of-Bounds Write in Codec2 Decoder Due to Floor/Ceil Sample Count Mismatch
- !GHSA-r6c2-hwc2-j4mp: LDAP Filter Injection in res_config_ldap via SIP Username (Unauthenticated Information Disclosure)
- !GHSA-vfhr-r9x9-c687: Possible RED T.140 Heap Buffer Overflow
- !GHSA-vrfp-mg3q-3959: ARI setChannelVar bypasses live_dangerously and permits FILE() writes
- !GHSA-wcvv-g26m-wx5c: ARI REST-over-WebSocket read-only bypass allows arbitrary module path load and conditional RCE
- !GHSA-x348-j6c9-77f3: Stack Buffer Overflow in H.323 ooTrace() via Unbounded vsprintf into Fixed 2048-byte Buffer
- !GHSA-xgj6-2gc5-5x9c: ast_loggrabber executes python script in world writable directory (/tmp) leading to potential privilege escalation and RCE
Commits By Author:
- George Joseph (6):
- chan_unistim.c: Prevent overrun of phone_number field.
- res_ari: Ensure read-only users are properly authorized via REST Over WebSocket.
- pjsip_message_filter: Use pj_strdup instead of pj_strassign to save local address.
- ooh323c/ooq931.c: Ensure ooQ931Decode doesn't run out-of-bounds.
- ARI: Make ARI applications respect live_dangerously.
- res_rtp_asterisk.c: Address 2 potential T.140 RED buffer overruns.
- Mike Bradeen (3):
- ooh323c: not checking for IE minimum length
- manager: Use remote address in user error logging
- ooh323: Prevent potential buffer overflow in trace logging
- Milan Kyselica (7):
- res_xmpp: Fix stack buffer overflow in namespace prefix handling
- res_pjsip_pubsub: Add width limit to sscanf in MWI NOTIFY parser
- res_config_ldap: Escape LDAP filter values per RFC 4515
- cel_pgsql, cel_tds: Escape eventtype field to prevent SQL injection
- http: Escape error page text to prevent reflected XSS
- codec_codec2: Only process complete Codec2 frames in decoder
- format_ogg_speex: Add bounds check to prevent heap buffer overflow
- Pengpeng Hou (1):
- app_sms: Bound protocol 1 SMS unpacking to fixed-size buffers
- Roberto Paleari (1):
- res/res_pjsip_pubsub.c: Fix buffer over-read in MWI body parser
- ThatTotallyRealMyth (1):
- ast_loggrabber: Install the ast_tsconvert.py script to a secure temp directory.
Commit List:
- ast_loggrabber: Install the ast_tsconvert.py script to a secure temp directory.
- chan_unistim.c: Prevent overrun of phone_number field.
- ooh323c: not checking for IE minimum length
- res_ari: Ensure read-only users are properly authorized via REST Over WebSocket.
- pjsip_message_filter: Use pj_strdup instead of pj_strassign to save local address.
- ooh323c/ooq931.c: Ensure ooQ931Decode doesn't run out-of-bounds.
- ARI: Make ARI applications respect live_dangerously.
- res_rtp_asterisk.c: Address 2 potential T.140 RED buffer overruns.
- res/res_pjsip_pubsub.c: Fix buffer over-read in MWI body parser
- manager: Use remote address in user error logging
- ooh323: Prevent potential buffer overflow in trace logging
- app_sms: Bound protocol 1 SMS unpacking to fixed-size buffers
- res_xmpp: Fix stack buffer overflow in namespace prefix handling
- res_pjsip_pubsub: Add width limit to sscanf in MWI NOTIFY parser
- res_config_ldap: Escape LDAP filter values per RFC 4515
- cel_pgsql, cel_tds: Escape eventtype field to prevent SQL injection
- http: Escape error page text to prevent reflected XSS
- codec_codec2: Only process complete Codec2 frames in decoder
- format_ogg_speex: Add bounds check to prevent heap buffer overflow
Commit Details:
ast_loggrabber: Install the ast_tsconvert.py script to a secure temp directory.
Author: ThatTotallyRealMyth
Date: 2026-03-19
The ast_tsconvert.py script called by ast_loggrabber is now installed in a
temporary directory that isn't world readable or writable.
Resolves: #GHSA-xgj6-2gc5-5x9c
chan_unistim.c: Prevent overrun of phone_number field.
Author: George Joseph
Date: 2026-06-15
Add a check to key_dial_page() to ensure that dialed digits won't overrun
the phone_number field.
Resolves: #GHSA-3g56-cgrh-95p5
ooh323c: not checking for IE minimum length
Author: Mike Bradeen
Date: 2022-06-06
When decoding q.931 encoded calling/called number
now checking for length being less than minimum required.
Resolves: #GHSA-h5hv-jmgj-92q2
res_ari: Ensure read-only users are properly authorized via REST Over WebSocket.
Author: George Joseph
Date: 2026-06-12
The REST over WebSocket path now properly prevents non-GET methods from
being executed on inbound WebSockets.
- The query parameters from the original incoming GET request that caused the
  upgrade to WebSocket are now passed to all REST requests that come from the
  client. This ensures that if the client authenticated with a read-only
  userid using the "api_key" query_string parameter, REST requests coming
  in over the WebSocket will only be able to execute GETs on resources.
  The HTTP headers were already passed to the REST requests so if the
  client had authenticated via an "Authorization" it was properly handled.
- New tests have been added to test_ari.c to check that read-only users
  are properly denied access to resources using non-GET methods. Several
  memory leaks were also squashed.
Resolves: #GHSA-wcvv-g26m-wx5c
pjsip_message_filter: Use pj_strdup instead of pj_strassign to save local address.
Author: George Joseph
Date: 2026-06-10
The filter_on_tx_message() function was using pj_strassign() to save the pointer
of the pjproject transport local address to a local pj_str_t variable. That
variable was ultimately used to set the Contact header's uri->host and the SDP
connection attribute's address again using pj_strassign. pj_strassign() doesn't
copy the actual value of the pj_str_t however, it just copies the pointer so
if a connection-oriented transport is disconnected before the 200 OK with the
SDP is sent, those pointers will be invalid which can cause use-after-free
issues. To prevent this, filter_on_tx_message() now uses pj_strdup with the
tdata->pool as the backing store to save the local IP address to the local
variable. pj_strassign() can then be used safely later on since the tdata
will be available for the life of the transaction.
Resolves: #GHSA-g8q2-p36q-94f6
ooh323c/ooq931.c: Ensure ooQ931Decode doesn't run out-of-bounds.
Author: George Joseph
Date: 2026-06-02
Several bounds checks have been added to ooQ931Decode to prevent it from
running past the end of the data buffer when parsing information elements.
Resolves: #GHSA-746q-794h-cc7f
ARI: Make ARI applications respect live_dangerously.
Author: George Joseph
Date: 2026-05-21
DeveloperNote: ARI applications can no longer call "dangerous" dialplan
functions like DB(), FILE(), SHELL(), CURL(), STAT(), etc. without
enabling "live_dangerously" in asterisk.conf.
Resolves: #GHSA-vrfp-mg3q-3959
res_rtp_asterisk.c: Address 2 potential T.140 RED buffer overruns.
Author: George Joseph
Date: 2026-04-27
- Add check to red_t140_to_red() to ensure that the new primary payload
  can't cause the rtp_red->len array items to wrap or cause an overrun of
  the rtp_red->t140red_data buffer.
- Add check to rtp_red_buffer() to ensure that a T.140 frame to be sent
  can't cause rtp_red->len array items to wrap or cause an overrun of
  the rtp_red->buf_data buffer.
Resolves: #GHSA-vfhr-r9x9-c687
Resolves: #GHSA-j2mm-57pq-jh94
res/res_pjsip_pubsub.c: Fix buffer over-read in MWI body parser
Author: Roberto Paleari
Date: 2026-04-29
Add constraint checks to prevent unauthenticated users from crashing Asterisk
instance by sending a crafted inbound SIP NOTIFY request with "Content-Type:
application/simple-message-summary".
Resolves: #GHSA-8jw3-ccr9-xrmf
manager: Use remote address in user error logging
Author: Mike Bradeen
Date: 2026-03-30
To avoid a potential null dereference use the remote address
in error logging when there is no user or the user acl fails.
Resolves: #GHSA-3rhj-hhw7-m6fw
ooh323: Prevent potential buffer overflow in trace logging
Author: Mike Bradeen
Date: 2026-03-31
Replace a call to vsprintf with a call to ast_vasprintf to
prevent a possible buffer overflow.
Resolves: #GHSA-x348-j6c9-77f3
app_sms: Bound protocol 1 SMS unpacking to fixed-size buffers
Author: Pengpeng Hou
Date: 2026-04-01
The protocol 1 unpack helpers trusted externally controlled lengths and wrote
them directly into fixed-size buffers in sms_t. Clamp the address, header,
and body copies to the destination array sizes so malformed messages cannot
overwrite adjacent state.
Resolves: #GHSA-q9fr-m7g8-6ph5
res_xmpp: Fix stack buffer overflow in namespace prefix handling
Author: Milan Kyselica
Date: 2026-03-26
The snprintf size parameter in xmpp_action_hook() is computed from
the attacker-controlled namespace prefix length and is not bounded
by the 256-byte stack buffer size. When a remote XMPP peer sends a
stanza with a child element whose namespace prefix exceeds 249
characters, snprintf writes past the buffer boundary.
Use sizeof(attr) as the snprintf size limit and %.*s precision to
extract only the prefix portion of the element name, preserving
the original truncation behavior for valid inputs.
Resolves: #GHSA-mxgm-8c6f-5p8f
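The commit above turns on two things a reviewer should check in every snprintf call: the size limit must come from the destination (sizeof), not from data an attacker controls, and the format should bound the copied portion (%.*s). The following is an added illustration, not code from Asterisk; the function names are hypothetical, and the arithmetic in unsafe_snprintf_size() is an assumption chosen to reproduce the 249-character threshold the commit message gives (6 bytes for "xmlns:" plus one for the NUL in a 256-byte buffer).

```c
#include <stdio.h>
#include <string.h>

#define XMPP_ATTR_SIZE 256   /* the 256-byte stack buffer named in the commit message */

/* Length of the namespace prefix in an element name such as "stream:features"
 * ("stream" -> 6); 0 when the name carries no prefix. */
size_t xmpp_prefix_len(const char *name)
{
    const char *colon = strchr(name, ':');
    return colon ? (size_t)(colon - name) : 0;
}

/* Model of the pre-fix size computation (assumption, see lead-in): the limit
 * handed to snprintf grows with the attacker-controlled prefix instead of
 * being pinned to the destination buffer. */
size_t unsafe_snprintf_size(const char *name)
{
    return strlen("xmlns:") + xmpp_prefix_len(name) + 1;
}

/* 1 if that computed size exceeds the real buffer, i.e. snprintf would be
 * allowed to write past the end of attr[]. */
int unsafe_size_overflows(const char *name)
{
    return unsafe_snprintf_size(name) > XMPP_ATTR_SIZE;
}

/* Hardened version: sizeof(attr) is the limit and %.*s copies only the prefix
 * bytes, so an over-long prefix is truncated rather than written past the end.
 * A name without a prefix yields the default-namespace attribute "xmlns"
 * (my simplification). The result is copied to out; returns strlen(attr). */
size_t build_xmlns_attr(const char *name, char *out, size_t out_len)
{
    char attr[XMPP_ATTR_SIZE];
    int plen = (int)xmpp_prefix_len(name);

    if (plen > 0) {
        snprintf(attr, sizeof(attr), "xmlns:%.*s", plen, name);
    } else {
        snprintf(attr, sizeof(attr), "xmlns");
    }
    snprintf(out, out_len, "%s", attr);
    return strlen(attr);
}

/* Constructed element name: prefix_len 'x' characters followed by ":features".
 * Returns the name length, or 0 if dst is too small. */
size_t make_prefixed_name(char *dst, size_t dst_len, size_t prefix_len)
{
    const char *local = ":features";
    if (prefix_len + strlen(local) + 1 > dst_len) {
        return 0;
    }
    memset(dst, 'x', prefix_len);
    memcpy(dst + prefix_len, local, strlen(local) + 1);
    return prefix_len + strlen(local);
}

int main(void)
{
    char name[1024], out[XMPP_ATTR_SIZE];
    size_t lens[] = { 6, 249, 250, 300 };

    for (size_t i = 0; i < sizeof(lens) / sizeof(lens[0]); i++) {
        make_prefixed_name(name, sizeof(name), lens[i]);
        printf("prefix=%3zu unsafe_size=%3zu overflows=%d hardened_len=%3zu\n",
               lens[i], unsafe_snprintf_size(name), unsafe_size_overflows(name),
               build_xmlns_attr(name, out, sizeof(out)));
    }
    return 0;
}
```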
res_pjsip_pubsub: Add width limit to sscanf in MWI NOTIFY parser
Author: Milan Kyselica
Date: 2026-03-24
The parse_simple_message_summary() function uses sscanf with an
unbounded %s format specifier to parse the Message-Account field
from incoming SIP NOTIFY bodies into a fixed-size 512-byte stack
buffer (PJSIP_MAX_URL_SIZE). A single unauthenticated SIP NOTIFY
with a Message-Account value exceeding 512 bytes overflows the
buffer, corrupting adjacent stack data and permanently disabling
the PJSIP transport layer without crashing the process.
Add a width specifier (%511s) to limit the sscanf write to
PJSIP_MAX_URL_SIZE - 1 bytes plus the NUL terminator, matching
the destination buffer size.
Resolves: #GHSA-589g-qgf8-m6mx
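The fix is a single character class: "%s" writes as many bytes as the peer sends, "%511s" writes at most 511 plus the terminator. The example below is added here and is not Asterisk's parser; it keeps the 512-byte size from the commit message, ties the width to it with a preprocessor check so the two cannot drift apart, and places a canary after the buffer to stand in for the adjacent stack data the advisory says was corrupted. The NOTIFY bodies are constructed.

```c
#include <stdio.h>
#include <string.h>

#define PJSIP_MAX_URL_SIZE 512   /* destination buffer size named in the commit message */
#define MAX_URL_WIDTH 511        /* PJSIP_MAX_URL_SIZE - 1: leaves room for the NUL */
#define STR_(x) #x
#define STR(x) STR_(x)
#define MWI_CANARY 0x5a5a5a5au

#if MAX_URL_WIDTH != PJSIP_MAX_URL_SIZE - 1
#error "sscanf width must be exactly one less than the destination buffer"
#endif

/* Parsed summary plus a canary standing in for whatever follows the buffer. */
struct mwi_summary {
    char account[PJSIP_MAX_URL_SIZE];
    unsigned int canary;
};

/* Scan a simple-message-summary body line by line for "Message-Account:".
 * The pre-fix code used a bare "%s" here; "%511s" caps the write at
 * MAX_URL_WIDTH bytes plus the terminator, so an over-long value is truncated
 * instead of spilling into the data after account[].
 * Returns 1 if an account value was found, 0 otherwise. */
int parse_summary_body(const char *body, struct mwi_summary *out)
{
    int found = 0;

    out->account[0] = '\0';
    out->canary = MWI_CANARY;

    for (const char *line = body; *line; ) {
        /* Format string expands to "Message-Account: %511s". */
        if (sscanf(line, "Message-Account: %" STR(MAX_URL_WIDTH) "s", out->account) == 1) {
            found = 1;
        }
        const char *nl = strchr(line, '\n');
        if (!nl) {
            break;
        }
        line = nl + 1;
    }
    return found;
}

/* Constructed NOTIFY body whose Message-Account value is account_len 'a'
 * bytes. Returns the body length, or 0 if dst is too small. */
size_t build_summary_body(char *dst, size_t dst_len, size_t account_len)
{
    const char *head = "Messages-Waiting: yes\r\nMessage-Account: ";
    const char *tail = "\r\nVoice-Message: 2/0 (0/0)\r\n";
    size_t need = strlen(head) + account_len + strlen(tail);

    if (need + 1 > dst_len) {
        return 0;
    }
    memcpy(dst, head, strlen(head));
    memset(dst + strlen(head), 'a', account_len);
    memcpy(dst + strlen(head) + account_len, tail, strlen(tail) + 1);
    return need;
}

int main(void)
{
    char body[2048];
    struct mwi_summary s;
    size_t lens[] = { 21, 511, 600, 1500 };

    for (size_t i = 0; i < sizeof(lens) / sizeof(lens[0]); i++) {
        build_summary_body(body, sizeof(body), lens[i]);
        parse_summary_body(body, &s);
        printf("sent=%4zu stored=%3zu canary_intact=%d\n",
               lens[i], strlen(s.account), s.canary == MWI_CANARY);
    }
    return 0;
}
```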
res_config_ldap: Escape LDAP filter values per RFC 4515
Author: Milan Kyselica
Date: 2026-03-23
The LDAP realtime driver constructs search filters by directly
concatenating user-supplied values without RFC 4515 escaping.
When LDAP is used as a realtime backend for endpoint
identification, characters with special meaning in LDAP filters
(*, (, ), ) can be injected via the SIP From header username.
Add ldap_filter_escape_value() that escapes RFC 4515 special
characters to their \HH hex representation, and apply it to
non-LIKE query values. The LIKE query path preserves the existing
wildcard conversion behavior with a note for maintainers.
Resolves: #GHSA-r6c2-hwc2-j4mp
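RFC 4515 reserves five bytes inside a filter assertion value: '*', '(', ')', '\' and NUL, each of which must be written as a backslash followed by two hex digits. The example below is added here and is not the Asterisk driver's code (its ldap_filter_escape_value() is named in the commit; the functions here are hypothetical). It shows the unescaped filter construction the commit describes next to the escaped one, and a small checker that counts how many parentheses actually shape the filter, which is how the difference shows up.

```c
#include <stdio.h>
#include <string.h>

/* Escape one assertion value for an LDAP search filter per RFC 4515 section 3:
 * '*', '(', ')', '\' and NUL become a backslash plus two hex digits.
 * Returns the escaped length (without the NUL) or -1 if out is too small;
 * the worst case is 3 * in_len + 1 bytes. */
int ldap_filter_escape(const char *in, size_t in_len, char *out, size_t out_len)
{
    static const char hex[] = "0123456789abcdef";
    size_t o = 0;

    for (size_t i = 0; i < in_len; i++) {
        unsigned char c = (unsigned char)in[i];
        if (c == '*' || c == '(' || c == ')' || c == '\\' || c == '\0') {
            if (o + 3 >= out_len) return -1;
            out[o++] = '\\';
            out[o++] = hex[c >> 4];
            out[o++] = hex[c & 0x0f];
        } else {
            if (o + 1 >= out_len) return -1;
            out[o++] = (char)c;
        }
    }
    out[o] = '\0';
    return (int)o;
}

/* Pre-fix shape: the SIP From-header username is interpolated as-is, so
 * any filter metacharacters in it become part of the filter's structure. */
int build_filter_unescaped(const char *attr, const char *username, char *out, size_t out_len)
{
    int n = snprintf(out, out_len, "(%s=%s)", attr, username);
    return (n < 0 || (size_t)n >= out_len) ? -1 : n;
}

/* Fixed shape: the value is escaped first, so the server can only ever
 * compare it, never reinterpret it as filter syntax. Usernames longer than
 * 255 bytes are rejected here (my limit, not the driver's). */
int build_filter_escaped(const char *attr, const char *username, char *out, size_t out_len)
{
    char escaped[3 * 255 + 1];
    size_t ulen = strlen(username);
    int n;

    if (ulen > 255) return -1;
    if (ldap_filter_escape(username, ulen, escaped, sizeof(escaped)) < 0) return -1;
    n = snprintf(out, out_len, "(%s=%s)", attr, escaped);
    return (n < 0 || (size_t)n >= out_len) ? -1 : n;
}

/* Count unescaped occurrences of ch in a filter string. A single equality
 * match such as "(uid=alice)" has exactly one '(' and one ')'; anything more
 * means the value changed the shape of the query. */
int count_unescaped(const char *filter, char ch)
{
    int n = 0;
    for (const char *p = filter; *p; p++) {
        if (*p == '\\' && p[1]) { p++; continue; }   /* skip the escaped byte */
        if (*p == ch) n++;
    }
    return n;
}

int main(void)
{
    const char *usernames[] = { "alice", "alice*)(cn=*", "back\\slash" };  /* constructed */
    char f[256];

    for (size_t i = 0; i < sizeof(usernames) / sizeof(usernames[0]); i++) {
        build_filter_unescaped("uid", usernames[i], f, sizeof(f));
        printf("unescaped: %-28s opens=%d\n", f, count_unescaped(f, '('));
        build_filter_escaped("uid", usernames[i], f, sizeof(f));
        printf("escaped:   %-28s opens=%d\n", f, count_unescaped(f, '('));
    }
    return 0;
}
```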
cel_pgsql, cel_tds: Escape eventtype field to prevent SQL injection
Author: Milan Kyselica
Date: 2026-03-23
The eventtype column handler in cel_pgsql.c inserts
record.user_defined_name directly into the SQL query without
calling PQescapeStringConn(), while all other string fields in
the same function are properly escaped. Similarly, cel_tds.c
passes the raw user_defined_name into the SQL INSERT without
routing it through anti_injection(), while all other fields are
processed through that function.
For cel_pgsql.c, escape the eventtype value using
PQescapeStringConn(), matching the existing pattern used for all
other string fields at lines 308-331 of the same function.
For cel_tds.c, route the eventtype value through
anti_injection() consistent with how all other fields are handled
in the same function.
Resolves: #GHSA-ph27-3m5q-mj5m
http: Escape error page text to prevent reflected XSS
Author: Milan Kyselica
Date: 2026-04-08
The text parameter in ast_http_create_response() is inserted into
the HTML body without escaping, while the server name on the same
page is properly escaped via ast_xml_escape(). When res_phoneprov
passes the decoded request URI as the text of a 404 response, HTML
metacharacters in the URI are rendered by the browser.
Apply ast_xml_escape() to the text parameter before inserting it
into the HTML template, using the same function already used for
the server name.
Resolves: #GHSA-4pgv-j3mr-3rcp
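The defect is an inconsistency rather than a missing feature: one interpolated value on the page was escaped and the other was not. The example below is added here and is not Asterisk's ast_http_create_response() or ast_xml_escape(); it shows the same escaping applied to both fields of a small 404 template, with the free text being a decoded request path, as in the res_phoneprov case the commit describes. The page layout and the request path are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Escape the five HTML/XML metacharacters into entity references.
 * Returns the escaped length (without the NUL) or -1 if dst is too small. */
int html_escape(const char *src, char *dst, size_t dst_len)
{
    size_t o = 0;

    for (; *src; src++) {
        char single[2] = { *src, '\0' };
        const char *rep;
        size_t rl;

        switch (*src) {
        case '&':  rep = "&amp;";  break;
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&apos;"; break;
        default:   rep = single;   break;
        }
        rl = strlen(rep);
        if (o + rl >= dst_len) return -1;
        memcpy(dst + o, rep, rl);
        o += rl;
    }
    dst[o] = '\0';
    return (int)o;
}

/* Render an error page. The status title is a server constant and is not
 * escaped; the server name and the free text both pass through html_escape(),
 * which is the invariant the fix restores. Returns the page length or -1. */
int render_error_page(const char *server, int status, const char *title,
                      const char *text, char *out, size_t out_len)
{
    char esc_server[256], esc_text[1024];
    int n;

    if (html_escape(server, esc_server, sizeof(esc_server)) < 0) return -1;
    if (html_escape(text, esc_text, sizeof(esc_text)) < 0) return -1;

    n = snprintf(out, out_len,
                 "<html><head><title>%d %s</title></head>\r\n"
                 "<body><h1>%d %s</h1>\r\n<p>%s</p>\r\n<hr>\r\n"
                 "<address>%s</address>\r\n</body></html>\r\n",
                 status, title, status, title, esc_text, esc_server);
    return (n < 0 || (size_t)n >= out_len) ? -1 : n;
}

int main(void)
{
    /* Constructed: a phone-provisioning request path carrying markup. */
    const char *uri = "/phoneprov/<b>not-a-file</b>.cfg";
    char page[2048];

    if (render_error_page("Asterisk/example", 404, "Not Found", uri, page, sizeof(page)) > 0) {
        fputs(page, stdout);
    }
    return 0;
}
```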
codec_codec2: Only process complete Codec2 frames in decoder
Author: Milan Kyselica
Date: 2026-04-08
The codec2_samples() function uses floor division (160 * datalen/6)
to compute expected output samples, but the decode loop condition
(x < datalen) iterates with ceiling behavior when datalen is not a
multiple of CODEC2_FRAME_LEN. This mismatch causes the loop to
decode one extra frame beyond what the framework bounds check
budgeted for, leading to an out-of-bounds write on the output buffer.
Change the loop condition to only process complete frames, matching
the floor-division behavior of codec2_samples(). This also prevents
an out-of-bounds read on the input side when fewer than
CODEC2_FRAME_LEN bytes remain.
Resolves: #GHSA-qf8j-jp7h-c5hx
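The mismatch is arithmetic: the budget rounds down (floor of 160 * datalen / 6) while the loop `x < datalen` rounds up, so any datalen that is not a multiple of 6 buys one fewer frame than the loop decodes. The example below is added here and is not Asterisk's codec_codec2 code; it keeps the 6-byte frame and 160-sample constants from the commit message, runs both loop conditions against an output buffer sized exactly to the budget, and reports the frame that would have been written out of bounds instead of performing the write.

```c
#include <stdio.h>
#include <stdlib.h>

#define CODEC2_FRAME_LEN 6            /* input bytes per Codec2 frame (commit message) */
#define CODEC2_SAMPLES_PER_FRAME 160  /* output samples per frame */

/* Floor-division budget: output samples the framework reserves for datalen
 * input bytes, mirroring the 160 * datalen / 6 in the commit message. */
int codec2_samples(int datalen)
{
    return CODEC2_SAMPLES_PER_FRAME * datalen / CODEC2_FRAME_LEN;
}

/* Frames the pre-fix loop visits: `x < datalen` also enters a trailing partial frame. */
int frames_before_fix(int datalen)
{
    int n = 0;
    for (int x = 0; x < datalen; x += CODEC2_FRAME_LEN) n++;
    return n;
}

/* Frames the fixed loop visits: complete frames only, matching codec2_samples(). */
int frames_after_fix(int datalen)
{
    int n = 0;
    for (int x = 0; x + CODEC2_FRAME_LEN <= datalen; x += CODEC2_FRAME_LEN) n++;
    return n;
}

/* Stand-in for the decode loop. Writes CODEC2_SAMPLES_PER_FRAME samples per frame
 * into out[] (capacity out_cap) and returns -1 the moment a frame would land past
 * out_cap: that refused write is the out-of-bounds write in the advisory.
 * Otherwise returns the samples written. A real decoder would also read
 * CODEC2_FRAME_LEN bytes at in + x, which for the partial frame is the
 * input-side over-read the commit message mentions; here only in[x] is read,
 * and x < datalen holds in both variants, so the simulation itself stays in bounds. */
int decode_payload(const unsigned char *in, int datalen, short *out, int out_cap,
                   int complete_frames_only)
{
    int written = 0;

    for (int x = 0;
         complete_frames_only ? (x + CODEC2_FRAME_LEN <= datalen) : (x < datalen);
         x += CODEC2_FRAME_LEN) {
        if (written + CODEC2_SAMPLES_PER_FRAME > out_cap) {
            return -1;
        }
        for (int i = 0; i < CODEC2_SAMPLES_PER_FRAME; i++) {
            out[written + i] = (short)in[x];
        }
        written += CODEC2_SAMPLES_PER_FRAME;
    }
    return written;
}

/* Run one variant on a constructed payload of datalen bytes with an output
 * buffer of exactly codec2_samples(datalen) samples. Returns -2 on allocation failure. */
static int run_variant(int datalen, int complete_frames_only)
{
    int budget = codec2_samples(datalen);
    unsigned char *in = malloc(datalen > 0 ? (size_t)datalen : 1);
    short *out = malloc(budget > 0 ? (size_t)budget * sizeof(short) : sizeof(short));
    int rc;

    if (!in || !out) { free(in); free(out); return -2; }
    for (int i = 0; i < datalen; i++) in[i] = (unsigned char)(i * 37);
    rc = decode_payload(in, datalen, out, budget, complete_frames_only);
    free(in);
    free(out);
    return rc;
}

int decode_before_fix(int datalen) { return run_variant(datalen, 0); }
int decode_after_fix(int datalen)  { return run_variant(datalen, 1); }

int main(void)
{
    for (int datalen = 5; datalen <= 13; datalen++) {
        printf("datalen=%2d budget=%3d frames before/after=%d/%d samples before/after=%4d/%4d\n",
               datalen, codec2_samples(datalen), frames_before_fix(datalen),
               frames_after_fix(datalen), decode_before_fix(datalen), decode_after_fix(datalen));
    }
    return 0;
}
```

A result of -1 in the "before" column marks every length that is not a multiple of 6; the "after" column never exceeds the budget.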
format_ogg_speex: Add bounds check to prevent heap buffer overflow
Author: Milan Kyselica
Date: 2026-03-23
The ogg_speex_read() function copies OGG packet data via memcpy()
without validating the packet size against the destination buffer
(BUF_SIZE = 200 bytes). A crafted .spx file with an oversized OGG
audio packet causes a heap buffer overflow that corrupts the
adjacent speex_desc structure containing libogg heap pointers,
leading to a crash (SIGSEGV) on playback.
Add a bounds check for both negative and oversized values before
the memcpy, consistent with how format_ogg_vorbis bounds its reads
via ov_read().
Resolves: #GHSA-8jhw-m2hg-vp3h
Asterisk Release 22.10.1
The Asterisk Development Team would like to announce security release
Asterisk 22.10.1.
The release artifacts are available for immediate download at
https://github.com/asterisk/asterisk/releases/tag/22.10.1
and
https://downloads.asterisk.org/pub/telephony/asterisk
Repository: https://github.com/asterisk/asterisk
Tag: 22.10.1
Change Log for Release asterisk-22.10.1
Links:
Summary:
- Commits: 19
- Commit Authors: 6
- Issues Resolved: 0
- Security Advisories Resolved: 20
- GHSA-3g56-cgrh-95p5: chan_unistim DIALPAGE digit handling can overflow phone_number and crash Asterisk
- GHSA-3rhj-hhw7-m6fw: NULL Pointer Dereference in HTTP AMI Digest Authentication
- GHSA-4pgv-j3mr-3rcp: Reflected XSS in Phone Provisioning HTTP Error Pages
- GHSA-589g-qgf8-m6mx: Stack buffer overflow in MWI NOTIFY Message-Account parsing
- GHSA-746q-794h-cc7f: Out-of-Bounds Read in Q.931 Information Element Parser (H.323 Addon)
- GHSA-8jhw-m2hg-vp3h: Heap Buffer Overflow in OGG/Speex File Playback (format_ogg_speex)
- GHSA-8jw3-ccr9-xrmf: Buffer over-read in Asterisk PJSIP MWI body parser
- GHSA-g8q2-p36q-94f6: Heap-use-after-free in Asterisk PJSIP TCP/SDP handling when TCP connection closes during SDP processing
- GHSA-h5hv-jmgj-92q2: CVE-2022-37325 fix is absent from current chan_ooh323 Q.931 party-number parser
- GHSA-j2mm-57pq-jh94: Possible RED T.140 Generation Accumulation OOB Write
- GHSA-mxgm-8c6f-5p8f: Stack buffer overflow in res_xmpp XMPP namespace prefix handling
- GHSA-ph27-3m5q-mj5m: SQL Injection in cel_pgsql and cel_tds via CELGenUserEvent eventtype Field
- GHSA-q9fr-m7g8-6ph5: Asterisk app_sms.c copies externally controlled SMS lengths into fixed in-struct buffers
- GHSA-qf8j-jp7h-c5hx: Out-of-Bounds Write in Codec2 Decoder Due to Floor/Ceil Sample Count Mismatch
- GHSA-r6c2-hwc2-j4mp: LDAP Filter Injection in res_config_ldap via SIP Username (Unauthenticated Information Disclosure)
- GHSA-vfhr-r9x9-c687: Possible RED T.140 Heap Buffer Overflow
- GHSA-vrfp-mg3q-3959: ARI setChannelVar bypasses live_dangerously and permits FILE() writes
- GHSA-wcvv-g26m-wx5c: ARI REST-over-WebSocket read-only bypass allows arbitrary module path load and conditional RCE
- GHSA-x348-j6c9-77f3: Stack Buffer Overflow in H.323 ooTrace() via Unbounded vsprintf into Fixed 2048-byte Buffer
- GHSA-xgj6-2gc5-5x9c: ast_loggrabber executes python script in world writable directory (/tmp) leading to potential privilege escalation and RCE
User Notes:
Upgrade Notes:
Developer Notes:
- ARI: Make ARI applications respect live_dangerously.
ARI applications can no longer call "dangerous" dialplan
functions like DB(), FILE(), SHELL(), CURL(), STAT(), etc. without
enabling "live_dangerously" in asterisk.conf.
Resolves: #GHSA-vrfp-mg3q-3959
Commit Authors:
- George Joseph: (6)
- Mike Bradeen: (3)
- Milan Kyselica: (7)
- Pengpeng Hou: (1)
- Roberto Paleari: (1)
- ThatTotallyRealMyth: (1)
Issue and Commit Detail:
Closed Issues:
- !GHSA-3g56-cgrh-95p5: chan_unistim DIALPAGE digit handling can overflow phone_number and crash Asterisk
- !GHSA-3rhj-hhw7-m6fw: NULL Pointer Dereference in HTTP AMI Digest Authentication
- !GHSA-4pgv-j3mr-3rcp: Reflected XSS in Phone Provisioning HTTP Error Pages
- !GHSA-589g-qgf8-m6mx: Stack buffer overflow in MWI NOTIFY Message-Account parsing
- !GHSA-746q-794h-cc7f: Out-of-Bounds Read in Q.931 Information Element Parser (H.323 Addon)
- !GHSA-8jhw-m2hg-vp3h: Heap Buffer Overflow in OGG/Speex File Playback (format_ogg_speex)
- !GHSA-8jw3-ccr9-xrmf: Buffer over-read in Asterisk PJSIP MWI body parser
- !GHSA-g8q2-p36q-94f6: Heap-use-after-free in Asterisk PJSIP TCP/SDP handling when TCP connection closes during SDP processing
- !GHSA-h5hv-jmgj-92q2: CVE-2022-37325 fix is absent from current chan_ooh323 Q.931 party-number parser
- !GHSA-j2mm-57pq-jh94: Possible RED T.140 Generation Accumulation OOB Write
- !GHSA-mxgm-8c6f-5p8f: Stack buffer overflow in res_xmpp XMPP namespace prefix handling
- !GHSA-ph27-3m5q-mj5m: SQL Injection in cel_pgsql and cel_tds via CELGenUserEvent eventtype Field
- !GHSA-q9fr-m7g8-6ph5: Asterisk app_sms.c copies externally controlled SMS lengths into fixed in-struct buffers
- !GHSA-qf8j-jp7h-c5hx: Out-of-Bounds Write in Codec2 Decoder Due to Floor/Ceil Sample Count Mismatch
- !GHSA-r6c2-hwc2-j4mp: LDAP Filter Injection in res_config_ldap via SIP Username (Unauthenticated Information Disclosure)
- !GHSA-vfhr-r9x9-c687: Possible RED T.140 Heap Buffer Overflow
- !GHSA-vrfp-mg3q-3959: ARI setChannelVar bypasses live_dangerously and permits FILE() writes
- !GHSA-wcvv-g26m-wx5c: ARI REST-over-WebSocket read-only bypass allows arbitrary module path load and conditional RCE
- !GHSA-x348-j6c9-77f3: Stack Buffer Overflow in H.323 ooTrace() via Unbounded vsprintf into Fixed 2048-byte Buffer
- !GHSA-xgj6-2gc5-5x9c: ast_loggrabber executes python script in world writable directory (/tmp) leading to potential privilege escalation And RCE
Commits By Author:
- George Joseph (6):
- chan_unistim.c: Prevent overrun of phone_number field.
- res_ari: Ensure read-only users are properly authorized via REST Over WebSocket.
- pjsip_message_filter: Use pj_strdup instead of pj_strassign to save local address.
- ooh323c/ooq931.c: Ensure ooQ931Decode doesn't run out-of-bounds.
- ARI: Make ARI applications respect live_dangerously.
- res_rtp_asterisk.c: Address 2 potential T.140 RED buffer overruns.
- Mike Bradeen (3):
- ooh323c: not checking for IE minimum length
- manager: Use remote address in user error logging
- ooh323: Prevent potential buffer overflow in trace logging
- Milan Kyselica (7):
- res_xmpp: Fix stack buffer overflow in namespace prefix handling
- res_pjsip_pubsub: Add width limit to sscanf in MWI NOTIFY parser
- res_config_ldap: Escape LDAP filter values per RFC 4515
- cel_pgsql, cel_tds: Escape eventtype field to prevent SQL injection
- http: Escape error page text to prevent reflected XSS
- codec_codec2: Only process complete Codec2 frames in decoder
- format_ogg_speex: Add bounds check to prevent heap buffer overflow
- Pengpeng Hou (1):
- app_sms: Bound protocol 1 SMS unpacking to fixed-size buffers
- Roberto Paleari (1):
- res/res_pjsip_pubsub.c: Fix buffer over-read in MWI body parser
- ThatTotallyRealMyth (1):
- ast_loggrabber: Install the ast_tsconvert.py script to a secure temp directory.
Commit List:
- ast_loggrabber: Install the ast_tsconvert.py script to a secure temp directory.
- chan_unistim.c: Prevent overrun of phone_number field.
- ooh323c: not checking for IE minimum length
- res_ari: Ensure read-only users are properly authorized via REST Over WebSocket.
- pjsip_message_filter: Use pj_strdup instead of pj_strassign to save local address.
- ooh323c/ooq931.c: Ensure ooQ931Decode doesn't run out-of-bounds.
- ARI: Make ARI applications respect live_dangerously.
- res_rtp_asterisk.c: Address 2 potential T.140 RED buffer overruns.
- res/res_pjsip_pubsub.c: Fix buffer over-read in MWI body parser
- manager: Use remote address in user error logging
- ooh323: Prevent potential buffer overflow in trace logging
- app_sms: Bound protocol 1 SMS unpacking to fixed-size buffers
- res_xmpp: Fix stack buffer overflow in namespace prefix handling
- res_pjsip_pubsub: Add width limit to sscanf in MWI NOTIFY parser
- res_config_ldap: Escape LDAP filter values per RFC 4515
- cel_pgsql, cel_tds: Escape eventtype field to prevent SQL injection
- http: Escape error page text to prevent reflected XSS
- codec_codec2: Only process complete Codec2 frames in decoder
- format_ogg_speex: Add bounds check to prevent heap buffer overflow
Commit Details:
ast_loggrabber: Install the ast_tsconvert.py script to a secure temp directory.
Author: ThatTotallyRealMyth
Date: 2026-03-19
The ast_tsconvert.py script called by ast_loggrabber is now installed in a
temporary directory that isn't world readable or writable.
Resolves: #GHSA-xgj6-2gc5-5x9c
chan_unistim.c: Prevent overrun of phone_number field.
Author: George Joseph
Date: 2026-06-15
Add a check to key_dial_page() to ensure that dialed digits won't overrun
the phone_number field.
Resolves: #GHSA-3g56-cgrh-95p5
ooh323c: not checking for IE minimum length
Author: Mike Bradeen
Date: 2022-06-06
When decoding a Q.931-encoded calling/called number, the length is now
checked against the minimum required.
Resolves: #GHSA-h5hv-jmgj-92q2
res_ari: Ensure read-only users are properly authorized via REST Over WebSocket.
Author: George Joseph
Date: 2026-06-12
The REST over WebSocket path now properly prevents non-GET methods from
being executed on inbound WebSockets.
- The query parameters from the original incoming GET request that caused the
  upgrade to WebSocket are now passed to all REST requests that come from the
  client. This ensures that if the client authenticated with a read-only
  userid using the "api_key" query_string parameter, REST requests coming
  in over the WebSocket will only be able to execute GETs on resources.
  The HTTP headers were already passed to the REST requests so if the
  client had authenticated via an "Authorization" it was properly handled.
- New tests have been added to test_ari.c to check that read-only users
  are properly denied access to resources using non-GET methods. Several
  memory leaks were also squashed.
Resolves: #GHSA-wcvv-g26m-wx5c
pjsip_message_filter: Use pj_strdup instead of pj_strassign to save local address.
Author: George Joseph
Date: 2026-06-10
The filter_on_tx_message() function was using pj_strassign() to save the pointer
of the pjproject transport local address to a local pj_str_t variable. That
variable was ultimately used to set the Contact header's uri->host and the SDP
connection attribute's address again using pj_strassign. pj_strassign() doesn't
copy the actual value of the pj_str_t however, it just copies the pointer so
if a connection-oriented transport is disconnected before the 200 OK with the
SDP is sent, those pointers will be invalid which can cause use-after-free
issues. To prevent this, filter_on_tx_message() now uses pj_strdup with the
tdata->pool as the backing store to save the local IP address to the local
variable. pj_strassign() can then be used safely later on since the tdata
will be available for the life of the transaction.
Resolves: #GHSA-g8q2-p36q-94f6
ooh323c/ooq931.c: Ensure ooQ931Decode doesn't run out-of-bounds.
Author: George Joseph
Date: 2026-06-02
Several bounds checks have been added to ooQ931Decode to prevent it from
running past the end of the data buffer when parsing information elements.
Resolves: #GHSA-746q-794h-cc7f
ARI: Make ARI applications respect live_dangerously.
Author: George Joseph
Date: 2026-05-21
DeveloperNote: ARI applications can no longer call "dangerous" dialplan
functions like DB(), FILE(), SHELL(), CURL(), STAT(), etc. without
enabling "live_dangerously" in asterisk.conf.
Resolves: #GHSA-vrfp-mg3q-3959
res_rtp_asterisk.c: Address 2 potential T.140 RED buffer overruns.
Author: George Joseph
Date: 2026-04-27
- Add check to red_t140_to_red() to ensure that the new primary payload
  can't cause the rtp_red->len array items to wrap or cause an overrun of
  the rtp_red->t140red_data buffer.
- Add check to rtp_red_buffer() to ensure that a T.140 frame to be sent
  can't cause rtp_red->len array items to wrap or cause an overrun of
  the rtp_red->buf_data buffer.
Resolves: #GHSA-vfhr-r9x9-c687
Resolves: #GHSA-j2mm-57pq-jh94
res/res_pjsip_pubsub.c: Fix buffer over-read in MWI body parser
Author: Roberto Paleari
Date: 2026-04-29
Add constraint checks to prevent unauthenticated users from crashing the
Asterisk instance by sending a crafted inbound SIP NOTIFY request with
"Content-Type: application/simple-message-summary".
Resolves: #GHSA-8jw3-ccr9-xrmf
manager: Use remote address in user error logging
Author: Mike Bradeen
Date: 2026-03-30
To avoid a potential null dereference, use the remote address
in error logging when there is no user or the user ACL fails.
Resolves: #GHSA-3rhj-hhw7-m6fw
ooh323: Prevent potential buffer overflow in trace logging
Author: Mike Bradeen
Date: 2026-03-31
Replace a call to vsprintf with a call to ast_vasprintf to
prevent a possible buffer overflow.
Resolves: #GHSA-x348-j6c9-77f3
app_sms: Bound protocol 1 SMS unpacking to fixed-size buffers
Author: Pengpeng Hou
Date: 2026-04-01
The protocol 1 unpack helpers trusted externally controlled lengths and wrote
them directly into fixed-size buffers in sms_t. Clamp the address, header,
and body copies to the destination array sizes so malformed messages cannot
overwrite adjacent state.
Resolves: #GHSA-q9fr-m7g8-6ph5
res_xmpp: Fix stack buffer overflow in namespace prefix handling
Author: Milan Kyselica
Date: 2026-03-26
The snprintf size parameter in xmpp_action_hook() is computed from
the attacker-controlled namespace prefix length and is not bounded
by the 256-byte stack buffer size. When a remote XMPP peer sends a
stanza with a child element whose namespace prefix exceeds 249
characters, snprintf writes past the buffer boundary.
Use sizeof(attr) as the snprintf size limit and %.*s precision to
extract only the prefix portion of the element name, preserving
the original truncation behavior for valid inputs.
Resolves: #GHSA-mxgm-8c6f-5p8f
res_pjsip_pubsub: Add width limit to sscanf in MWI NOTIFY parser
Author: Milan Kyselica
Date: 2026-03-24
The parse_simple_message_summary() function uses sscanf with an
unbounded %s format specifier to parse the Message-Account field
from incoming SIP NOTIFY bodies into a fixed-size 512-byte stack
buffer (PJSIP_MAX_URL_SIZE). A single unauthenticated SIP NOTIFY
with a Message-Account value exceeding 512 bytes overflows the
buffer, corrupting adjacent stack data and permanently disabling
the PJSIP transport layer without crashing the process.
Add a width specifier (%511s) to limit the sscanf write to
PJSIP_MAX_URL_SIZE - 1 bytes plus the NUL terminator, matching
the destination buffer size.
Resolves: #GHSA-589g-qgf8-m6mx
res_config_ldap: Escape LDAP filter values per RFC 4515
Author: Milan Kyselica
Date: 2026-03-23
The LDAP realtime driver constructs search filters by directly
concatenating user-supplied values without RFC 4515 escaping.
When LDAP is used as a realtime backend for endpoint
identification, characters with special meaning in LDAP filters
(*, (, ), ) can be injected via the SIP From header username.
Add ldap_filter_escape_value() that escapes RFC 4515 special
characters to their \HH hex representation, and apply it to
non-LIKE query values. The LIKE query path preserves the existing
wildcard conversion behavior with a note for maintainers.
Resolves: #GHSA-r6c2-hwc2-j4mp
cel_pgsql, cel_tds: Escape eventtype field to prevent SQL injection
Author: Milan Kyselica
Date: 2026-03-23
The eventtype column handler in cel_pgsql.c inserts
record.user_defined_name directly into the SQL query without
calling PQescapeStringConn(), while all other string fields in
the same function are properly escaped. Similarly, cel_tds.c
passes the raw user_defined_name into the SQL INSERT without
routing it through anti_injection(), while all other fields are
processed through that function.
For cel_pgsql.c, escape the eventtype value using
PQescapeStringConn(), matching the existing pattern used for all
other string fields at lines 308-331 of the same function.
For cel_tds.c, route the eventtype value through
anti_injection() consistent with how all other fields are handled
in the same function.
Resolves: #GHSA-ph27-3m5q-mj5m
http: Escape error page text to prevent reflected XSS
Author: Milan Kyselica
Date: 2026-04-08
The text parameter in ast_http_create_response() is inserted into
the HTML body without escaping, while the server name on the same
page is properly escaped via ast_xml_escape(). When res_phoneprov
passes the decoded request URI as the text of a 404 response, HTML
metacharacters in the URI are rendered by the browser.
Apply ast_xml_escape() to the text parameter before inserting it
into the HTML template, using the same function already used for
the server name.
Resolves: #GHSA-4pgv-j3mr-3rcp
codec_codec2: Only process complete Codec2 frames in decoder
Author: Milan Kyselica
Date: 2026-04-08
The codec2_samples() function uses floor division (160 * datalen/6)
to compute expected output samples, but the decode loop condition
(x < datalen) iterates with ceiling behavior when datalen is not a
multiple of CODEC2_FRAME_LEN. This mismatch causes the loop to
decode one extra frame beyond what the framework bounds check
budgeted for, leading to an out-of-bounds write on the output buffer.
Change the loop condition to only process complete frames, matching
the floor-division behavior of codec2_samples(). This also prevents
an out-of-bounds read on the input side when fewer than
CODEC2_FRAME_LEN bytes remain.
Resolves: #GHSA-qf8j-jp7h-c5hx
format_ogg_speex: Add bounds check to prevent heap buffer overflow
Author: Milan Kyselica
Date: 2026-03-23
The ogg_speex_read() function copies OGG packet data via memcpy()
without validating the packet size against the destination buffer
(BUF_SIZE = 200 bytes). A crafted .spx file with an oversized OGG
audio packet causes a heap buffer overflow that corrupts the
adjacent speex_desc structure containing libogg heap pointers,
leading to a crash (SIGSEGV) on playback.
Add a bounds check for both negative and oversized values before
the memcpy, consistent with how format_ogg_vorbis bounds its reads
via ov_read().
Resolves: #GHSA-8jhw-m2hg-vp3h
Asterisk Release 21.12.3
The Asterisk Development Team would like to announce security release
Asterisk 21.12.3.
The release artifacts are available for immediate download at
https://github.com/asterisk/asterisk/releases/tag/21.12.3
and
https://downloads.asterisk.org/pub/telephony/asterisk
Repository: https://github.com/asterisk/asterisk
Tag: 21.12.3
Change Log for Release asterisk-21.12.3
Links:
Summary:
- Commits: 21
- Commit Authors: 7
- Issues Resolved: 0
- Security Advisories Resolved: 20
- GHSA-3g56-cgrh-95p5: chan_unistim DIALPAGE digit handling can overflow phone_number and crash Asterisk
- GHSA-3rhj-hhw7-m6fw: NULL Pointer Dereference in HTTP AMI Digest Authentication
- GHSA-4pgv-j3mr-3rcp: Reflected XSS in Phone Provisioning HTTP Error Pages
- GHSA-589g-qgf8-m6mx: Stack buffer overflow in MWI NOTIFY Message-Account parsing
- GHSA-746q-794h-cc7f: Out-of-Bounds Read in Q.931 Information Element Parser (H.323 Addon)
- GHSA-8jhw-m2hg-vp3h: Heap Buffer Overflow in OGG/Speex File Playback (format_ogg_speex)
- GHSA-8jw3-ccr9-xrmf: Buffer over-read in Asterisk PJSIP MWI body parser
- GHSA-g8q2-p36q-94f6: Heap-use-after-free in Asterisk PJSIP TCP/SDP handling when TCP connection closes during SDP processing
- GHSA-h5hv-jmgj-92q2: CVE-2022-37325 fix is absent from current chan_ooh323 Q.931 party-number parser
- GHSA-j2mm-57pq-jh94: Possible RED T.140 Generation Accumulation OOB Write
- GHSA-mxgm-8c6f-5p8f: Stack buffer overflow in res_xmpp XMPP namespace prefix handling
- GHSA-ph27-3m5q-mj5m: SQL Injection in cel_pgsql and cel_tds via CELGenUserEvent eventtype Field
- GHSA-q9fr-m7g8-6ph5: Asterisk app_sms.c copies externally controlled SMS lengths into fixed in-struct buffers
- GHSA-qf8j-jp7h-c5hx: Out-of-Bounds Write in Codec2 Decoder Due to Floor/Ceil Sample Count Mismatch
- GHSA-r6c2-hwc2-j4mp: LDAP Filter Injection in res_config_ldap via SIP Username (Unauthenticated Information Disclosure)
- GHSA-vfhr-r9x9-c687: Possible RED T.140 Heap Buffer Overflow
- GHSA-vrfp-mg3q-3959: ARI setChannelVar bypasses live_dangerously and permits FILE() writes
- GHSA-wcvv-g26m-wx5c: ARI REST-over-WebSocket read-only bypass allows arbitrary module path load and conditional RCE
- GHSA-x348-j6c9-77f3: Stack Buffer Overflow in H.323 ooTrace() via Unbounded vsprintf into Fixed 2048-byte Buffer
- GHSA-xgj6-2gc5-5x9c: ast_loggrabber executes python script in world writable directory (/tmp) leading to potential privilege escalation And RCE
User Notes:
- acl: Add ACL support to http and ari
A new section, type=restriction has been added to http.conf
to allow an uri prefix based acl to be configured. See
http.conf.sample for examples and more information.
The user section of ari.conf can now contain an acl configuration
to restrict users access. See ari.conf.sample for examples and more
information.
Upgrade Notes:
Developer Notes:
- ARI: Make ARI applications respect live_dangerously.
ARI applications can no longer call "dangerous" dialplan
functions like DB(), FILE(), SHELL(), CURL(), STAT(), etc. without
enabling "live_dangerously" in asterisk.conf.
Resolves: #GHSA-vrfp-mg3q-3959
Commit Authors:
- George Joseph: (6)
- Joshua C. Colp: (1)
- Mike Bradeen: (4)
- Milan Kyselica: (7)
- Pengpeng Hou: (1)
- Roberto Paleari: (1)
- ThatTotallyRealMyth: (1)
Issue and Commit Detail:
Closed Issues:
- !GHSA-3g56-cgrh-95p5: chan_unistim DIALPAGE digit handling can overflow phone_number and crash Asterisk
- !GHSA-3rhj-hhw7-m6fw: NULL Pointer Dereference in HTTP AMI Digest Authentication
- !GHSA-4pgv-j3mr-3rcp: Reflected XSS in Phone Provisioning HTTP Error Pages
- !GHSA-589g-qgf8-m6mx: Stack buffer overflow in MWI NOTIFY Message-Account parsing
- !GHSA-746q-794h-cc7f: Out-of-Bounds Read in Q.931 Information Element Parser (H.323 Addon)
- !GHSA-8jhw-m2hg-vp3h: Heap Buffer Overflow in OGG/Speex File Playback (format_ogg_speex)
- !GHSA-8jw3-ccr9-xrmf: Buffer over-read in Asterisk PJSIP MWI body parser
- !GHSA-g8q2-p36q-94f6: Heap-use-after-free in Asterisk PJSIP TCP/SDP handling when TCP connection closes during SDP processing
- !GHSA-h5hv-jmgj-92q2: CVE-2022-37325 fix is absent from current chan_ooh323 Q.931 party-number parser
- !GHSA-j2mm-57pq-jh94: Possible RED T.140 Generation Accumulation OOB Write
- !GHSA-mxgm-8c6f-5p8f: Stack buffer overflow in res_xmpp XMPP namespace prefix handling
- !GHSA-ph27-3m5q-mj5m: SQL Injection in cel_pgsql and cel_tds via CELGenUserEvent eventtype Field
- !GHSA-q9fr-m7g8-6ph5: Asterisk app_sms.c copies externally controlled SMS lengths into fixed in-struct buffers
- !GHSA-qf8j-jp7h-c5hx: Out-of-Bounds Write in Codec2 Decoder Due to Floor/Ceil Sample Count Mismatch
- !GHSA-r6c2-hwc2-j4mp: LDAP Filter Injection in res_config_ldap via SIP Username (Unauthenticated Information Disclosure)
- !GHSA-vfhr-r9x9-c687: Possible RED T.140 Heap Buffer Overflow
- !GHSA-vrfp-mg3q-3959: ARI setChannelVar bypasses live_dangerously and permits FILE() writes
- !GHSA-wcvv-g26m-wx5c: ARI REST-over-WebSocket read-only bypass allows arbitrary module path load and conditional RCE
- !GHSA-x348-j6c9-77f3: Stack Buffer Overflow in H.323 ooTrace() via Unbounded vsprintf into Fixed 2048-byte Buffer
- !GHSA-xgj6-2gc5-5x9c: ast_loggrabber executes python script in world writable directory (/tmp) leading to potential privilege escalation And RCE
Commits By Author:
- George Joseph (6):
- chan_unistim.c: Prevent overrun of phone_number field.
- res_ari: Ensure read-only users are properly authorized via REST Over WebSocket.
- pjsip_message_filter: Use pj_strdup instead of pj_strassign to save local address.
- ooh323c/ooq931.c: Ensure ooQ931Decode doesn't run out-of-bounds.
- ARI: Make ARI applications respect live_dangerously.
- res_rtp_asterisk.c: Address 2 potential T.140 RED buffer overruns.
- Joshua C. Colp (1):
- build: Fix GCC discarded-qualifiers const errors.
- Mike Bradeen (4):
- ooh323c: not checking for IE minimum length
- manager: Use remote address in user error logging
- ooh323: Prevent potential buffer overflow in trace logging
- acl: Add ACL support to http and ari
- Milan Kyselica (7):
- res_xmpp: Fix stack buffer overflow in namespace prefix handling
- res_pjsip_pubsub: Add width limit to sscanf in MWI NOTIFY parser
- res_config_ldap: Escape LDAP filter values per RFC 4515
- cel_pgsql, cel_tds: Escape eventtype field to prevent SQL injection
- http: Escape error page text to prevent reflected XSS
- codec_codec2: Only process complete Codec2 frames in decoder
- format_ogg_speex: Add bounds check to prevent heap buffer overflow
- Pengpeng Hou (1):
- app_sms: Bound protocol 1 SMS unpacking to fixed-size buffers
- Roberto Paleari (1):
- res/res_pjsip_pubsub.c: Fix buffer over-read in MWI body parser
- ThatTotallyRealMyth (1):
- ast_loggrabber: Install the ast_tsconvert.py script to a secure temp directory.
Commit List:
- ast_loggrabber: Install the ast_tsconvert.py script to a secure temp directory.
- chan_unistim.c: Prevent overrun of phone_number field.
- ooh323c: not checking for IE minimum length
- res_ari: Ensure read-only users are properly authorized via REST Over WebSocket.
- pjsip_message_filter: Use pj_strdup instead of pj_strassign to save local address.
- ooh323c/ooq931.c: Ensure ooQ931Decode doesn't run out-of-bounds.
- ARI: Make ARI applications respect live_dangerously.
- res_rtp_asterisk.c: Address 2 potential T.140 RED buffer overruns.
- res/res_pjsip_pubsub.c: Fix buffer over-read in MWI body parser
- manager: Use remote address in user error logging
- ooh323: Prevent potential buffer overflow in trace logging
- app_sms: Bound protocol 1 SMS unpacking to fixed-size buffers
- res_xmpp: Fix stack buffer overflow in namespace prefix handling
- res_pjsip_pubsub: Add width limit to sscanf in MWI NOTIFY parser
- res_config_ldap: Escape LDAP filter values per RFC 4515
- cel_pgsql, cel_tds: Escape eventtype field to prevent SQL injection
- http: Escape error page text to prevent reflected XSS
- codec_codec2: Only process complete Codec2 frames in decoder
- format_ogg_speex: Add bounds check to prevent heap buffer overflow
- acl: Add ACL support to http and ari
- build: Fix GCC discarded-qualifiers const errors.
Commit Details:
ast_loggrabber: Install the ast_tsconvert.py script to a secure temp directory.
Author: ThatTotallyRealMyth
Date: 2026-03-19
The ast_tsconvert.py script called by ast_loggrabber is now installed in a
temporary directory that isn't world readable or writable.
Resolves: #GHSA-xgj6-2gc5-5x9c
chan_unistim.c: Prevent overrun of phone_number field.
Author: George Joseph
Date: 2026-06-15
Add a check to key_dial_page() to ensure that dialed digits won't overrun
the phone_number field.
Resolves: #GHSA-3g56-cgrh-95p5
ooh323c: not checking for IE minimum length
Author: Mike Bradeen
Date: 2022-06-06
When decoding a Q.931-encoded calling/called number, the length is now
checked against the minimum required.
Resolves: #GHSA-h5hv-jmgj-92q2
res_ari: Ensure read-only users are properly authorized via REST Over WebSocket.
Author: George Joseph
Date: 2026-06-12
The REST over WebSocket path now properly prevents non-GET methods from
being executed on inbound WebSockets.
- The query parameters from the original incoming GET request that caused the
  upgrade to WebSocket are now passed to all REST requests that come from the
  client. This ensures that if the client authenticated with a read-only
  userid using the "api_key" query_string parameter, REST requests coming
  in over the WebSocket will only be able to execute GETs on resources.
  The HTTP headers were already passed to the REST requests so if the
  client had authenticated via an "Authorization" it was properly handled.
- New tests have been added to test_ari.c to check that read-only users
  are properly denied access to resources using non-GET methods. Several
  memory leaks were also squashed.
Resolves: #GHSA-wcvv-g26m-wx5c
pjsip_message_filter: Use pj_strdup instead of pj_strassign to save local address.
Author: George Joseph
Date: 2026-06-10
The filter_on_tx_message() function was using pj_strassign() to save the pointer
of the pjproject transport local address to a local pj_str_t variable. That
variable was ultimately used to set the Contact header's uri->host and the SDP
connection attribute's address again using pj_strassign. pj_strassign() doesn't
copy the actual value of the pj_str_t however, it just copies the pointer so
if a connection-oriented transport is disconnected before the 200 OK with the
SDP is sent, those pointers will be invalid which can cause use-after-free
issues. To prevent this, filter_on_tx_message() now uses pj_strdup with the
tdata->pool as the backing store to save the local IP address to the local
variable. pj_strassign() can then be used safely later on since the tdata
will be available for the life of the transaction.
Resolves: #GHSA-g8q2-p36q-94f6
ooh323c/ooq931.c: Ensure ooQ931Decode doesn't run out-of-bounds.
Author: George Joseph
Date: 2026-06-02
Several bounds checks have been added to ooQ931Decode to prevent it from
running past the end of the data buffer when parsing information elements.
Resolves: #GHSA-746q-794h-cc7f
ARI: Make ARI applications respect live_dangerously.
Author: George Joseph
Date: 2026-05-21
DeveloperNote: ARI applications can no longer call "dangerous" dialplan
functions like DB(), FILE(), SHELL(), CURL(), STAT(), etc. without
enabling "live_dangerously" in asterisk.conf.
Resolves: #GHSA-vrfp-mg3q-3959
res_rtp_asterisk.c: Address 2 potential T.140 RED buffer overruns.
Author: George Joseph
Date: 2026-04-27
- Add check to red_t140_to_red() to ensure that the new primary payload
  can't cause the rtp_red->len array items to wrap or cause an overrun of
  the rtp_red->t140red_data buffer.
- Add check to rtp_red_buffer() to ensure that a T.140 frame to be sent
  can't cause rtp_red->len array items to wrap or cause an overrun of
  the rtp_red->buf_data buffer.
Resolves: #GHSA-vfhr-r9x9-c687
Resolves: #GHSA-j2mm-57pq-jh94
res/res_pjsip_pubsub.c: Fix buffer over-read in MWI body parser
Author: Roberto Paleari
Date: 2026-04-29
Add constraint checks to prevent unauthenticated users from crashing the
Asterisk instance by sending a crafted inbound SIP NOTIFY request with
"Content-Type: application/simple-message-summary".
Resolves: #GHSA-8jw3-ccr9-xrmf
manager: Use remote address in user error logging
Author: Mike Bradeen
Date: 2026-03-30
To avoid a potential null dereference, use the remote address
in error logging when there is no user or the user ACL fails.
Resolves: #GHSA-3rhj-hhw7-m6fw
ooh323: Prevent potential buffer overflow in trace logging
Author: Mike Bradeen
Date: 2026-03-31
Replace a call to vsprintf with a call to ast_vasprintf to
prevent a possible buffer overflow.
Resolves: #GHSA-x348-j6c9-77f3
app_sms: Bound protocol 1 SMS unpacking to fixed-size buffers
Author: Pengpeng Hou
Date: 2026-04-01
The protocol 1 unpack helpers trusted externally controlled lengths and wrote
them directly into fixed-size buffers in sms_t. Clamp the address, header,
and body copies to the destination array sizes so malformed messages cannot
overwrite adjacent state.
Resolves: #GHSA-q9fr-m7g8-6ph5
res_xmpp: Fix stack buffer overflow in namespace prefix handling
Author: Milan Kyselica
Date: 2026-03-26
The snprintf size parameter in xmpp_action_hook() is computed from
the attacker-controlled namespace prefix length and is not bounded
by the 256-byte stack buffer size. When a remote XMPP peer sends a
stanza with a child element whose namespace prefix exceeds 249
characters, snprintf writes past the buffer boundary.
Use sizeof(attr) as the snprintf size limit and %.*s precision to
extract only the prefix portion of the element name, preserving
the original truncation behavior for valid inputs.
Resolves: #GHSA-mxgm-8c6f-5p8f
res_pjsip_pubsub: Add width limit to sscanf in MWI NOTIFY parser
Author: Milan Kyselica
Date: 2026-03-24
The parse_simple_message_summary() function uses sscanf with an
unbounded %s format specifier to parse the Message-Account field
from incoming SIP NOTIFY bodies into a fixed-size 512-byte stack
buffer (PJSIP_MAX_URL_SIZE). A single unauthenticated SIP NOTIFY
with a Message-Account value exceeding 512 bytes overflows the
buffer, corrupting adjacent stack data and permanently disabling
the PJSIP transport layer without crashing the process.
Add a width specifier (%511s) to limit the sscanf write to
PJSIP_MAX_URL_SIZE - 1 bytes plus the NUL terminator, matching
the destination buffer size.
Resolves: #GHSA-589g-qgf8-m6mx
res_config_ldap: Escape LDAP filter values per RFC 4515
Author: Milan Kyselica
Date: 2026-03-23
The LDAP realtime driver constructs search filters by directly
concatenating user-supplied values without RFC 4515 escaping.
When LDAP is used as a realtime backend for endpoint
identification, characters with special meaning in LDAP filters
(*, (, ), ) can be injected via the SIP From header username.
Add ldap_filter_escape_value() that escapes RFC 4515 special
characters to their \HH hex representation, and apply it to
non-LIKE query values. The LIKE query path preserves the existing
wildcard conversion behavior with a note for maintainers.
Resolves: #GHSA-r6c2-hwc2-j4mp
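The RFC 4515 escaping this commit describes, as an added example that is not Asterisk's code (it also serves the identical entry in the earlier release's change log above): ldap_filter_escape_value_demo() and build_equality_filter_demo() are constructed names, and the username is constructed input. The escaper covers the full RFC 4515 set, so it also handles the backslash, which the commit text does not list.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Constructed RFC 4515 filter-value escaper (not Asterisk's own code).
 * RFC 4515 reserves five octets inside a filter value: '*' (0x2a),
 * '(' (0x28), ')' (0x29), '\' (0x5c) and NUL (0x00); each becomes a
 * backslash plus two hex digits.  NUL cannot occur inside a C string, so
 * only the first four are handled here.
 *
 * Returns the length written (without the terminating NUL), or -1 when
 * dst is too small.  The value is never silently truncated: a truncated
 * escape could change the meaning of the filter it is embedded in.
 */
static int ldap_filter_escape_value_demo(char *dst, size_t dstlen, const char *src)
{
    static const char hex[] = "0123456789abcdef";
    const unsigned char *p;
    size_t out = 0;

    if (dstlen == 0) {
        return -1;
    }
    for (p = (const unsigned char *)src; *p != '\0'; p++) {
        int special = (*p == '*' || *p == '(' || *p == ')' || *p == '\\');
        size_t need = special ? 3 : 1;

        if (out + need >= dstlen) {        /* keep room for the NUL */
            dst[0] = '\0';
            return -1;
        }
        if (special) {
            dst[out++] = '\\';
            dst[out++] = hex[*p >> 4];
            dst[out++] = hex[*p & 0x0f];
        } else {
            dst[out++] = (char)*p;
        }
    }
    dst[out] = '\0';
    return (int)out;
}

/*
 * Builds the equality filter "(attr=value)" a realtime endpoint lookup keyed
 * on the SIP From username would use.  The value is escaped first, so any
 * filter metacharacters in the username stay inside this single attribute
 * test.  attr is assumed to be a trusted, administrator-configured name.
 */
static int build_equality_filter_demo(char *dst, size_t dstlen,
                                      const char *attr, const char *username)
{
    char escaped[512];
    int n;

    if (ldap_filter_escape_value_demo(escaped, sizeof(escaped), username) < 0) {
        return -1;
    }
    n = snprintf(dst, dstlen, "(%s=%s)", attr, escaped);
    if (n < 0 || (size_t)n >= dstlen) {
        return -1;
    }
    return n;
}

/* Check helpers: return value of the escaper for a given dst size, and
 * 1 when the escaped value / built filter equals the expected string. */
static int escaped_length(const char *src, size_t dstlen)
{
    char buf[64];
    return ldap_filter_escape_value_demo(buf, dstlen < sizeof(buf) ? dstlen : sizeof(buf), src);
}

static int escaped_equals(const char *src, const char *expected)
{
    char buf[64];
    return ldap_filter_escape_value_demo(buf, sizeof(buf), src) >= 0
        && strcmp(buf, expected) == 0;
}

static int filter_equals(const char *attr, const char *username, const char *expected)
{
    char buf[128];
    return build_equality_filter_demo(buf, sizeof(buf), attr, username) >= 0
        && strcmp(buf, expected) == 0;
}

int main(void)
{
    char filter[128];

    /* Constructed username containing the metacharacters the advisory names. */
    if (build_equality_filter_demo(filter, sizeof(filter), "uid", "bob)(") > 0) {
        printf("%s\n", filter);   /* (uid=bob\29\28) */
    }
    return 0;
}
```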
cel_pgsql, cel_tds: Escape eventtype field to prevent SQL injection
Author: Milan Kyselica
Date: 2026-03-23
The eventtype column handler in cel_pgsql.c inserts
record.user_defined_name directly into the SQL query without
calling PQescapeStringConn(), while all other string fields in
the same function are properly escaped. Similarly, cel_tds.c
passes the raw user_defined_name into the SQL INSERT without
routing it through anti_injection(), while all other fields are
processed through that function.
For cel_pgsql.c, escape the eventtype value using
PQescapeStringConn(), matching the existing pattern used for all
other string fields at lines 308-331 of the same function.
For cel_tds.c, route the eventtype value through
anti_injection() consistent with how all other fields are handled
in the same function.
Resolves: #GHSA-ph27-3m5q-mj5m
http: Escape error page text to prevent reflected XSS
Author: Milan Kyselica
Date: 2026-04-08
The text parameter in ast_http_create_response() is inserted into
the HTML body without escaping, while the server name on the same
page is properly escaped via ast_xml_escape(). When res_phoneprov
passes the decoded request URI as the text of a 404 response, HTML
metacharacters in the URI are rendered by the browser.
Apply ast_xml_escape() to the text parameter before inserting it
into the HTML template, using the same function already used for
the server name.
Resolves: #GHSA-4pgv-j3mr-3rcp
codec_codec2: Only process complete Codec2 frames in decoder
Author: Milan Kyselica
Date: 2026-04-08
The codec2_samples() function uses floor division (160 * datalen/6)
to compute expected output samples, but the decode loop condition
(x < datalen) iterates with ceiling behavior when datalen is not a
multiple of CODEC2_FRAME_LEN. This mismatch causes the loop to
decode one extra frame beyond what the framework bounds check
budgeted for, leading to an out-of-bounds write on the output buffer.
Change the loop condition to only process complete frames, matching
the floor-division behavior of codec2_samples(). This also prevents
an out-of-bounds read on the input side when fewer than
CODEC2_FRAME_LEN bytes remain.
Resolves: #GHSA-qf8j-jp7h-c5hx
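The floor/ceil mismatch this commit describes, modelled as an added example that is not Asterisk's code (it also covers the identical entry in the earlier release's change log above): samples_budget(), decode_sim() and the accessor names are constructed, the constants follow the 160 * datalen / 6 formula quoted in the commit, and the datalen values are constructed inputs.

```c
#include <stdio.h>

/*
 * Constructed model of the codec_codec2 budget mismatch (not Asterisk's own
 * code).  Each CODEC2_FRAME_LEN-byte frame decodes to SAMPLES_PER_FRAME PCM
 * samples, which is where the 160 * datalen / 6 budget comes from.
 */
#define CODEC2_FRAME_LEN  6     /* input bytes per Codec2 frame */
#define SAMPLES_PER_FRAME 160   /* PCM samples produced per frame */

/* Mirrors codec2_samples(): integer (floor) division, so a trailing partial
 * frame contributes fewer than SAMPLES_PER_FRAME samples to the budget the
 * framework's bounds check allows for. */
static int samples_budget(int datalen)
{
    return SAMPLES_PER_FRAME * datalen / CODEC2_FRAME_LEN;
}

struct decode_result {
    int frames;        /* frames the loop processed */
    int out_overrun;   /* samples the loop would write past the budgeted output */
    int in_overread;   /* input bytes the last frame would read past datalen */
};

/*
 * Simulates the decode loop without touching real memory.  fixed == 0 uses
 * the original condition (x < datalen), which also admits a partial trailing
 * frame; fixed == 1 uses the patched condition (x + CODEC2_FRAME_LEN <= datalen),
 * which processes complete frames only.
 */
static struct decode_result decode_sim(int datalen, int fixed)
{
    struct decode_result r = { 0, 0, 0 };
    int budget = samples_budget(datalen);
    int written = 0;
    int x;

    for (x = 0;
         fixed ? (x + CODEC2_FRAME_LEN <= datalen) : (x < datalen);
         x += CODEC2_FRAME_LEN) {
        /* A real decoder reads data[x .. x + CODEC2_FRAME_LEN - 1] here... */
        if (x + CODEC2_FRAME_LEN > datalen) {
            r.in_overread += x + CODEC2_FRAME_LEN - datalen;
        }
        written += SAMPLES_PER_FRAME;   /* ...and emits one frame of PCM. */
        r.frames++;
    }
    if (written > budget) {
        r.out_overrun = written - budget;
    }
    return r;
}

/* Scalar accessors so each outcome can be checked on its own. */
static int frames_decoded(int datalen, int fixed) { return decode_sim(datalen, fixed).frames; }
static int output_overrun(int datalen, int fixed) { return decode_sim(datalen, fixed).out_overrun; }
static int input_overread(int datalen, int fixed) { return decode_sim(datalen, fixed).in_overread; }

int main(void)
{
    int datalen = 13;   /* constructed: two complete frames plus one stray byte */
    int fixed;

    for (fixed = 0; fixed <= 1; fixed++) {
        struct decode_result r = decode_sim(datalen, fixed);
        printf("%s loop: %d frames, %d samples over budget, %d input bytes over-read\n",
               fixed ? "patched " : "original", r.frames, r.out_overrun, r.in_overread);
    }
    return 0;
}
```

With 13 input bytes the budget is 346 samples; the original loop decodes three frames (480 samples, 134 past the budget, 5 bytes past the input), the patched loop two.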
format_ogg_speex: Add bounds check to prevent heap buffer overflow
Author: Milan Kyselica
Date: 2026-03-23
The ogg_speex_read() function copies OGG packet data via memcpy()
without validating the packet size against the destination buffer
(BUF_SIZE = 200 bytes). A crafted .spx file with an oversized OGG
audio packet causes a heap buffer overflow that corrupts the
adjacent speex_desc structure containing libogg heap pointers,
leading to a crash (SIGSEGV) on playback.
Add a bounds check for both negative and oversized values before
the memcpy, consistent with how format_ogg_vorbis bounds its reads
via ov_read().
Resolves: #GHSA-8jhw-m2hg-vp3h
acl: Add ACL support to http and ari
Author: Mike Bradeen
Date: 2026-02-27
Add uri prefix based acl support to the built in http server.
This allows an acl to be added per uri prefix (i.e. '/metrics'
or '/ws') to restrict access.
Add user based acl support for ARI. This adds new acl options
to the user section of ari.conf to restrict access on a per
user basis.
resolves: #1799
UserNote: A new section, type=restriction has been added to http.conf
to allow a uri prefix based acl to be configured. See
http.conf.sample for examples and more information.
The user section of ari.conf can now contain an acl configuration
to restrict users' access. See ari.conf.sample for examples and more
information.
build: Fix GCC discarded-qualifiers const errors.
Author: Joshua C. Colp
Date: 2026-02-12
GCC 15.2.1 pays attention to the discarding of the const
qualifier when strchr, strrchr, memchr, or memrchr are now
used. This change fixes numerous errors with this throughout
the tree. The fixes can be broken down into the following:
- The return value should be considered const.
- The value passed to strchr or strrchr can be cast as it is
expected and allowed to be modified.
- The pointer passed to strchr or strrchr is not meant to be
modified and so the contents must be duplicated.
- It was declared const and never should have been.
Asterisk Release 20.20.1
The Asterisk Development Team would like to announce security release
Asterisk 20.20.1.
The release artifacts are available for immediate download at
https://github.com/asterisk/asterisk/releases/tag/20.20.1
and
https://downloads.asterisk.org/pub/telephony/asterisk
Repository: https://github.com/asterisk/asterisk
Tag: 20.20.1
Change Log for Release asterisk-20.20.1
Links:
Summary:
- Commits: 18
- Commit Authors: 6
- Issues Resolved: 0
- Security Advisories Resolved: 19
- GHSA-3g56-cgrh-95p5: chan_unistim DIALPAGE digit handling can overflow phone_number and crash Asterisk
- GHSA-3rhj-hhw7-m6fw: NULL Pointer Dereference in HTTP AMI Digest Authentication
- GHSA-4pgv-j3mr-3rcp: Reflected XSS in Phone Provisioning HTTP Error Pages
- GHSA-589g-qgf8-m6mx: Stack buffer overflow in MWI NOTIFY Message-Account parsing
- GHSA-746q-794h-cc7f: Out-of-Bounds Read in Q.931 Information Element Parser (H.323 Addon)
- GHSA-8jhw-m2hg-vp3h: Heap Buffer Overflow in OGG/Speex File Playback (format_ogg_speex)
- GHSA-8jw3-ccr9-xrmf: Buffer over-read in Asterisk PJSIP MWI body parser
- GHSA-g8q2-p36q-94f6: Heap-use-after-free in Asterisk PJSIP TCP/SDP handling when TCP connection closes during SDP processing
- GHSA-j2mm-57pq-jh94: Possible RED T.140 Generation Accumulation OOB Write
- GHSA-mxgm-8c6f-5p8f: Stack buffer overflow in res_xmpp XMPP namespace prefix handling
- GHSA-ph27-3m5q-mj5m: SQL Injection in cel_pgsql and cel_tds via CELGenUserEvent eventtype Field
- GHSA-q9fr-m7g8-6ph5: Asterisk app_sms.c copies externally controlled SMS lengths into fixed in-struct buffers
- GHSA-qf8j-jp7h-c5hx: Out-of-Bounds Write in Codec2 Decoder Due to Floor/Ceil Sample Count Mismatch
- GHSA-r6c2-hwc2-j4mp: LDAP Filter Injection in res_config_ldap via SIP Username (Unauthenticated Information Disclosure)
- GHSA-vfhr-r9x9-c687: Possible RED T.140 Heap Buffer Overflow
- GHSA-vrfp-mg3q-3959: ARI setChannelVar bypasses live_dangerously and permits FILE() writes
- GHSA-wcvv-g26m-wx5c: ARI REST-over-WebSocket read-only bypass allows arbitrary module path load and conditional RCE
- GHSA-x348-j6c9-77f3: Stack Buffer Overflow in H.323 ooTrace() via Unbounded vsprintf into Fixed 2048-byte Buffer
- GHSA-xgj6-2gc5-5x9c: ast_loggrabber executes python script in world writable directory (/tmp) leading to potential privilege escalation And RCE
User Notes:
Upgrade Notes:
Developer Notes:
-
ARI: Make ARI applications respect live_dangerously.
ARI applications can no longer call "dangerous" dialplan
functions like DB(), FILE(), SHELL(), CURL(), STAT(), etc. without
enabling "live_dangerously" in asterisk.conf.
Resolves: #GHSA-vrfp-mg3q-3959
Commit Authors:
- George Joseph: (6)
- Mike Bradeen: (2)
- Milan Kyselica: (7)
- Pengpeng Hou: (1)
- Roberto Paleari: (1)
- ThatTotallyRealMyth: (1)
Issue and Commit Detail:
Closed Issues:
- !GHSA-3g56-cgrh-95p5: chan_unistim DIALPAGE digit handling can overflow phone_number and crash Asterisk
- !GHSA-3rhj-hhw7-m6fw: NULL Pointer Dereference in HTTP AMI Digest Authentication
- !GHSA-4pgv-j3mr-3rcp: Reflected XSS in Phone Provisioning HTTP Error Pages
- !GHSA-589g-qgf8-m6mx: Stack buffer overflow in MWI NOTIFY Message-Account parsing
- !GHSA-746q-794h-cc7f: Out-of-Bounds Read in Q.931 Information Element Parser (H.323 Addon)
- !GHSA-8jhw-m2hg-vp3h: Heap Buffer Overflow in OGG/Speex File Playback (format_ogg_speex)
- !GHSA-8jw3-ccr9-xrmf: Buffer over-read in Asterisk PJSIP MWI body parser
- !GHSA-g8q2-p36q-94f6: Heap-use-after-free in Asterisk PJSIP TCP/SDP handling when TCP connection closes during SDP processing
- !GHSA-j2mm-57pq-jh94: Possible RED T.140 Generation Accumulation OOB Write
- !GHSA-mxgm-8c6f-5p8f: Stack buffer overflow in res_xmpp XMPP namespace prefix handling
- !GHSA-ph27-3m5q-mj5m: SQL Injection in cel_pgsql and cel_tds via CELGenUserEvent eventtype Field
- !GHSA-q9fr-m7g8-6ph5: Asterisk app_sms.c copies externally controlled SMS lengths into fixed in-struct buffers
- !GHSA-qf8j-jp7h-c5hx: Out-of-Bounds Write in Codec2 Decoder Due to Floor/Ceil Sample Count Mismatch
- !GHSA-r6c2-hwc2-j4mp: LDAP Filter Injection in res_config_ldap via SIP Username (Unauthenticated Information Disclosure)
- !GHSA-vfhr-r9x9-c687: Possible RED T.140 Heap Buffer Overflow
- !GHSA-vrfp-mg3q-3959: ARI setChannelVar bypasses live_dangerously and permits FILE() writes
- !GHSA-wcvv-g26m-wx5c: ARI REST-over-WebSocket read-only bypass allows arbitrary module path load and conditional RCE
- !GHSA-x348-j6c9-77f3: Stack Buffer Overflow in H.323 ooTrace() via Unbounded vsprintf into Fixed 2048-byte Buffer
- !GHSA-xgj6-2gc5-5x9c: ast_loggrabber executes python script in world writable directory (/tmp) leading to potential privilege escalation And RCE
Commits By Author:
-
George Joseph (6):
- chan_unistim.c: Prevent overrun of phone_number field.
- res_ari: Ensure read-only users are properly authorized via REST Over WebSocket.
- pjsip_message_filter: Use pj_strdup instead of pj_strassign to save local address.
- ooh323c/ooq931.c: Ensure ooQ931Decode doesn't run out-of-bounds.
- ARI: Make ARI applications respect live_dangerously.
- res_rtp_asterisk.c: Address 2 potential T.140 RED buffer overruns.
-
Mike Bradeen (2):
- manager: Use remote address in user error logging
- ooh323: Prevent potential buffer overflow in trace logging
-
Milan Kyselica (7):
- res_xmpp: Fix stack buffer overflow in namespace prefix handling
- res_pjsip_pubsub: Add width limit to sscanf in MWI NOTIFY parser
- res_config_ldap: Escape LDAP filter values per RFC 4515
- cel_pgsql, cel_tds: Escape eventtype field to prevent SQL injection
- http: Escape error page text to prevent reflected XSS
- codec_codec2: Only process complete Codec2 frames in decoder
- format_ogg_speex: Add bounds check to prevent heap buffer overflow
-
Pengpeng Hou (1):
- app_sms: Bound protocol 1 SMS unpacking to fixed-size buffers
-
Roberto Paleari (1):
- res/res_pjsip_pubsub.c: Fix buffer over-read in MWI body parser
-
ThatTotallyRealMyth (1):
- ast_loggrabber: Install the ast_tsconvert.py script to a secure temp directory.
Commit List:
- ast_loggrabber: Install the ast_tsconvert.py script to a secure temp directory.
- chan_unistim.c: Prevent overrun of phone_number field.
- res_ari: Ensure read-only users are properly authorized via REST Over WebSocket.
- pjsip_message_filter: Use pj_strdup instead of pj_strassign to save local address.
- ooh323c/ooq931.c: Ensure ooQ931Decode doesn't run out-of-bounds.
- ARI: Make ARI applications respect live_dangerously.
- res_rtp_asterisk.c: Address 2 potential T.140 RED buffer overruns.
- res/res_pjsip_pubsub.c: Fix buffer over-read in MWI body parser
- manager: Use remote address in user error logging
- ooh323: Prevent potential buffer overflow in trace logging
- app_sms: Bound protocol 1 SMS unpacking to fixed-size buffers
- res_xmpp: Fix stack buffer overflow in namespace prefix handling
- res_pjsip_pubsub: Add width limit to sscanf in MWI NOTIFY parser
- res_config_ldap: Escape LDAP filter values per RFC 4515
- cel_pgsql, cel_tds: Escape eventtype field to prevent SQL injection
- http: Escape error page text to prevent reflected XSS
- codec_codec2: Only process complete Codec2 frames in decoder
- format_ogg_speex: Add bounds check to prevent heap buffer overflow
Commit Details:
ast_loggrabber: Install the ast_tsconvert.py script to a secure temp directory.
Author: ThatTotallyRealMyth
Date: 2026-03-19
The ast_tsconvert.py script called by ast_loggrabber is now installed in a
temporary directory that isn't world readable or writable.
Resolves: #GHSA-xgj6-2gc5-5x9c
chan_unistim.c: Prevent overrun of phone_number field.
Author: George Joseph
Date: 2026-06-15
Add a check to key_dial_page() to ensure that dialed digits won't overrun
the phone_number field.
Resolves: #GHSA-3g56-cgrh-95p5
res_ari: Ensure read-only users are properly authorized via REST Over WebSocket.
Author: George Joseph
Date: 2026-06-12
- The REST over WebSocket path now properly prevents non-GET methods from
being executed on inbound WebSockets.
- The query parameters from the original incoming GET request that caused the
upgrade to WebSocket are now passed to all REST requests that come from the
client. This ensures that if the client authenticated with a read-only
userid using the "api_key" query_string parameter, REST requests coming
in over the WebSocket will only be able to execute GETs on resources.
The HTTP headers were already passed to the REST requests so if the
client had authenticated via an "Authorization" it was properly handled.
- New tests have been added to test_ari.c to check that read-only users
are properly denied access to resources using non-GET methods. Several
memory leaks were also squashed.
Resolves: #GHSA-wcvv-g26m-wx5c
pjsip_message_filter: Use pj_strdup instead of pj_strassign to save local address.
Author: George Joseph
Date: 2026-06-10
The filter_on_tx_message() function was using pj_strassign() to save the pointer
of the pjproject transport local address to a local pj_str_t variable. That
variable was ultimately used to set the Contact header's uri->host and the SDP
connection attribute's address again using pj_strassign. pj_strassign() doesn't
copy the actual value of the pj_str_t however, it just copies the pointer so
if a connection-oriented transport is disconnected before the 200 OK with the
SDP is sent, those pointers will be invalid which can cause use-after-free
issues. To prevent this, filter_on_tx_message() now uses pj_strdup with the
tdata->pool as the backing store to save the local IP address to the local
variable. pj_strassign() can then be used safely later on since the tdata
will be available for the life of the transaction.
Resolves: #GHSA-g8q2-p36q-94f6
ooh323c/ooq931.c: Ensure ooQ931Decode doesn't run out-of-bounds.
Author: George Joseph
Date: 2026-06-02
Several bounds checks have been added to ooQ931Decode to prevent it from
running past the end of the data buffer when parsing information elements.
Resolves: #GHSA-746q-794h-cc7f
ARI: Make ARI applications respect live_dangerously.
Author: George Joseph
Date: 2026-05-21
DeveloperNote: ARI applications can no longer call "dangerous" dialplan
functions like DB(), FILE(), SHELL(), CURL(), STAT(), etc. without
enabling "live_dangerously" in asterisk.conf.
Resolves: #GHSA-vrfp-mg3q-3959
res_rtp_asterisk.c: Address 2 potential T.140 RED buffer overruns.
Author: George Joseph
Date: 2026-04-27
- Add check to red_t140_to_red() to ensure that the new primary payload
can't cause the rtp_red->len array items to wrap or cause an overrun of
the rtp_red->t140red_data buffer.
- Add check to rtp_red_buffer() to ensure that a T.140 frame to be sent
can't cause rtp_red->len array items to wrap or cause an overrun of
the rtp_red->buf_data buffer.
Resolves: #GHSA-vfhr-r9x9-c687
Resolves: #GHSA-j2mm-57pq-jh94
res/res_pjsip_pubsub.c: Fix buffer over-read in MWI body parser
Author: Roberto Paleari
Date: 2026-04-29
Add constraint checks to prevent unauthenticated users from crashing the
Asterisk instance by sending a crafted inbound SIP NOTIFY request with
"Content-Type: application/simple-message-summary".
Resolves: #GHSA-8jw3-ccr9-xrmf
manager: Use remote address in user error logging
Author: Mike Bradeen
Date: 2026-03-30
To avoid a potential null dereference use the remote address
in error logging when there is no user or the user acl fails.
Resolves: #GHSA-3rhj-hhw7-m6fw
ooh323: Prevent potential buffer overflow in trace logging
Author: Mike Bradeen
Date: 2026-03-31
Replace a call to vsprintf with a call to ast_vasprintf to
prevent a possible buffer overflow.
Resolves: #GHSA-x348-j6c9-77f3
app_sms: Bound protocol 1 SMS unpacking to fixed-size buffers
Author: Pengpeng Hou
Date: 2026-04-01
The protocol 1 unpack helpers trusted externally controlled lengths and wrote
them directly into fixed-size buffers in sms_t. Clamp the address, header,
and body copies to the destination array sizes so malformed messages cannot
overwrite adjacent state.
Resolves: #GHSA-q9fr-m7g8-6ph5
res_xmpp: Fix stack buffer overflow in namespace prefix handling
Author: Milan Kyselica
Date: 2026-03-26
The snprintf size parameter in xmpp_action_hook() is computed from
the attacker-controlled namespace prefix length and is not bounded
by the 256-byte stack buffer size. When a remote XMPP peer sends a
stanza with a child element whose namespace prefix exceeds 249
characters, snprintf writes past the buffer boundary.
Use sizeof(attr) as the snprintf size limit and %.*s precision to
extract only the prefix portion of the element name, preserving
the original truncation behavior for valid inputs.
Resolves: #GHSA-mxgm-8c6f-5p8f
res_pjsip_pubsub: Add width limit to sscanf in MWI NOTIFY parser
Author: Milan Kyselica
Date: 2026-03-24
The parse_simple_message_summary() function uses sscanf with an
unbounded %s format specifier to parse the Message-Account field
from incoming SIP NOTIFY bodies into a fixed-size 512-byte stack
buffer (PJSIP_MAX_URL_SIZE). A single unauthenticated SIP NOTIFY
with a Message-Account value exceeding 512 bytes overflows the
buffer, corrupting adjacent stack data and permanently disabling
the PJSIP transport layer without crashing the process.
Add a width specifier (%511s) to limit the sscanf write to
PJSIP_MAX_URL_SIZE - 1 bytes plus the NUL terminator, matching
the destination buffer size.
Resolves: #GHSA-589g-qgf8-m6mx
res_config_ldap: Escape LDAP filter values per RFC 4515
Author: Milan Kyselica
Date: 2026-03-23
The LDAP realtime driver constructs search filters by directly
concatenating user-supplied values without RFC 4515 escaping.
When LDAP is used as a realtime backend for endpoint
identification, characters with special meaning in LDAP filters
(*, (, ), \) can be injected via the SIP From header username.
Add ldap_filter_escape_value() that escapes RFC 4515 special
characters to their \HH hex representation, and apply it to
non-LIKE query values. The LIKE query path preserves the existing
wildcard conversion behavior with a note for maintainers.
Resolves: #GHSA-r6c2-hwc2-j4mp
cel_pgsql, cel_tds: Escape eventtype field to prevent SQL injection
Author: Milan Kyselica
Date: 2026-03-23
The eventtype column handler in cel_pgsql.c inserts
record.user_defined_name directly into the SQL query without
calling PQescapeStringConn(), while all other string fields in
the same function are properly escaped. Similarly, cel_tds.c
passes the raw user_defined_name into the SQL INSERT without
routing it through anti_injection(), while all other fields are
processed through that function.
For cel_pgsql.c, escape the eventtype value using
PQescapeStringConn(), matching the existing pattern used for all
other string fields at lines 308-331 of the same function.
For cel_tds.c, route the eventtype value through
anti_injection() consistent with how all other fields are handled
in the same function.
Resolves: #GHSA-ph27-3m5q-mj5m
http: Escape error page text to prevent reflected XSS
Author: Milan Kyselica
Date: 2026-04-08
The text parameter in ast_http_create_response() is inserted into
the HTML body without escaping, while the server name on the same
page is properly escaped via ast_xml_escape(). When res_phoneprov
passes the decoded request URI as the text of a 404 response, HTML
metacharacters in the URI are rendered by the browser.
Apply ast_xml_escape() to the text parameter before inserting it
into the HTML template, using the same function already used for
the server name.
Resolves: #GHSA-4pgv-j3mr-3rcp
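To make the escaping step concrete, here is an added example in C. It is not Asterisk's ast_http_create_response() or ast_xml_escape(); the function names html_escape() and build_error_page(), the page template and the buffer sizes are assumptions made for the example. It shows the point of the fix: the request-derived text goes through the same escaper as the server name before the template is filled in, so a URI that carries markup is rendered as text rather than interpreted.

```c
#include <stdio.h>
#include <string.h>

/* Constructed example in the spirit of ast_xml_escape(), not Asterisk's
 * implementation: replace the five characters that matter in HTML/XML text
 * and attribute context. Returns 0 on success, -1 if out is too small (the
 * output must then not be used). */
int html_escape(const char *in, char *out, size_t outlen)
{
    size_t n = 0;

    if (outlen == 0) {
        return -1;
    }
    for (; *in; in++) {
        const char *rep;
        char one[2];
        size_t rlen;

        one[0] = *in;
        one[1] = '\0';
        switch (*in) {
        case '&':  rep = "&amp;";  break;
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        default:   rep = one;      break;
        }
        rlen = strlen(rep);
        if (n + rlen >= outlen) {
            return -1;      /* would not leave room for the terminator */
        }
        memcpy(out + n, rep, rlen);
        n += rlen;
    }
    out[n] = '\0';
    return 0;
}

/* Assemble an error page the way the fix does: every value that came from the
 * request (here the text, which may be a decoded URI) goes through the same
 * escaper as the server name before it touches the template. The template
 * itself is hypothetical. Returns 0 on success, -1 if anything did not fit. */
int build_error_page(char *out, size_t outlen, int status,
                     const char *server_name, const char *text)
{
    char safe_name[256];
    char safe_text[1024];
    int rc;

    if (html_escape(server_name, safe_name, sizeof safe_name) ||
        html_escape(text, safe_text, sizeof safe_text)) {
        return -1;
    }
    rc = snprintf(out, outlen,
        "<html><head><title>%d</title></head>"
        "<body><h1>%s</h1><hr><address>%s</address></body></html>",
        status, safe_text, safe_name);
    return (rc < 0 || (size_t) rc >= outlen) ? -1 : 0;
}
```

Both functions fail closed: an escaped value that does not fit its buffer aborts page construction instead of emitting a partially escaped string, which is the failure mode to avoid when the escaper is the only thing standing between a request value and the browser.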
codec_codec2: Only process complete Codec2 frames in decoder
Author: Milan Kyselica
Date: 2026-04-08
The codec2_samples() function uses floor division (160 * datalen/6)
to compute expected output samples, but the decode loop condition
(x < datalen) iterates with ceiling behavior when datalen is not a
multiple of CODEC2_FRAME_LEN. This mismatch causes the loop to
decode one extra frame beyond what the framework bounds check
budgeted for, leading to an out-of-bounds write on the output buffer.
Change the loop condition to only process complete frames, matching
the floor-division behavior of codec2_samples(). This also prevents
an out-of-bounds read on the input side when fewer than
CODEC2_FRAME_LEN bytes remain.
Resolves: #GHSA-qf8j-jp7h-c5hx
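The floor/ceiling mismatch is easy to see with the two loop shapes side by side. The following is an added example in C, not codec_codec2's code or libcodec2: the frame size and samples-per-frame figures are the ones quoted above, the decoder is a constructed stand-in, and the function names are assumptions. frames_old_loop() counts what a loop with condition x < datalen would decode; frames_fixed_loop() counts only complete frames, which is what the floor-division budget of codec2_samples() pays for.

```c
#include <stdint.h>
#include <string.h>

/* Figures quoted in the commit message: 6 input bytes decode to 160 samples. */
#define CODEC2_FRAME_LEN 6
#define CODEC2_SAMPLES_PER_FRAME 160

/* The framework's sample budget: floor division, as in codec2_samples(). */
int codec2_samples(int datalen)
{
    return CODEC2_SAMPLES_PER_FRAME * datalen / CODEC2_FRAME_LEN;
}

/* Number of frames the pre-fix loop shape (x < datalen) would decode:
 * a trailing partial frame is counted as a whole one. */
int frames_old_loop(int datalen)
{
    int x, n = 0;
    for (x = 0; x < datalen; x += CODEC2_FRAME_LEN) {
        n++;
    }
    return n;
}

/* Number of frames the fixed loop shape decodes: complete frames only. */
int frames_fixed_loop(int datalen)
{
    int x, n = 0;
    for (x = 0; x + CODEC2_FRAME_LEN <= datalen; x += CODEC2_FRAME_LEN) {
        n++;
    }
    return n;
}

/* Constructed stand-in for the real decoder (not libcodec2): each frame
 * yields 160 samples equal to its first byte, enough to observe the writes. */
static void fake_codec2_decode(int16_t *out, const uint8_t *in)
{
    int i;
    for (i = 0; i < CODEC2_SAMPLES_PER_FRAME; i++) {
        out[i] = in[0];
    }
}

/* Decode complete frames only, and additionally refuse to exceed the caller's
 * sample budget. The second check is belt and braces: with the fixed loop
 * condition and out_samples == codec2_samples(datalen) it never fires.
 * Returns samples written, or -1 if a frame would not fit. */
int decode_complete_frames(const uint8_t *data, int datalen, int16_t *out, int out_samples)
{
    int x, written = 0;
    for (x = 0; x + CODEC2_FRAME_LEN <= datalen; x += CODEC2_FRAME_LEN) {
        if (written + CODEC2_SAMPLES_PER_FRAME > out_samples) {
            return -1;
        }
        fake_codec2_decode(out + written, data + x);
        written += CODEC2_SAMPLES_PER_FRAME;
    }
    return written;
}
```

With 13 input bytes the budget is 160 * 13 / 6 = 346 samples, the old loop would decode three frames (480 samples) and the fixed loop two (320 samples). The same condition also stops the decoder reading the 5 bytes past the last complete frame, which is the input-side over-read the commit message mentions.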
format_ogg_speex: Add bounds check to prevent heap buffer overflow
Author: Milan Kyselica
Date: 2026-03-23
The ogg_speex_read() function copies OGG packet data via memcpy()
without validating the packet size against the destination buffer
(BUF_SIZE = 200 bytes). A crafted .spx file with an oversized OGG
audio packet causes a heap buffer overflow that corrupts the
adjacent speex_desc structure containing libogg heap pointers,
leading to a crash (SIGSEGV) on playback.
Add a bounds check for both negative and oversized values before
the memcpy, consistent with how format_ogg_vorbis bounds its reads
via ov_read().
Resolves: #GHSA-8jhw-m2hg-vp3h
Asterisk Release certified-22.8-cert3
The Asterisk Development Team would like to announce security release
Certified Asterisk 22.8-cert3.
The release artifacts are available for immediate download at
https://github.com/asterisk/asterisk/releases/tag/certified-22.8-cert3
and
https://downloads.asterisk.org/pub/telephony/certified-asterisk
Repository: https://github.com/asterisk/asterisk
Tag: certified-22.8-cert3
Change Log for Release asterisk-certified-22.8-cert3
Links:
Summary:
- Commits: 21
- Commit Authors: 7
- Issues Resolved: 0
- Security Advisories Resolved: 20
- GHSA-3g56-cgrh-95p5: chan_unistim DIALPAGE digit handling can overflow phone_number and crash Asterisk
- GHSA-3rhj-hhw7-m6fw: NULL Pointer Dereference in HTTP AMI Digest Authentication
- GHSA-4pgv-j3mr-3rcp: Reflected XSS in Phone Provisioning HTTP Error Pages
- GHSA-589g-qgf8-m6mx: Stack buffer overflow in MWI NOTIFY Message-Account parsing
- GHSA-746q-794h-cc7f: Out-of-Bounds Read in Q.931 Information Element Parser (H.323 Addon)
- GHSA-8jhw-m2hg-vp3h: Heap Buffer Overflow in OGG/Speex File Playback (format_ogg_speex)
- GHSA-8jw3-ccr9-xrmf: Buffer over-read in Asterisk PJSIP MWI body parser
- GHSA-g8q2-p36q-94f6: Heap-use-after-free in Asterisk PJSIP TCP/SDP handling when TCP connection closes during SDP processing
- GHSA-h5hv-jmgj-92q2: CVE-2022-37325 fix is absent from current chan_ooh323 Q.931 party-number parser
- GHSA-j2mm-57pq-jh94: Possible RED T.140 Generation Accumulation OOB Write
- GHSA-mxgm-8c6f-5p8f: Stack buffer overflow in res_xmpp XMPP namespace prefix handling
- GHSA-ph27-3m5q-mj5m: SQL Injection in cel_pgsql and cel_tds via CELGenUserEvent eventtype Field
- GHSA-q9fr-m7g8-6ph5: Asterisk app_sms.c copies externally controlled SMS lengths into fixed in-struct buffers
- GHSA-qf8j-jp7h-c5hx: Out-of-Bounds Write in Codec2 Decoder Due to Floor/Ceil Sample Count Mismatch
- GHSA-r6c2-hwc2-j4mp: LDAP Filter Injection in res_config_ldap via SIP Username (Unauthenticated Information Disclosure)
- GHSA-vfhr-r9x9-c687: Possible RED T.140 Heap Buffer Overflow
- GHSA-vrfp-mg3q-3959: ARI setChannelVar bypasses live_dangerously and permits FILE() writes
- GHSA-wcvv-g26m-wx5c: ARI REST-over-WebSocket read-only bypass allows arbitrary module path load and conditional RCE
- GHSA-x348-j6c9-77f3: Stack Buffer Overflow in H.323 ooTrace() via Unbounded vsprintf into Fixed 2048-byte Buffer
- GHSA-xgj6-2gc5-5x9c: ast_loggrabber executes python script in world writable directory (/tmp) leading to potential privilege escalation And RCE
User Notes:
-
acl: Add ACL support to http and ari
A new section, type=restriction has been added to http.conf
to allow a uri prefix based acl to be configured. See
http.conf.sample for examples and more information.
The user section of ari.conf can now contain an acl configuration
to restrict users' access. See ari.conf.sample for examples and more
information.
Upgrade Notes:
Developer Notes:
-
ARI: Make ARI applications respect live_dangerously.
ARI applications can no longer call "dangerous" dialplan
functions like DB(), FILE(), SHELL(), CURL(), STAT(), etc. without
enabling "live_dangerously" in asterisk.conf.
Resolves: #GHSA-vrfp-mg3q-3959
Commit Authors:
- George Joseph: (6)
- Joshua C. Colp: (1)
- Mike Bradeen: (4)
- Milan Kyselica: (7)
- Pengpeng Hou: (1)
- Roberto Paleari: (1)
- ThatTotallyRealMyth: (1)
Issue and Commit Detail:
Closed Issues:
- !GHSA-3g56-cgrh-95p5: chan_unistim DIALPAGE digit handling can overflow phone_number and crash Asterisk
- !GHSA-3rhj-hhw7-m6fw: NULL Pointer Dereference in HTTP AMI Digest Authentication
- !GHSA-4pgv-j3mr-3rcp: Reflected XSS in Phone Provisioning HTTP Error Pages
- !GHSA-589g-qgf8-m6mx: Stack buffer overflow in MWI NOTIFY Message-Account parsing
- !GHSA-746q-794h-cc7f: Out-of-Bounds Read in Q.931 Information Element Parser (H.323 Addon)
- !GHSA-8jhw-m2hg-vp3h: Heap Buffer Overflow in OGG/Speex File Playback (format_ogg_speex)
- !GHSA-8jw3-ccr9-xrmf: Buffer over-read in Asterisk PJSIP MWI body parser
- !GHSA-g8q2-p36q-94f6: Heap-use-after-free in Asterisk PJSIP TCP/SDP handling when TCP connection closes during SDP processing
- !GHSA-h5hv-jmgj-92q2: CVE-2022-37325 fix is absent from current chan_ooh323 Q.931 party-number parser
- !GHSA-j2mm-57pq-jh94: Possible RED T.140 Generation Accumulation OOB Write
- !GHSA-mxgm-8c6f-5p8f: Stack buffer overflow in res_xmpp XMPP namespace prefix handling
- !GHSA-ph27-3m5q-mj5m: SQL Injection in cel_pgsql and cel_tds via CELGenUserEvent eventtype Field
- !GHSA-q9fr-m7g8-6ph5: Asterisk app_sms.c copies externally controlled SMS lengths into fixed in-struct buffers
- !GHSA-qf8j-jp7h-c5hx: Out-of-Bounds Write in Codec2 Decoder Due to Floor/Ceil Sample Count Mismatch
- !GHSA-r6c2-hwc2-j4mp: LDAP Filter Injection in res_config_ldap via SIP Username (Unauthenticated Information Disclosure)
- !GHSA-vfhr-r9x9-c687: Possible RED T.140 Heap Buffer Overflow
- !GHSA-vrfp-mg3q-3959: ARI setChannelVar bypasses live_dangerously and permits FILE() writes
- !GHSA-wcvv-g26m-wx5c: ARI REST-over-WebSocket read-only bypass allows arbitrary module path load and conditional RCE
- !GHSA-x348-j6c9-77f3: Stack Buffer Overflow in H.323 ooTrace() via Unbounded vsprintf into Fixed 2048-byte Buffer
- !GHSA-xgj6-2gc5-5x9c: ast_loggrabber executes python script in world writable directory (/tmp) leading to potential privilege escalation And RCE
Commits By Author:
-
George Joseph (6):
- chan_unistim.c: Prevent overrun of phone_number field.
- res_ari: Ensure read-only users are properly authorized via REST Over WebSocket.
- pjsip_message_filter: Use pj_strdup instead of pj_strassign to save local address.
- ooh323c/ooq931.c: Ensure ooQ931Decode doesn't run out-of-bounds.
- ARI: Make ARI applications respect live_dangerously.
- res_rtp_asterisk.c: Address 2 potential T.140 RED buffer overruns.
-
Joshua C. Colp (1):
- build: Fix GCC discarded-qualifiers const errors.
-
Mike Bradeen (4):
- ooh323c: not checking for IE minimum length
- manager: Use remote address in user error logging
- ooh323: Prevent potential buffer overflow in trace logging
- acl: Add ACL support to http and ari
-
Milan Kyselica (7):
- res_xmpp: Fix stack buffer overflow in namespace prefix handling
- res_pjsip_pubsub: Add width limit to sscanf in MWI NOTIFY parser
- res_config_ldap: Escape LDAP filter values per RFC 4515
- cel_pgsql, cel_tds: Escape eventtype field to prevent SQL injection
- http: Escape error page text to prevent reflected XSS
- codec_codec2: Only process complete Codec2 frames in decoder
- format_ogg_speex: Add bounds check to prevent heap buffer overflow
-
Pengpeng Hou (1):
- app_sms: Bound protocol 1 SMS unpacking to fixed-size buffers
-
Roberto Paleari (1):
- res/res_pjsip_pubsub.c: Fix buffer over-read in MWI body parser
-
ThatTotallyRealMyth (1):
- ast_loggrabber: Install the ast_tsconvert.py script to a secure temp directory.
Commit List:
- ast_loggrabber: Install the ast_tsconvert.py script to a secure temp directory.
- chan_unistim.c: Prevent overrun of phone_number field.
- ooh323c: not checking for IE minimum length
- res_ari: Ensure read-only users are properly authorized via REST Over WebSocket.
- pjsip_message_filter: Use pj_strdup instead of pj_strassign to save local address.
- ooh323c/ooq931.c: Ensure ooQ931Decode doesn't run out-of-bounds.
- ARI: Make ARI applications respect live_dangerously.
- res_rtp_asterisk.c: Address 2 potential T.140 RED buffer overruns.
- res/res_pjsip_pubsub.c: Fix buffer over-read in MWI body parser
- manager: Use remote address in user error logging
- ooh323: Prevent potential buffer overflow in trace logging
- app_sms: Bound protocol 1 SMS unpacking to fixed-size buffers
- res_xmpp: Fix stack buffer overflow in namespace prefix handling
- res_pjsip_pubsub: Add width limit to sscanf in MWI NOTIFY parser
- res_config_ldap: Escape LDAP filter values per RFC 4515
- cel_pgsql, cel_tds: Escape eventtype field to prevent SQL injection
- http: Escape error page text to prevent reflected XSS
- codec_codec2: Only process complete Codec2 frames in decoder
- format_ogg_speex: Add bounds check to prevent heap buffer overflow
- acl: Add ACL support to http and ari
- build: Fix GCC discarded-qualifiers const errors.
Commit Details:
ast_loggrabber: Install the ast_tsconvert.py script to a secure temp directory.
Author: ThatTotallyRealMyth
Date: 2026-03-19
The ast_tsconvert.py script called by ast_loggrabber is now installed in a
temporary directory that isn't world readable or writable.
Resolves: #GHSA-xgj6-2gc5-5x9c
chan_unistim.c: Prevent overrun of phone_number field.
Author: George Joseph
Date: 2026-06-15
Add a check to key_dial_page() to ensure that dialed digits won't overrun
the phone_number field.
Resolves: #GHSA-3g56-cgrh-95p5
ooh323c: not checking for IE minimum length
Author: Mike Bradeen
Date: 2022-06-06
When decoding q.931 encoded calling/called numbers, the code now checks
for the length being less than the minimum required.
Resolves: #GHSA-h5hv-jmgj-92q2
res_ari: Ensure read-only users are properly authorized via REST Over WebSocket.
Author: George Joseph
Date: 2026-06-12
- The REST over WebSocket path now properly prevents non-GET methods from
being executed on inbound WebSockets.
- The query parameters from the original incoming GET request that caused the
upgrade to WebSocket are now passed to all REST requests that come from the
client. This ensures that if the client authenticated with a read-only
userid using the "api_key" query_string parameter, REST requests coming
in over the WebSocket will only be able to execute GETs on resources.
The HTTP headers were already passed to the REST requests so if the
client had authenticated via an "Authorization" it was properly handled.
- New tests have been added to test_ari.c to check that read-only users
are properly denied access to resources using non-GET methods. Several
memory leaks were also squashed.
Resolves: #GHSA-wcvv-g26m-wx5c
pjsip_message_filter: Use pj_strdup instead of pj_strassign to save local address.
Author: George Joseph
Date: 2026-06-10
The filter_on_tx_message() function was using pj_strassign() to save the pointer
of the pjproject transport local address to a local pj_str_t variable. That
variable was ultimately used to set the Contact header's uri->host and the SDP
connection attribute's address again using pj_strassign. pj_strassign() doesn't
copy the actual value of the pj_str_t however, it just copies the pointer so
if a connection-oriented transport is disconnected before the 200 OK with the
SDP is sent, those pointers will be invalid which can cause use-after-free
issues. To prevent this, filter_on_tx_message() now uses pj_strdup with the
tdata->pool as the backing store to save the local IP address to the local
variable. pj_strassign() can then be used safely later on since the tdata
will be available for the life of the transaction.
Resolves: #GHSA-g8q2-p36q-94f6
ooh323c/ooq931.c: Ensure ooQ931Decode doesn't run out-of-bounds.
Author: George Joseph
Date: 2026-06-02
Several bounds checks have been added to ooQ931Decode to prevent it from
running past the end of the data buffer when parsing information elements.
Resolves: #GHSA-746q-794h-cc7f
ARI: Make ARI applications respect live_dangerously.
Author: George Joseph
Date: 2026-05-21
DeveloperNote: ARI applications can no longer call "dangerous" dialplan
functions like DB(), FILE(), SHELL(), CURL(), STAT(), etc. without
enabling "live_dangerously" in asterisk.conf.
Resolves: #GHSA-vrfp-mg3q-3959
res_rtp_asterisk.c: Address 2 potential T.140 RED buffer overruns.
Author: George Joseph
Date: 2026-04-27
- Add check to red_t140_to_red() to ensure that the new primary payload
can't cause the rtp_red->len array items to wrap or cause an overrun of
the rtp_red->t140red_data buffer.
- Add check to rtp_red_buffer() to ensure that a T.140 frame to be sent
can't cause rtp_red->len array items to wrap or cause an overrun of
the rtp_red->buf_data buffer.
Resolves: #GHSA-vfhr-r9x9-c687
Resolves: #GHSA-j2mm-57pq-jh94
res/res_pjsip_pubsub.c: Fix buffer over-read in MWI body parser
Author: Roberto Paleari
Date: 2026-04-29
Add constraint checks to prevent unauthenticated users from crashing the
Asterisk instance by sending a crafted inbound SIP NOTIFY request with
"Content-Type: application/simple-message-summary".
Resolves: #GHSA-8jw3-ccr9-xrmf
manager: Use remote address in user error logging
Author: Mike Bradeen
Date: 2026-03-30
To avoid a potential null dereference use the remote address
in error logging when there is no user or the user acl fails.
Resolves: #GHSA-3rhj-hhw7-m6fw
ooh323: Prevent potential buffer overflow in trace logging
Author: Mike Bradeen
Date: 2026-03-31
Replace a call to vsprintf with a call to ast_vasprintf to
prevent a possible buffer overflow.
Resolves: #GHSA-x348-j6c9-77f3
app_sms: Bound protocol 1 SMS unpacking to fixed-size buffers
Author: Pengpeng Hou
Date: 2026-04-01
The protocol 1 unpack helpers trusted externally controlled lengths and wrote
them directly into fixed-size buffers in sms_t. Clamp the address, header,
and body copies to the destination array sizes so malformed messages cannot
overwrite adjacent state.
Resolves: #GHSA-q9fr-m7g8-6ph5
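The app_sms fix above and the format_ogg_speex fix (GHSA-8jhw-m2hg-vp3h, listed in this release) are the same shape of bug, a wire-supplied length copied into a fixed in-struct buffer, resolved with two different policies: Speex rejects the packet, SMS clamps the copy. The following added example in C shows both; it is not Asterisk's ogg_speex_read() or the app_sms unpack helpers. BUF_SIZE is the figure quoted for Speex, while the struct layouts, the SMS field sizes, the record format and the function names are constructed for the example.

```c
#include <stddef.h>
#include <string.h>

/* The destination size quoted for format_ogg_speex. */
#define BUF_SIZE 200

/* Constructed layout in the shape the Speex advisory describes: a fixed
 * buffer with library state right behind it, so any overrun lands on those
 * pointers. Not Asterisk's actual speex_desc. */
struct speex_desc_like {
    char buf[BUF_SIZE];
    void *ogg_state[4];
};

/* Policy used for the Speex fix: reject the packet. ogg_packet.bytes is a
 * signed long, so a negative value is as much a hazard as an oversized one
 * (it would become a huge size_t), and both are tested before memcpy.
 * Returns bytes copied or -1. */
long copy_ogg_packet(struct speex_desc_like *d, const unsigned char *packet, long bytes)
{
    if (!d || !packet || bytes < 0 || bytes > BUF_SIZE) {
        return -1;
    }
    memcpy(d->buf, packet, (size_t) bytes);
    return bytes;
}

/* Policy used for the SMS fix: clamp a protocol-supplied length to the
 * destination array. Field sizes are constructed, not app_sms's sms_t. */
#define SMS_ADDR_SIZE 20
#define SMS_BODY_SIZE 160

struct sms_like {
    unsigned char addr[SMS_ADDR_SIZE];
    unsigned char body[SMS_BODY_SIZE];
    unsigned char sentinel;     /* stands in for the "adjacent state" */
};

/* Copies min(claimed, dstsize) bytes and returns how many were copied, so a
 * caller that cares can detect that truncation happened. */
size_t clamp_copy(unsigned char *dst, size_t dstsize, const unsigned char *src, size_t claimed)
{
    size_t n = claimed > dstsize ? dstsize : claimed;
    memcpy(dst, src, n);
    return n;
}

/* Unpack one constructed record: [addr_len][addr...][body_len][body...].
 * The length bytes are clamped on the destination side and also checked
 * against the source so a short record cannot be over-read. Returns 0 on
 * success or -1 if the record is shorter than its own length fields claim. */
int unpack_sms_record(struct sms_like *s, const unsigned char *rec, size_t reclen)
{
    size_t pos = 0, n;

    if (reclen < 1) {
        return -1;
    }
    n = rec[pos++];
    if (pos + n > reclen) {
        return -1;
    }
    clamp_copy(s->addr, sizeof s->addr, rec + pos, n);
    pos += n;
    if (pos >= reclen) {
        return -1;
    }
    n = rec[pos++];
    if (pos + n > reclen) {
        return -1;
    }
    clamp_copy(s->body, sizeof s->body, rec + pos, n);
    return 0;
}
```

Clamping keeps the process alive but silently drops data, which is acceptable for an SMS body; for a codec packet whose size is also a consistency signal, rejecting the packet is the better choice, which is why the two fixes differ.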
res_xmpp: Fix stack buffer overflow in namespace prefix handling
Author: Milan Kyselica
Date: 2026-03-26
The snprintf size parameter in xmpp_action_hook() is computed from
the attacker-controlled namespace prefix length and is not bounded
by the 256-byte stack buffer size. When a remote XMPP peer sends a
stanza with a child element whose namespace prefix exceeds 249
characters, snprintf writes past the buffer boundary.
Use sizeof(attr) as the snprintf size limit and %.*s precision to
extract only the prefix portion of the element name, preserving
the original truncation behavior for valid inputs.
Resolves: #GHSA-mxgm-8c6f-5p8f
res_pjsip_pubsub: Add width limit to sscanf in MWI NOTIFY parser
Author: Milan Kyselica
Date: 2026-03-24
The parse_simple_message_summary() function uses sscanf with an
unbounded %s format specifier to parse the Message-Account field
from incoming SIP NOTIFY bodies into a fixed-size 512-byte stack
buffer (PJSIP_MAX_URL_SIZE). A single unauthenticated SIP NOTIFY
with a Message-Account value exceeding 512 bytes overflows the
buffer, corrupting adjacent stack data and permanently disabling
the PJSIP transport layer without crashing the process.
Add a width specifier (%511s) to limit the sscanf write to
PJSIP_MAX_URL_SIZE - 1 bytes plus the NUL terminator, matching
the destination buffer size.
Resolves: #GHSA-589g-qgf8-m6mx
res_config_ldap: Escape LDAP filter values per RFC 4515
Author: Milan Kyselica
Date: 2026-03-23
The LDAP realtime driver constructs search filters by directly
concatenating user-supplied values without RFC 4515 escaping.
When LDAP is used as a realtime backend for endpoint
identification, characters with special meaning in LDAP filters
(*, (, ), ) can be injected via the SIP From header username.
Add ldap_filter_escape_value() that escapes RFC 4515 special
characters to their \HH hex representation, and apply it to
non-LIKE query values. The LIKE query path preserves the existing
wildcard conversion behavior with a note for maintainers.
Resolves: #GHSA-r6c2-hwc2-j4mp
cel_pgsql, cel_tds: Escape eventtype field to prevent SQL injection
Author: Milan Kyselica
Date: 2026-03-23
The eventtype column handler in cel_pgsql.c inserts
record.user_defined_name directly into the SQL query without
calling PQescapeStringConn(), while all other string fields in
the same function are properly escaped. Similarly, cel_tds.c
passes the raw user_defined_name into the SQL INSERT without
routing it through anti_injection(), while all other fields are
processed through that function.
For cel_pgsql.c, escape the eventtype value using
PQescapeStringConn(), matching the existing pattern used for all
other string fields at lines 308-331 of the same function.
For cel_tds.c, route the eventtype value through
anti_injection() consistent with how all other fields are handled
in the same function.
Resolves: #GHSA-ph27-3m5q-mj5m
http: Escape error page text to prevent reflected XSS
Author: Milan Kyselica
Date: 2026-04-08
The text parameter in ast_http_create_response() is inserted into
the HTML body without escaping, while the server name on the same
page is properly escaped via ast_xml_escape(). When res_phoneprov
passes the decoded request URI as the text of a 404 response, HTML
metacharacters in the URI are rendered by the browser.
Apply ast_xml_escape() to the text parameter before inserting it
into the HTML template, using the same function already used for
the server name.
Resolves: #GHSA-4pgv-j3mr-3rcp
codec_codec2: Only process complete Codec2 frames in decoder
Author: Milan Kyselica
Date: 2026-04-08
The codec2_samples() function uses floor division (160 * datalen/6)
to compute expected output samples, but the decode loop condition
(x < datalen) iterates with ceiling behavior when datalen is not a
multiple of CODEC2_FRAME_LEN. This mismatch causes the loop to
decode one extra frame beyond what the framework bounds check
budgeted for, leading to an out-of-bounds write on the output buffer.
Change the loop condition to only process complete frames, matching
the floor-division behavior of codec2_samples(). This also prevents
an out-of-bounds read on the input side when fewer than
CODEC2_FRAME_LEN bytes remain.
Resolves: #GHSA-qf8j-jp7h-c5hx
format_ogg_speex: Add bounds check to prevent heap buffer overflow
Author: Milan Kyselica
Date: 2026-03-23
The ogg_speex_read() function copies OGG packet data via memcpy()
without validating the packet size against the destination buffer
(BUF_SIZE = 200 bytes). A crafted .spx file with an oversized OGG
audio packet causes a heap buffer overflow that corrupts the
adjacent speex_desc structure containing libogg heap pointers,
leading to a crash (SIGSEGV) on playback.
Add a bounds check for both negative and oversized values before
the memcpy, consistent with how format_ogg_vorbis bounds its reads
via ov_read().
Resolves: #GHSA-8jhw-m2hg-vp3h
acl: Add ACL support to http and ari
Author: Mike Bradeen
Date: 2026-02-27
Add uri prefix based acl support to the built in http server.
This allows an acl to be added per uri prefix (ie '/metrics'
or '/ws') to restrict access.
Add user based acl support for ARI. This adds new acl options
to the user section of ari.conf to restrict access on a per
user basis.
resolves: #1799
UserNote: A new section, type=restriction has been added to http.conf
to allow an uri prefix based acl to be configured. See
http.conf.sample for examples and more information.
The user section of ari.conf can now contain an acl configuration
to restrict users access. See ari.conf.sample for examples and more
information
build: Fix GCC discarded-qualifiers const errors.
Author: Joshua C. Colp
Date: 2026-02-12
GCC 15.2.1 pays attention to the discarding of the const
qualifier when strchr, strrchr, memchr, or memrchr are now
used. This change fixes numerous errors with this throughout
the tree. The fixes can be broken down into the following:
- The return value should be considered const.
- The value passed to strchr or strrchr can be cast as it is
  expected and allowed to be modified.
- The pointer passed to strchr or strrchr is not meant to be
  modified and so the contents must be duplicated.
- It was declared const and never should have been.
Asterisk Release certified-20.7-cert11
The Asterisk Development Team would like to announce security release
Certified Asterisk 20.7-cert11.
The release artifacts are available for immediate download at
https://github.com/asterisk/asterisk/releases/tag/certified-20.7-cert11
and
https://downloads.asterisk.org/pub/telephony/certified-asterisk
Repository: https://github.com/asterisk/asterisk
Tag: certified-20.7-cert11
Change Log for Release asterisk-certified-20.7-cert11
Links:
Summary:
- Commits: 18
- Commit Authors: 7
- Issues Resolved: 0
- Security Advisories Resolved: 18
- GHSA-3g56-cgrh-95p5: chan_unistim DIALPAGE digit handling can overflow phone_number and crash Asterisk
- GHSA-3rhj-hhw7-m6fw: NULL Pointer Dereference in HTTP AMI Digest Authentication
- GHSA-4pgv-j3mr-3rcp: Reflected XSS in Phone Provisioning HTTP Error Pages
- GHSA-589g-qgf8-m6mx: Stack buffer overflow in MWI NOTIFY Message-Account parsing
- GHSA-746q-794h-cc7f: Out-of-Bounds Read in Q.931 Information Element Parser (H.323 Addon)
- GHSA-8jhw-m2hg-vp3h: Heap Buffer Overflow in OGG/Speex File Playback (format_ogg_speex)
- GHSA-8jw3-ccr9-xrmf: Buffer over-read in Asterisk PJSIP MWI body parser
- GHSA-g8q2-p36q-94f6: Heap-use-after-free in Asterisk PJSIP TCP/SDP handling when TCP connection closes during SDP processing
- GHSA-j2mm-57pq-jh94: Possible RED T.140 Generation Accumulation OOB Write
- GHSA-mxgm-8c6f-5p8f: Stack buffer overflow in res_xmpp XMPP namespace prefix handling
- GHSA-ph27-3m5q-mj5m: SQL Injection in cel_pgsql and cel_tds via CELGenUserEvent eventtype Field
- GHSA-q9fr-m7g8-6ph5: Asterisk app_sms.c copies externally controlled SMS lengths into fixed in-struct buffers
- GHSA-qf8j-jp7h-c5hx: Out-of-Bounds Write in Codec2 Decoder Due to Floor/Ceil Sample Count Mismatch
- GHSA-r6c2-hwc2-j4mp: LDAP Filter Injection in res_config_ldap via SIP Username (Unauthenticated Information Disclosure)
- GHSA-vfhr-r9x9-c687: Possible RED T.140 Heap Buffer Overflow
- GHSA-vrfp-mg3q-3959: ARI setChannelVar bypasses live_dangerously and permits FILE() writes
- GHSA-x348-j6c9-77f3: Stack Buffer Overflow in H.323 ooTrace() via Unbounded vsprintf into Fixed 2048-byte Buffer
- GHSA-xgj6-2gc5-5x9c: ast_loggrabber executes python script in world writable directory (/tmp) leading to potential privilege escalation and RCE
User Notes:
Upgrade Notes:
Developer Notes:
- ARI: Make ARI applications respect live_dangerously.
  ARI applications can no longer call "dangerous" dialplan
  functions like DB(), FILE(), SHELL(), CURL(), STAT(), etc. without
  enabling "live_dangerously" in asterisk.conf.
  Resolves: #GHSA-vrfp-mg3q-3959
Commit Authors:
- George Joseph: (5)
- Joshua C. Colp: (1)
- Mike Bradeen: (2)
- Milan Kyselica: (7)
- Pengpeng Hou: (1)
- Roberto Paleari: (1)
- ThatTotallyRealMyth: (1)
Issue and Commit Detail:
Closed Issues:
- !GHSA-3g56-cgrh-95p5: chan_unistim DIALPAGE digit handling can overflow phone_number and crash Asterisk
- !GHSA-3rhj-hhw7-m6fw: NULL Pointer Dereference in HTTP AMI Digest Authentication
- !GHSA-4pgv-j3mr-3rcp: Reflected XSS in Phone Provisioning HTTP Error Pages
- !GHSA-589g-qgf8-m6mx: Stack buffer overflow in MWI NOTIFY Message-Account parsing
- !GHSA-746q-794h-cc7f: Out-of-Bounds Read in Q.931 Information Element Parser (H.323 Addon)
- !GHSA-8jhw-m2hg-vp3h: Heap Buffer Overflow in OGG/Speex File Playback (format_ogg_speex)
- !GHSA-8jw3-ccr9-xrmf: Buffer over-read in Asterisk PJSIP MWI body parser
- !GHSA-g8q2-p36q-94f6: Heap-use-after-free in Asterisk PJSIP TCP/SDP handling when TCP connection closes during SDP processing
- !GHSA-j2mm-57pq-jh94: Possible RED T.140 Generation Accumulation OOB Write
- !GHSA-mxgm-8c6f-5p8f: Stack buffer overflow in res_xmpp XMPP namespace prefix handling
- !GHSA-ph27-3m5q-mj5m: SQL Injection in cel_pgsql and cel_tds via CELGenUserEvent eventtype Field
- !GHSA-q9fr-m7g8-6ph5: Asterisk app_sms.c copies externally controlled SMS lengths into fixed in-struct buffers
- !GHSA-qf8j-jp7h-c5hx: Out-of-Bounds Write in Codec2 Decoder Due to Floor/Ceil Sample Count Mismatch
- !GHSA-r6c2-hwc2-j4mp: LDAP Filter Injection in res_config_ldap via SIP Username (Unauthenticated Information Disclosure)
- !GHSA-vfhr-r9x9-c687: Possible RED T.140 Heap Buffer Overflow
- !GHSA-vrfp-mg3q-3959: ARI setChannelVar bypasses live_dangerously and permits FILE() writes
- !GHSA-x348-j6c9-77f3: Stack Buffer Overflow in H.323 ooTrace() via Unbounded vsprintf into Fixed 2048-byte Buffer
- !GHSA-xgj6-2gc5-5x9c: ast_loggrabber executes python script in world writable directory (/tmp) leading to potential privilege escalation and RCE
Commits By Author:
- George Joseph (5):
- chan_unistim.c: Prevent overrun of phone_number field.
- pjsip_message_filter: Use pj_strdup instead of pj_strassign to save local address.
- ooh323c/ooq931.c: Ensure ooQ931Decode doesn't run out-of-bounds.
- ARI: Make ARI applications respect live_dangerously.
- res_rtp_asterisk.c: Address 2 potential T.140 RED buffer overruns.
- Joshua C. Colp (1):
- build: Fix GCC discarded-qualifiers const errors.
- Mike Bradeen (2):
- manager: Use remote address in user error logging
- ooh323: Prevent potential buffer overflow in trace logging
- Milan Kyselica (7):
- res_xmpp: Fix stack buffer overflow in namespace prefix handling
- res_pjsip_pubsub: Add width limit to sscanf in MWI NOTIFY parser
- res_config_ldap: Escape LDAP filter values per RFC 4515
- cel_pgsql, cel_tds: Escape eventtype field to prevent SQL injection
- http: Escape error page text to prevent reflected XSS
- codec_codec2: Only process complete Codec2 frames in decoder
- format_ogg_speex: Add bounds check to prevent heap buffer overflow
- Pengpeng Hou (1):
- app_sms: Bound protocol 1 SMS unpacking to fixed-size buffers
- Roberto Paleari (1):
- res/res_pjsip_pubsub.c: Fix buffer over-read in MWI body parser
- ThatTotallyRealMyth (1):
- ast_loggrabber: Install the ast_tsconvert.py script to a secure temp directory.
Commit List:
- ast_loggrabber: Install the ast_tsconvert.py script to a secure temp directory.
- chan_unistim.c: Prevent overrun of phone_number field.
- pjsip_message_filter: Use pj_strdup instead of pj_strassign to save local address.
- ooh323c/ooq931.c: Ensure ooQ931Decode doesn't run out-of-bounds.
- ARI: Make ARI applications respect live_dangerously.
- res_rtp_asterisk.c: Address 2 potential T.140 RED buffer overruns.
- res/res_pjsip_pubsub.c: Fix buffer over-read in MWI body parser
- manager: Use remote address in user error logging
- ooh323: Prevent potential buffer overflow in trace logging
- app_sms: Bound protocol 1 SMS unpacking to fixed-size buffers
- res_xmpp: Fix stack buffer overflow in namespace prefix handling
- res_pjsip_pubsub: Add width limit to sscanf in MWI NOTIFY parser
- res_config_ldap: Escape LDAP filter values per RFC 4515
- cel_pgsql, cel_tds: Escape eventtype field to prevent SQL injection
- http: Escape error page text to prevent reflected XSS
- codec_codec2: Only process complete Codec2 frames in decoder
- format_ogg_speex: Add bounds check to prevent heap buffer overflow
- build: Fix GCC discarded-qualifiers const errors.
Commit Details:
ast_loggrabber: Install the ast_tsconvert.py script to a secure temp directory.
Author: ThatTotallyRealMyth
Date: 2026-03-19
The ast_tsconvert.py script called by ast_loggrabber is now installed in a
temporary directory that isn't world readable or writable.
Resolves: #GHSA-xgj6-2gc5-5x9c
chan_unistim.c: Prevent overrun of phone_number field.
Author: George Joseph
Date: 2026-06-15
Add a check to key_dial_page() to ensure that dialed digits won't overrun
the phone_number field.
Resolves: #GHSA-3g56-cgrh-95p5
pjsip_message_filter: Use pj_strdup instead of pj_strassign to save local address.
Author: George Joseph
Date: 2026-06-10
The filter_on_tx_message() function was using pj_strassign() to save the pointer
of the pjproject transport local address to a local pj_str_t variable. That
variable was ultimately used to set the Contact header's uri->host and the SDP
connection attribute's address again using pj_strassign. pj_strassign() doesn't
copy the actual value of the pj_str_t however, it just copies the pointer so
if a connection-oriented transport is disconnected before the 200 OK with the
SDP is sent, those pointers will be invalid which can cause use-after-free
issues. To prevent this, filter_on_tx_message() now uses pj_strdup with the
tdata->pool as the backing store to save the local IP address to the local
variable. pj_strassign() can then be used safely later on since the tdata
will be available for the life of the transaction.
Resolves: #GHSA-g8q2-p36q-94f6
ooh323c/ooq931.c: Ensure ooQ931Decode doesn't run out-of-bounds.
Author: George Joseph
Date: 2026-06-02
Several bounds checks have been added to ooQ931Decode to prevent it from
running past the end of the data buffer when parsing information elements.
Resolves: #GHSA-746q-794h-cc7f
ARI: Make ARI applications respect live_dangerously.
Author: George Joseph
Date: 2026-05-21
DeveloperNote: ARI applications can no longer call "dangerous" dialplan
functions like DB(), FILE(), SHELL(), CURL(), STAT(), etc. without
enabling "live_dangerously" in asterisk.conf.
Resolves: #GHSA-vrfp-mg3q-3959
res_rtp_asterisk.c: Address 2 potential T.140 RED buffer overruns.
Author: George Joseph
Date: 2026-04-27
- Add check to red_t140_to_red() to ensure that the new primary payload
  can't cause the rtp_red->len array items to wrap or cause an overrun of
  the rtp_red->t140red_data buffer.
- Add check to rtp_red_buffer() to ensure that a T.140 frame to be sent
  can't cause rtp_red->len array items to wrap or cause an overrun of
  the rtp_red->buf_data buffer.
Resolves: #GHSA-vfhr-r9x9-c687
Resolves: #GHSA-j2mm-57pq-jh94
res/res_pjsip_pubsub.c: Fix buffer over-read in MWI body parser
Author: Roberto Paleari
Date: 2026-04-29
Add constraint checks to prevent unauthenticated users from crashing Asterisk
instance by sending a crafted inbound SIP NOTIFY request with "Content-Type:
application/simple-message-summary".
Resolves: #GHSA-8jw3-ccr9-xrmf
manager: Use remote address in user error logging
Author: Mike Bradeen
Date: 2026-03-30
To avoid a potential null dereference use the remote address
in error logging when there is no user or the user acl fails.
Resolves: #GHSA-3rhj-hhw7-m6fw
ooh323: Prevent potential buffer overflow in trace logging
Author: Mike Bradeen
Date: 2026-03-31
Replace a call to vsprintf with a call to ast_vasprintf to
prevent a possible buffer overflow.
Resolves: #GHSA-x348-j6c9-77f3
app_sms: Bound protocol 1 SMS unpacking to fixed-size buffers
Author: Pengpeng Hou
Date: 2026-04-01
The protocol 1 unpack helpers trusted externally controlled lengths and wrote
them directly into fixed-size buffers in sms_t. Clamp the address, header,
and body copies to the destination array sizes so malformed messages cannot
overwrite adjacent state.
Resolves: #GHSA-q9fr-m7g8-6ph5
res_xmpp: Fix stack buffer overflow in namespace prefix handling
Author: Milan Kyselica
Date: 2026-03-26
The snprintf size parameter in xmpp_action_hook() is computed from
the attacker-controlled namespace prefix length and is not bounded
by the 256-byte stack buffer size. When a remote XMPP peer sends a
stanza with a child element whose namespace prefix exceeds 249
characters, snprintf writes past the buffer boundary.
Use sizeof(attr) as the snprintf size limit and %.*s precision to
extract only the prefix portion of the element name, preserving
the original truncation behavior for valid inputs.
Resolves: #GHSA-mxgm-8c6f-5p8f
res_pjsip_pubsub: Add width limit to sscanf in MWI NOTIFY parser
Author: Milan Kyselica
Date: 2026-03-24
The parse_simple_message_summary() function uses sscanf with an
unbounded %s format specifier to parse the Message-Account field
from incoming SIP NOTIFY bodies into a fixed-size 512-byte stack
buffer (PJSIP_MAX_URL_SIZE). A single unauthenticated SIP NOTIFY
with a Message-Account value exceeding 512 bytes overflows the
buffer, corrupting adjacent stack data and permanently disabling
the PJSIP transport layer without crashing the process.
Add a width specifier (%511s) to limit the sscanf write to
PJSIP_MAX_URL_SIZE - 1 bytes plus the NUL terminator, matching
the destination buffer size.
Resolves: #GHSA-589g-qgf8-m6mx
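The fix above (the same commit is listed under the earlier release as well) pairs a fixed-size destination with a width-limited conversion. The following is an added illustration, not code from res_pjsip_pubsub: the "Message-Account: <value>" line format, the parser name and the canary struct are assumptions for the demonstration; the 512-byte buffer size follows the PJSIP_MAX_URL_SIZE figure in the commit message, and the width is derived from it so the two cannot drift apart.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not Asterisk code. ACCOUNT_BUF_SIZE mirrors the 512-byte
 * PJSIP_MAX_URL_SIZE named in the commit message; the scanf width is one
 * less so that sscanf leaves room for the NUL terminator. */
#define ACCOUNT_WIDTH 511
#define ACCOUNT_BUF_SIZE (ACCOUNT_WIDTH + 1)
#define STR_(x) #x
#define STR(x) STR_(x)

/* Hypothetical parser for a "Message-Account: <value>" body line.
 * Returns 1 on a match, 0 otherwise. "%511s" makes sscanf stop after
 * ACCOUNT_WIDTH characters and still append the NUL, whereas a bare
 * "%s" keeps writing for as long as the input runs. */
int parse_message_account(const char *line, char out[ACCOUNT_BUF_SIZE])
{
    return sscanf(line, "Message-Account: %" STR(ACCOUNT_WIDTH) "s", out) == 1;
}

/* Layout used to show that nothing past the buffer is touched. */
#define CANARY 0xA5A5A5A5u
struct account_holder {
    char account[ACCOUNT_BUF_SIZE];
    unsigned canary; /* an unbounded %s would overwrite this first */
};

/* Construct a NOTIFY body line whose Message-Account value is value_len
 * 'A' characters, parse it, and return how many characters were stored.
 * Returns -1 if the line does not parse or the canary was overwritten. */
long stored_length_for_value(size_t value_len)
{
    static const char prefix[] = "Message-Account: ";
    static char line[4096];
    struct account_holder h;

    if (value_len > sizeof(line) - sizeof(prefix)) {
        return -1; /* constructed input would not fit the scratch line */
    }
    memcpy(line, prefix, sizeof(prefix) - 1);
    memset(line + sizeof(prefix) - 1, 'A', value_len);
    line[sizeof(prefix) - 1 + value_len] = '\0';

    memset(h.account, 0, sizeof(h.account));
    h.canary = CANARY;
    if (!parse_message_account(line, h.account)) {
        return -1;
    }
    if (h.canary != CANARY) {
        return -1;
    }
    return (long)strlen(h.account);
}

int main(void)
{
    printf("10-char value stores %ld chars\n", stored_length_for_value(10));
    printf("2000-char value stores %ld chars\n", stored_length_for_value(2000));
    return 0;
}
```

A value longer than the width is silently truncated rather than rejected; whether truncation is acceptable for the field in question is a separate decision, but the write can no longer leave the buffer.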
res_config_ldap: Escape LDAP filter values per RFC 4515
Author: Milan Kyselica
Date: 2026-03-23
The LDAP realtime driver constructs search filters by directly
concatenating user-supplied values without RFC 4515 escaping.
When LDAP is used as a realtime backend for endpoint
identification, characters with special meaning in LDAP filters
(*, (, ), ) can be injected via the SIP From header username.
Add ldap_filter_escape_value() that escapes RFC 4515 special
characters to their \HH hex representation, and apply it to
non-LIKE query values. The LIKE query path preserves the existing
wildcard conversion behavior with a note for maintainers.
Resolves: #GHSA-r6c2-hwc2-j4mp
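The commit above (also listed under the earlier release) describes escaping filter metacharacters to their \HH form before they are spliced into a search filter. Here is an added example, not Asterisk's ldap_filter_escape_value() or any res_config_ldap code: the helper names, the "(cn=...)" filter shape and the sample username are assumptions made for the demonstration, and the unescaped variant is built only to show how the assertion structure of the filter changes.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not Asterisk code. Escapes the RFC 4515 filter
 * metacharacters (* ( ) \) as \HH. Returns a malloc'd string the caller
 * frees, or NULL on allocation failure. */
char *ldap_escape_filter_value(const char *in)
{
    size_t len = strlen(in);
    char *out = malloc(len * 3 + 1); /* worst case: every byte becomes \HH */
    char *p;
    const unsigned char *s;

    if (!out) {
        return NULL;
    }
    p = out;
    for (s = (const unsigned char *)in; *s; s++) {
        switch (*s) {
        case '*':
        case '(':
        case ')':
        case '\\':
            p += sprintf(p, "\\%02x", (unsigned)*s);
            break;
        default:
            *p++ = (char)*s;
            break;
        }
    }
    *p = '\0';
    return out;
}

/* Build the equality filter a realtime lookup might issue for a SIP
 * username. The attribute name "cn" is an assumption for illustration.
 * With escape == 0 the value is spliced in raw (the pre-fix behaviour). */
char *build_user_filter(const char *username, int escape)
{
    const char *fmt = "(cn=%s)";
    char *value;
    char *filter;
    size_t n;

    if (escape) {
        value = ldap_escape_filter_value(username);
    } else {
        value = malloc(strlen(username) + 1);
        if (value) {
            strcpy(value, username);
        }
    }
    if (!value) {
        return NULL;
    }
    n = strlen(fmt) + strlen(value) + 1;
    filter = malloc(n);
    if (filter) {
        snprintf(filter, n, fmt, value);
    }
    free(value);
    return filter;
}

/* Convenience check: does build_user_filter() produce exactly `expected`? */
int filter_equals(const char *username, int escape, const char *expected)
{
    char *f = build_user_filter(username, escape);
    int same = f && strcmp(f, expected) == 0;
    free(f);
    return same;
}

int main(void)
{
    /* Constructed sample: a username carrying filter metacharacters. */
    const char *name = "*)(uid=*";
    char *raw = build_user_filter(name, 0);
    char *safe = build_user_filter(name, 1);
    printf("unescaped: %s\n", raw ? raw : "(alloc failed)");
    printf("escaped:   %s\n", safe ? safe : "(alloc failed)");
    free(raw);
    free(safe);
    return 0;
}
```

After escaping, the whole username remains a single assertion value; the parentheses and asterisks it contains are data for the server's matching rule, not filter syntax. The LIKE path the commit mentions, where '*' is intentionally a wildcard, needs separate handling, which is why the commit leaves it unchanged with a maintainer note.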
cel_pgsql, cel_tds: Escape eventtype field to prevent SQL injection
Author: Milan Kyselica
Date: 2026-03-23
The eventtype column handler in cel_pgsql.c inserts
record.user_defined_name directly into the SQL query without
calling PQescapeStringConn(), while all other string fields in
the same function are properly escaped. Similarly, cel_tds.c
passes the raw user_defined_name into the SQL INSERT without
routing it through anti_injection(), while all other fields are
processed through that function.
For cel_pgsql.c, escape the eventtype value using
PQescapeStringConn(), matching the existing pattern used for all
other string fields at lines 308-331 of the same function.
For cel_tds.c, route the eventtype value through
anti_injection() consistent with how all other fields are handled
in the same function.
Resolves: #GHSA-ph27-3m5q-mj5m
http: Escape error page text to prevent reflected XSS
Author: Milan Kyselica
Date: 2026-04-08
The text parameter in ast_http_create_response() is inserted into
the HTML body without escaping, while the server name on the same
page is properly escaped via ast_xml_escape(). When res_phoneprov
passes the decoded request URI as the text of a 404 response, HTML
metacharacters in the URI are rendered by the browser.
Apply ast_xml_escape() to the text parameter before inserting it
into the HTML template, using the same function already used for
the server name.
Resolves: #GHSA-4pgv-j3mr-3rcp
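The commit above (also listed under the earlier release) applies the same escaping to the free-text part of the error page that the server name already received. The following added example is not Asterisk's ast_xml_escape() or ast_http_create_response(): the escaper, the page template and the sample URI are assumptions for the demonstration, written so the escaper fails closed when the output buffer is too small instead of overflowing it.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not Asterisk code. Replaces the five XML/HTML
 * metacharacters with entity references. Returns 0 on success, -1 if the
 * output would not fit (nothing is written past outlen in that case). */
int xml_escape(const char *in, char *out, size_t outlen)
{
    size_t used = 0;

    if (outlen == 0) {
        return -1;
    }
    for (; *in; in++) {
        char plain[2] = { *in, '\0' };
        const char *rep;
        size_t rlen;

        switch (*in) {
        case '&':  rep = "&amp;";  break;
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&apos;"; break;
        default:   rep = plain;    break;
        }
        rlen = strlen(rep);
        if (used + rlen >= outlen) {
            return -1; /* leave room for the NUL; refuse rather than overflow */
        }
        memcpy(out + used, rep, rlen);
        used += rlen;
    }
    out[used] = '\0';
    return 0;
}

/* Render a minimal error page. `text` is request-controlled (for the
 * phoneprov case it is the decoded request URI), so it is escaped before
 * it meets the template. Returns 0 on success, -1 on failure. */
int build_error_page(int status, const char *text, char *out, size_t outlen)
{
    char safe[1024];
    int n;

    if (xml_escape(text, safe, sizeof(safe)) < 0) {
        return -1;
    }
    n = snprintf(out, outlen,
                 "<html><body><h1>Error %d</h1><p>%s</p></body></html>",
                 status, safe);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Helpers for checking results by value. */
int escape_equals(const char *in, const char *expected)
{
    char buf[256];
    return xml_escape(in, buf, sizeof(buf)) == 0 && strcmp(buf, expected) == 0;
}

int page_contains(const char *text, const char *needle)
{
    char page[2048];
    if (build_error_page(404, text, page, sizeof(page)) < 0) {
        return -1;
    }
    return strstr(page, needle) != NULL;
}

int main(void)
{
    char page[2048];
    /* Constructed sample URI carrying markup, as a browser would otherwise render it. */
    if (build_error_page(404, "/phoneprov/<i>missing</i>", page, sizeof(page)) == 0) {
        printf("%s\n", page);
    }
    return 0;
}
```

The markup from the URI ends up as literal text inside the <p> element; only the template's own tags are interpreted by the browser.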
codec_codec2: Only process complete Codec2 frames in decoder
Author: Milan Kyselica
Date: 2026-04-08
The codec2_samples() function uses floor division (160 * datalen/6)
to compute expected output samples, but the decode loop condition
(x < datalen) iterates with ceiling behavior when datalen is not a
multiple of CODEC2_FRAME_LEN. This mismatch causes the loop to
decode one extra frame beyond what the framework bounds check
budgeted for, leading to an out-of-bounds write on the output buffer.
Change the loop condition to only process complete frames, matching
the floor-division behavior of codec2_samples(). This also prevents
an out-of-bounds read on the input side when fewer than
CODEC2_FRAME_LEN bytes remain.
Resolves: #GHSA-qf8j-jp7h-c5hx
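The floor/ceiling mismatch described above (the same commit appears under the earlier release) is easiest to see with the index arithmetic alone. This added example is not codec_codec2.c; it reproduces only the loop condition and the sample budget, with a simulation that counts how many output samples and input bytes each loop variant would touch beyond what was allocated. The frame length and samples-per-frame values follow the commit message; no audio is decoded.

```c
#include <stdio.h>

/* Added example, not Asterisk code. Per the commit message each
 * CODEC2_FRAME_LEN-byte input frame decodes to 160 samples, and the
 * framework sizes the output buffer with floor division. */
#define CODEC2_FRAME_LEN 6
#define CODEC2_SAMPLES_PER_FRAME 160

/* Output samples the framework budgets, floor division as in codec2_samples(). */
int codec2_sample_budget(int datalen)
{
    return CODEC2_SAMPLES_PER_FRAME * datalen / CODEC2_FRAME_LEN;
}

struct decode_stats {
    int frames;          /* frames the loop attempted to decode */
    int samples_written; /* samples it produced */
    int oob_writes;      /* samples landing beyond the budgeted output buffer */
    int oob_reads;       /* input bytes read past the end of the frame data */
};

/* Simulate the decode loop against the budget. use_fixed_loop == 0 uses
 * the original "x < datalen" condition; 1 uses the complete-frames-only
 * condition the fix introduced. Only the index arithmetic is reproduced. */
struct decode_stats simulate_decode(int datalen, int use_fixed_loop)
{
    struct decode_stats st = {0, 0, 0, 0};
    int budget = codec2_sample_budget(datalen);
    int x = 0;

    for (;;) {
        int more = use_fixed_loop ? (x + CODEC2_FRAME_LEN <= datalen)
                                  : (x < datalen);
        int avail, i;

        if (!more) {
            break;
        }
        /* A real decoder reads CODEC2_FRAME_LEN bytes at data + x ... */
        avail = datalen - x;
        if (avail < CODEC2_FRAME_LEN) {
            st.oob_reads += CODEC2_FRAME_LEN - avail;
        }
        /* ... and writes CODEC2_SAMPLES_PER_FRAME samples at out + samples_written. */
        for (i = 0; i < CODEC2_SAMPLES_PER_FRAME; i++) {
            if (st.samples_written + i >= budget) {
                st.oob_writes++;
            }
        }
        st.samples_written += CODEC2_SAMPLES_PER_FRAME;
        st.frames++;
        x += CODEC2_FRAME_LEN;
    }
    return st;
}

int main(void)
{
    int lens[] = {12, 13, 17};
    int k;

    for (k = 0; k < 3; k++) {
        struct decode_stats old = simulate_decode(lens[k], 0);
        struct decode_stats fix = simulate_decode(lens[k], 1);
        printf("datalen=%d budget=%d | old: frames=%d oob_writes=%d oob_reads=%d"
               " | fixed: frames=%d oob_writes=%d oob_reads=%d\n",
               lens[k], codec2_sample_budget(lens[k]),
               old.frames, old.oob_writes, old.oob_reads,
               fix.frames, fix.oob_writes, fix.oob_reads);
    }
    return 0;
}
```

For a 13-byte payload the budget is 160*13/6 = 346 samples, but the original condition runs a third frame and emits 480, 134 of them past the buffer, while also reading 5 bytes beyond the input. The fixed condition stops at two complete frames on both sides.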
format_ogg_speex: Add bounds check to prevent heap buffer overflow
Author: Milan Kyselica
Date: 2026-03-23
The ogg_speex_read() function copies OGG packet data via memcpy()
without validating the packet size against the destination buffer
(BUF_SIZE = 200 bytes). A crafted .spx file with an oversized OGG
audio packet causes a heap buffer overflow that corrupts the
adjacent speex_desc structure containing libogg heap pointers,
leading to a crash (SIGSEGV) on playback.
Add a bounds check for both negative and oversized values before
the memcpy, consistent with how format_ogg_vorbis bounds its reads
via ov_read().
Resolves: #GHSA-8jhw-m2hg-vp3h
build: Fix GCC discarded-qualifiers const errors.
Author: Joshua C. Colp
Date: 2026-02-12
GCC 15.2.1 pays attention to the discarding of the const
qualifier when strchr, strrchr, memchr, or memrchr are now
used. This change fixes numerous errors with this throughout
the tree. The fixes can be broken down into the following:
- The return value should be considered const.
- The value passed to strchr or strrchr can be cast as it is
  expected and allowed to be modified.
- The pointer passed to strchr or strrchr is not meant to be
  modified and so the contents must be duplicated.
- It was declared const and never should have been.
Ventoy 1.1.16 release
Changelog
- Fix the boot issue with old UEFI version firmware when secure boot is disabled.
- Fix the latest Kicksecure boot issue. (#3651)
- Fix the issue that the VTOY_WIN_UEFI_RES_LOCK option is reset when entering VentoyPlugson.
- Languages update.
Attention
Ventoy has used a new UEFI Secure Boot CA since v1.1.14, so you need to enroll the new key the first time you boot.
If you want to delete the key used in older releases, please refer to:
https://www.ventoy.net/en/doc_delete_key.html
================================================================
Want to boot and install an OS over the network (PXE)? Welcome to my new project iVentoy.
About iVentoy https://www.iventoy.com/
iVentoy is an enhanced version of the PXE server.
Extremely easy to use
Many advanced features
x86 Legacy BIOS, IA32 UEFI, x86_64 UEFI and ARM64 UEFI mode supported
110+ common types of OS supported (Windows/WinPE/Linux/VMware)
Turn any PC, laptop, server, NAS, or Raspberry Pi into a PXE server instantly!
......
SHA-256
a9ffd7bd5e26df486cafff924b8dbcb6caae20cbe2b179a009fe59ae740c7572 ventoy-1.1.16-linux.tar.gz
6bf8e53de52289b8281705610a6a2c47c731e285ce28cfd18efa1b00b45ca535 ventoy-1.1.16-livecd.iso
7db5b3a1e23af39d0a648843c263eb5cf51493ccbf2a38c6a4315db80a4f9b58 ventoy-1.1.16-windows.zip
v0.16.11
[0.16.11] - 2026-06-25
If you are upgrading from v0.16.x, replace the binary (or run docker pull). If you are upgrading from v0.15.x and below, please read the upgrading documentation for more information on how to upgrade from previous versions.
Added
- Encryption-at-rest: Support for AES-256-GCM and ChaCha20-Poly1305 for S/MIME (#161).
- S3: Support for allowInvalidCerts option to allow connecting to S3 endpoints with invalid TLS certificates.
- Redis Sentinel support as an in-memory store and cluster coordinator backend (#2430).
Changed
Fixed
- DANE: Verify DNSSEC is supported by the resolver before attempting to validate TLSA records.
- TLS: Update search index when file-backed certificates are refreshed.
- JMAP: Principal/query returns broad results when a name or email filter cannot be resolved.
- Webhooks: event IDs collide for same event type emitted in the same second.
Proxmox welcomes Zabbix as Solution Provider for comprehensive infrastructure monitoring
VIENNA, Austria – June 25, 2026 – Enterprise software developer Proxmox Server Solutions today announced that Zabbix LLC has joined the Proxmox partner ecosystem as an official Solution Provider. Through its official API-based integration, Zabbix 7.4 provides comprehensive monitoring and observability for organizations running mission-critical workloads on Proxmox Virtual Environment.
Zabbix monitors clusters, nodes, virtual machines, LXC containers, storage resources, mount points, and network interfaces. Automated problem detection and flexible alerting capabilities help administrators identify issues early and respond proactively to performance and availability risks.
Together, Proxmox VE and Zabbix support efficient day-to-day operations and reliable service delivery across a wide range of deployment scales.
"We're glad to offer Proxmox users deeper visibility into their virtualized environments. Our goal was to provide an at-a-glance view of infrastructure health and performance, combined with customizable alert thresholds to help teams detect issues early and maintain reliable operations," said Marina Generalova, Integrations Delivery Manager of Zabbix.
More Information
For more information about monitoring Proxmox Virtual Environment with Zabbix, please visit Zabbix integration page for Proxmox.
###
About Zabbix LLC
Zabbix 7.4 is an enterprise-class, open source distributed monitoring and observability solution designed to track the performance and availability of IT resources. Zabbix also provides commercial services such as technical support, integration, implementation, and customized development services as well as professional training and Zabbix Academy courses. The company’s newest solution, Zabbix Cloud, offers the entire range of Zabbix features with easier deployment and management, enhanced scalability, and automatic upgrades.
Learn more: https://www.zabbix.com
About Proxmox Server Solutions
Proxmox Server Solutions provides powerful, intuitive open-source server software that guarantees vendor independence and minimizes total cost of ownership. Enterprises of all sizes rely on the company’s reliable vendor support, certified training services, and a global network of 3,000 integration partners to ensure business continuity. Established in 2005 and headquartered in Vienna, Austria, tens of thousands of corporate customers worldwide trust Proxmox solutions to secure their mission-critical IT environments. To learn more visit https://www.proxmox.com or follow us on LinkedIn and YouTube.
Contact: Daniela Häsler, Proxmox Server Solutions GmbH, press@proxmox.com
Ventoy 1.1.15 release
Changelog
- Fix the boot issue when Secure Boot is disabled in the UEFI firmware. (#3650)
Attention
Ventoy has used a new UEFI Secure Boot CA since v1.1.14, so you need to enroll the new key the first time you boot.
If you want to delete the key used in older releases, please refer to:
https://www.ventoy.net/en/doc_delete_key.html
================================================================
Want to boot and install an OS over the network (PXE)? Welcome to my new project iVentoy.
About iVentoy https://www.iventoy.com/
iVentoy is an enhanced version of the PXE server.
Extremely easy to use
Many advanced features
x86 Legacy BIOS, IA32 UEFI, x86_64 UEFI and ARM64 UEFI mode supported
110+ common types of OS supported (Windows/WinPE/Linux/VMware)
Turn any PC, laptop, server, NAS, or Raspberry Pi into a PXE server instantly!
......
SHA-256
dfed601b689fa4f552bc4c44dc0a45ef893226630fb11f43ca3ab618ff429279 ventoy-1.1.15-linux.tar.gz
280cf28305126c6ea73c4be79ea949dc96998d7e7acc31bb8f02ff3eb947620c ventoy-1.1.15-livecd.iso
d5af29281ba8b57d7c398f452d31a5d031f6dcb460bdb0a67b2115dfef372b76 ventoy-1.1.15-windows.zip
Blog: v7.40.0 released
You can download it from GitHub.
The highlights of this version are expanded compatibility and capabilities for OpenFX plugins and a new audio noise reduction filter and link.
Framework
- Some fixes for win32_fopen().
- Security fixes for time formatting in mlt_properties.
- Security fix to disable deprecated ante & post properties in mlc_consumer.
- Added more properties to metaschema.yaml (new version 7.2): audio_formats, video_formats, layout-hint, hide-label, normalized_default
Modules
- Added audio_formats and image_formats properties to all service metadata.
- Many improvements to the openfx module:
  - fixed potential overflows in snprintf() calls
  - multi-threading: frame- and slice-based
  - many compatibility fixes
  - added support for 2D and 3D numeric parameters (uses mlt_rect)
  - fixed preview scaling
  - fixed the default for choice (values in metaschema.yaml) parameters
  - fixed some effects rendering upside-down.
- Added rnnoise module for background audio noise reduction (depends on librnnoise).
- Added HDR10 SMPTE ST 2084 (PQ) properties to the decklink consumer: hdr_red_x, hdr_red_y, hdr_green_x, hdr_green_y, hdr_blue_x, hdr_blue_y, hdr_white_x, hdr_white_y, hdr_max_luminance, hdr_min_luminance, hdr_max_cll, hdr_max_fall
- Added the .lot file name extension for the loader producer to use glaxnimate.
- Visual quality improvements for animations in the qtblend filter and transition.
- Updated spatialaudio module to the libspatialaudio 0.4.0 API.
- Fixed a signed int overflow in pgm producer.
- MSVC compatibility fixes for kdenlivetitle producer and frei0r, plusgpl, jackrack, openfx, rtaudio, & resample modules.
- Fixed choppy playback and deadlocks in the decklink consumer.
- Fixed libopus audio encoder warning about frame_duration in avformat consumer.
- Fixed crash in avformat consumer with unsupported attached_pic format.
- Fixed plugin bundles for vst2 filters on macOS.
- Fixed the frame position in the consumer producer.
- Hardened string formatting for metadata properties in the vorbis producer.
- Fixed typewriter in qtext filter lags when rate properties changed.
Other
- Skip Qt preflight for XML-only consumers in melt.
Distribution Release: KaOS 2026.06
Early Stable Update for Desktop
The Stable channel has been updated to 150.0.7871.46/.47 for Windows and Mac as part of our early stable release to a small percentage of users. A full list of changes in this build is available in the log.
You can find more details about early Stable releases here.
Interested in switching release channels? Find out how here. If you find a new issue, please let us know by filing a bug. The community help forum is also a great place to reach out for help or learn about common issues.
Daniel Yip
Google Chrome
Bulwark
v1.7.5 - Cross-Account "All Accounts" Views, Attachment Zip Download, Send-Now for Scheduled Mail & New Address Book
1.7.5 (2026-06-24)
Thank you for your donations:
- You? Become a sponsor!
One-time
- Anonymous
Monthly
Features
- Mail: Cross-account "All accounts" views with full group/shared-account support
- Mail: Per-account "All Mail" folder selection
- Mail: "Download all" button to bundle attachments into a zip (#466)
- Mail: Return to the list after deleting or marking the open message unread — configurable (default on)
- Mail: Collapse-all-threads action in thread-list selection
- Calendar: Option to disable the calendar
- Composer: Send-now button on scheduled/delayed messages
- Composer: Email a contact or group via the in-app composer
- Composer: Split a pasted address list into recipient chips
- Contacts: "New address book" creation UI (#415)
- OAuth: OAUTH_AUTHORIZE_URL to override the authorize endpoint
- i18n: Farsi (fa) locale — complete (2654 strings)
- i18n: Romanian (ro) locale
Fixes
- Composer: Keep HTML signature styling in the editor and on send
- Composer: Guard Send against double-submit
- Composer: Strip display names from the EmailSubmission envelope addresses
- Calendar: Disable iMIP scheduling on calendar import (#411)
- Mail: Localize special-folder names by JMAP role (#404)
- Mail: Block remaining email tracking vectors (#457)
- Mail: Route counter and unread updates to the email's own account in aggregate views
- Mail: Fix blank space in plain-text emails
- Mail: Fix toolbar re-render when opening emails
- Mail: Truncate long subjects so they don't overlap the timestamp
- Mail: Strip reply/forward prefixes followed by a full-width colon
- Mail: Add breathing room between the unread dot and the avatar
- Mail: Isolate per-account state snapshots from leakage and mutation
- Mail: Cap filename tokens at the full 200-char limit
- Spam: Fetch mailboxes with accountId in markAsSpam
- Filters: Load mailboxes when opened directly (#485)
- Settings: Surface server errors on password change and TOTP toggle
- Send now: Gate the toolbar label and translate send_now across locales
- Directory: Fix fetching display names
- Push: Reap only relay-confirmed-dead leftover subscriptions
- i18n: Add the missing fa locale to the client IntlProvider messages map
- i18n: Add missing translation keys across 19 locales
Isle of Ireland: N59 & Connemara Loop
Today, we are excited to share with you a look at one of Ireland’s most scenic driving experiences coming to the upcoming Isle of Ireland DLC for Euro Truck Simulator 2. Introducing the iconic N59 and the famous Connemara Loop, a route that'll take you past some of the most breathtaking landscapes, remote countrysides, and natural landmarks.
The N59 is the longest national secondary road in Ireland, stretching over 290 kilometres between Sligo and Galway. This scenic route takes drivers through winding roads, quiet villages, rolling hills, lakes, and dramatic Atlantic landscapes. Along the way, players will experience the unique atmosphere that makes Ireland’s west coast so popular with travellers from around the world, which our talented teams have been recreating in detail.
On your journey along the N59, drivers will be able to travel on the renowned Connemara Loop, where roads weave between mountains, lakes and open countryside. Some of you with a sharp eye may already recognize the picturesque Pine Island area along Derryclare Lough, which was one of the locations we shared in our “Ireland: Guess Where We Are” blog.
Further along the route, players will encounter one of Ireland’s most iconic landmarks, Kylemore Abbey. Nestled beside the lake and backed by dramatic mountain scenery, this historic estate is being recreated with great care by our map and asset teams.
Continuing north, you'll be able to view Killary Harbour, Ireland’s only fjord. Carved deep into the surrounding mountains, this spectacular natural formation is well worth a stop to admire its beauty. As you travel along the N59, you'll also be treated to views of Croagh Patrick, one of Ireland's most iconic mountains, known locally as "The Reek".
You'll then have the opportunity to discover the charming town of Westport, one of the smallest settlements represented in this DLC. Despite its modest size, our team felt it was an important addition in helping represent the authentic communities found across the Isle of Ireland.
North of Westport, the road ventures through the vast Wild Nephin National Park, known for its remote peat bog landscapes, dark rolling hills, and rugged wilderness. The scenery here takes on a completely different character. Adventurous truckers exploring the surrounding roads may also stumble upon hidden viewpoints overlooking the Atlantic Ocean and spot countless small islands scattered off the coast.
Near Sligo, you'll travel through small settlements, open countryside, and stretches of coastal scenery that showcase the raw beauty of the northwest. Whether you are delivering cargo along winding mountain roads or simply enjoying the scenery from your cab, the N59 and the Connemara Loop are a route you cannot miss!
Tá an tOileán Smaragaide ag glaoch! The Emerald Isle is calling! If you're excited to discover, explore, and travel across the Isle of Ireland, be sure to add this upcoming map expansion to your Steam Wishlist! We sincerely thank everyone who has supported us so far by doing so. We look forward to sharing more from this upcoming DLC in the future. Until then, keep on truckin’!
Ventoy 1.1.14 release
Changelog
- Update the Secure Boot shim file to solve the UEFI CA 2023 issue. The new release uses a new CA, so you need to enroll the new key on the first boot.
- VentoyPlugson updated synchronously.
- Global control plugin: add a VTOY_SECURE_BOOT_POLICY option.
Notes
================================================================
Want to boot and install an OS over the network (PXE)? Welcome to my new project iVentoy.
About iVentoy https://www.iventoy.com/
iVentoy is an enhanced version of the PXE server.
Extremely easy to use
Many advanced features
x86 Legacy BIOS, IA32 UEFI, x86_64 UEFI and ARM64 UEFI mode supported
110+ common types of OS supported (Windows/WinPE/Linux/VMware)
Turn any PC, laptop, server, NAS, or Raspberry Pi into a PXE server instantly!
......
SHA-256
96add45625f7634726bc64633ddaf93851f183e00beabf556c5ab7f1b080a81a ventoy-1.1.14-linux.tar.gz
91d6694664e14ff10d73034f6f9c22d1c0a376a0f7889773564c1b7bf948f9c9 ventoy-1.1.14-livecd.iso
3dc0baf85a183bb8fc72b49ea0646d259984c37b6a6dc61ce7087fe8ce187075 ventoy-1.1.14-windows.zip
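Before writing a release to a USB stick, check the download against the SHA-256 list above. The script below is an added example, not part of the Ventoy release notes or the project's own tooling: it embeds the three published hashes as a checksum list, looks a file up by name, and compares with sha256sum from coreutils (on macOS substitute shasum -a 256). The sample file it hashes at the end is constructed here for a self-test and is not a Ventoy artifact.

```shell
#!/bin/sh
# Added example: verify a Ventoy 1.1.14 download against the published SHA-256 list.
# The list is copied from the release notes; the self-test file at the end is
# constructed here and is not a Ventoy artifact.
VENTOY_SHA256='96add45625f7634726bc64633ddaf93851f183e00beabf556c5ab7f1b080a81a  ventoy-1.1.14-linux.tar.gz
91d6694664e14ff10d73034f6f9c22d1c0a376a0f7889773564c1b7bf948f9c9  ventoy-1.1.14-livecd.iso
3dc0baf85a183bb8fc72b49ea0646d259984c37b6a6dc61ce7087fe8ce187075  ventoy-1.1.14-windows.zip'

# verify_sha256 FILE EXPECTED_HEX
# Exit status: 0 if FILE hashes to EXPECTED_HEX, 1 on mismatch, 2 if FILE is missing.
verify_sha256() {
    vs_file=$1
    vs_expected=$2
    [ -f "$vs_file" ] || return 2
    vs_actual=$(sha256sum "$vs_file" | cut -d' ' -f1)
    [ "$vs_actual" = "$vs_expected" ]
}

# verify_release PATH
# Looks PATH up in VENTOY_SHA256 by basename and verifies it.
# Exit status: as verify_sha256, or 3 if the name is not in the list (fail closed).
verify_release() {
    vr_name=$(basename "$1")
    vr_expected=$(printf '%s\n' "$VENTOY_SHA256" | awk -v n="$vr_name" '$2 == n { print $1 }')
    [ -n "$vr_expected" ] || return 3
    verify_sha256 "$1" "$vr_expected"
}

# Self-test on a constructed file: sha256("abc") is a well-known test vector.
selftest_dir=$(mktemp -d)
printf 'abc' > "$selftest_dir/sample.bin"
if verify_sha256 "$selftest_dir/sample.bin" \
    ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad; then
    echo "self-test: ok"
else
    echo "self-test: FAILED" >&2
fi
rm -rf "$selftest_dir"

# Usage on a real download:
#   verify_release ./ventoy-1.1.14-linux.tar.gz && echo "checksum ok"
```

A matching checksum only proves the file is the one the project published; it does not verify who published it, so fetch the hash list from the project's own release page over HTTPS rather than from a mirror that also hosts the archive.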
Ventoy 1.1.13 release
Distribution Release: SteamOS 3.8.10
v5.49.0
5.49.0 (2026-06-24)
🚀 New feature
- mcp: export defineTool/defineResource/definePrompt builders (#26603)
🔥 Bug fix
- add support for initiallySelectedAssets (#26679)
- homepage dashboard duplicates entries for users with multiple roles (#25860)
- avoid buffering large uploads for MIME detection (#26678)
- throw ValidationError when populate exceeds qs arrayLimit (#25632, #25916)
- push anchor into view to prevent off-screen tooltips (#26303)
- admin: support array of links in StrapiApp.addSettingsLink (#26433)
- admin: admin users logged out mid-session by access-token expiry timer (#26680)
- content-manager: use top-level Core type import in MCP types (#26681)
- content-manager: save draft with Cmd/Ctrl+Enter, publish with Cmd/Ctrl+Shift+Enter (#26621)
- content-manager: reduce MCP relation output to identity-only shape (#26560)
- content-manager: deduplicate MCP tool names when plugin has multiple content types (#26710)
- core/core: mcp misleading lifecycle docs (#26698)
- create-strapi-app: allow pnpm to build better-sqlite3 for SQLite scaffolds (#26675)
- data-transfer: transfer admin menu and auth logos with configuration (#26425)
- database: stop full-schema component_type IN on dynamic zone populate (#26734)
- document-service: preserve published relations from non-dp sources (#26654)
- strapi: default allowedHosts and pin Vite HMR to main server in dev (#26244)
- types: add explicit return types to recursive functions (#26704)
📚 Documentation Changes
- fix spelling typos in content-manager relations guide (#26724)
⚙️ Chore
- removing coderabbit status (#26703)
- core: upgrade package-json to 10.0.1 + rollup interop 'auto' (#26673)
- deps: bump markdown-it from 14.1.1 to 14.2.0 in the richtext-editor-security group across 1 directory (#26688)
- deps: bump dompurify from 3.4.5 to 3.4.9 (#26684)
- deps: bump nodemailer from 8.0.5 to 8.0.9 (#26689)
- deps: bump tar from 7.5.11 to 7.5.16 (#26691)
- deps: bump form-data from 4.0.4 to 4.0.6 (#26692)
- deps: bump anthropics/claude-code-action from 1.0.123 to 1.0.132 (#26727)
- deps: bump piscina from 4.9.2 to 4.9.3 (#26716)
- deps: bump undici from 6.25.0 to 6.27.0 (#26714)
- deps: bump dompurify from 3.4.9 to 3.4.11 (#26719)
- deps-dev: bump @babel/core (#26667)
💅 Enhancement
- upload: add optional replace method to upload providers (#26582)
❤️ Thank You
- akash-dabhi-qed @akash-dabhi-qed
- Andrei L @unrevised6419
- Andrew Bone
- Bassel Kanso @Bassel17
- Ben Irvin
- Giulio Montagner @giu1io
- guoyangzhen
- jasleenkaur-qed42
- Nico André
- Shivam S @BIGSUS24
- Simon Norris @cache-your-dreams
- Travis Swientek @travelton
- Vallabh Mahajan @Vallabh-1504
- Vishal Kumar Singh @singhvishalkr
⚠️ Changes to be aware of
Content Manager keyboard shortcuts
Save a draft with Cmd/Ctrl+Enter (or Cmd/Ctrl+S). Publish with Cmd/Ctrl+Shift+Enter. Since v5.31.3, plain Cmd/Ctrl+Enter published immediately — that shortcut now saves instead. (#26621)
Planet Debian
- Freexian Collaborators: Monthly report about Debian Long Term Support, May 2026 (by Santiago Ruano Rincón)
The Debian LTS Team, funded by Freexian’s Debian LTS offering, is pleased to report its activities for May.
Activity summary
During the month of May, 21 contributors have been paid to work on Debian LTS (links to individual contributor reports are located below).
The team released 56 DLAs fixing 877 CVEs.
May was a much busier month than usual, especially due to the disclosed Local Privilege Escalation (LPE) vulnerabilities in linux, which came with public proof-of-concept (PoC) exploits. These reports of course impacted Debian as a whole, and the situation warrants a special mention of the Kernel Team, especially Ben Hutchings and Salvatore Bonaccorso, who kept pace and released linux packages on a weekly basis. On the LTS side, the Front Desk team also triaged a significant flow of high-severity CVEs.
It is also important to note that Debian 12 (“bookworm”) will be handed over to the LTS Team on June 11th. If you benefit from Debian, especially during the full 5-year lifecycle, please consider subscribing as a sponsor of Debian LTS: https://www.freexian.com/lts/debian/.
Moreover, Debian 11 (“bullseye”) will reach the end of the Debian LTS period on August 31st. After that, Freexian will continue the security support under the Extended LTS offer.
The team published several notable updates:
- As mentioned above, several exploitable LPE vulnerabilities in linux were published during May. Ben released the following DLAs for the Debian LTS versions:
- DLA 4560-1 for linux (5.10)
- DLA 4561-1 for linux-6.1
- DLA 4572-1 for linux (5.10)
- DLA 4574-1 for linux-6.1
- DLA 4587-1 for linux (5.10)
- DLA 4588-1 for linux-6.1
- DLA 4606-1 for linux (5.10)
- DLA 4607-1 for linux-6.1
- exim update (DLA-4580-1), prepared by Thorsten, to address a vulnerability that may result in remote code execution.
- gnutls28 update (DLA-4595-1) by Guilhem Moulin, fixes several vulnerabilities that may result in execution of arbitrary code, information leak, authentication bypass, among other impacts.
- krb5 update released as DLA-4603-1, fixing two vulnerabilities that may lead to a denial of service. Update prepared by Emmanuel Arias.
- lemonldap-ng (DLA-4602-1), released by Abhijith PA, fixing multiple vulnerabilities
- Two imagemagick updates (DLA-4559-1 and DLA-4609-1), prepared by Bastien Roucariès, fixing several vulnerabilities
- openjdk-11 and openjdk-17 updates (DLA-4566-1 and DLA-4565-1), both prepared by Emilio, to fix seven vulnerabilities.
- php7.4 update (DLA-4586-1) to fix six vulnerabilities that could result in remote code execution, information disclosure or denial of service. Update prepared by Guilhem Moulin.
- python3.9 update (DLA-4583-1), prepared by Arnaud Rebillout, addressing multiple vulnerabilities.
Contributions from outside the LTS Team:
We are greatly thankful for the contributions from people outside the LTS Team:
- Colin Watson prepared an OpenSSH update, that was released by Santiago as DLA-4584-1.
- Thomas Goirand handled a keystone update, whose advisory was done by Santiago and released as DLA-4611-1.
- Christopher Obbard kindly prepared a sentry-python update, released as DLA-4612-1.
- Christoph Goehre made two thunderbird updates (DLA-4562-1 and DLA-4582-1). As is customary, Emilio released the advisories.
The LTS Team has also contributed with updates to the latest Debian releases:
- Andreas proposed a firewalld update for bookworm to fix a local issue that may result in a bypass of control rules.
- Andreas proposed atril updates for trixie and bookworm.
- Arnaud did a python3.11 upload for bookworm.
- Arnaud proposed libarchive updates for trixie and bookworm.
- Arnaud completed the systemd update for bookworm.
- Bastien completed the uploads of gpsd for bookworm. He also did an upload of apache2 for bookworm.
- Emmanuel uploaded updates of libexif for trixie and bookworm
- Jochen Sprickerhof prepared pyjwt update for trixie and bookworm, released as DSA-6259-1.
- Lukas Märdian prepared trixie and bookworm updates for nghttp2, released as DSA-6266-1.
- Markus prepared updates of tomcat11 and tomcat10, released as DSA-6329-1 (for trixie) and DSA-6328-1 (for trixie and bookworm), respectively.
- Continuing the work to replace the unmaintained p7zip fork with 7zip, Sylvain prepared trixie and bookworm updates of 7zip.
- Thorsten completed the uploads of zvbi, taglib and libuev to bookworm and did an upload of libcoap3 for trixie.
- Tobi prepared libpng1.6 updates for trixie and bookworm, released as DSA-6263-1.
Moreover, thanks to our partnership with Catalyst, it has been possible to extend the support for Samba 4.17, the version shipped with Debian 12. In May, several vulnerabilities were disclosed, and their patches were prepared by Catalyst. For Debian 12, the update was prepared by the Samba maintainer and released as DSA-6297-1.
Individual Debian LTS contributor reports
- Abhijith PA
- Andreas Henriksson
- Andrej Shadura
- Arnaud Rebillout
- Bastien Roucariès
- Ben Hutchings
- Carlos Henrique Lima Melara
- Chris Lamb
- Daniel Leidert
- Emmanuel Arias
- Emilio Pozuelo Monfort
- Guilhem Moulin
- Jochen Sprickerhof
- Lee Garrett
- Lucas Kanashiro
- Lukas Märdian
- Markus Koschany
- Santiago Ruano Rincón
- Sylvain Beucler
- Thorsten Alteholz
- Tobias Frost
Thanks to our sponsors
Sponsors that joined recently are in bold.
- Platinum sponsors:
- Toshiba Corporation (for 128 months)
- Civil Infrastructure Platform (CIP) (for 96 months)
- VyOS Inc (for 61 months)
- Gold sponsors:
- F. Hoffmann-La Roche AG (for 139 months)
- CONET Deutschland GmbH (for 122 months)
- University of Oxford (for 78 months)
- EDF SA (for 50 months)
- Dataport AöR (for 25 months)
- CERN (for 23 months)
- Silver sponsors:
- Domeneshop AS (for 143 months)
- Nantes Métropole (for 137 months)
- Akamai - Linode (for 133 months)
- Univention GmbH (for 129 months)
- Université Jean Monnet de St Etienne (for 129 months)
- Ribbon Communications, Inc. (for 123 months)
- Exonet B.V. (for 113 months)
- Leibniz Rechenzentrum (for 107 months)
- Ministère de l’Europe et des Affaires Étrangères (for 91 months)
- Dinahosting SL (for 78 months)
- Upsun Formerly Platform.sh (for 72 months)
- Moxa Inc. (for 66 months)
- sipgate GmbH (for 64 months)
- OVH US LLC (for 62 months)
- Tilburg University (for 62 months)
- GSI Helmholtzzentrum für Schwerionenforschung GmbH (for 53 months)
- THINline s.r.o. (for 26 months)
- Copenhagen Airports A/S (for 20 months)
- Conseil Départemental de l’Isère (for 6 months)
- Bronze sponsors:
- Seznam.cz, a.s. (for 144 months)
- Evolix (for 143 months)
- Linuxhotel GmbH (for 141 months)
- Intevation GmbH (for 140 months)
- Daevel SARL (for 139 months)
- Megaspace Internet Services GmbH (for 138 months)
- Greenbone AG (for 137 months)
- NUMLOG (for 137 months)
- WinGo AG (for 136 months)
- Entr’ouvert (for 128 months)
- Adfinis AG (for 125 months)
- Plat’Home (for 122 months)
- Laboratoire LEGI - UMR 5519 / CNRS (for 120 months)
- Tesorion (for 120 months)
- Bearstech (for 111 months)
- LiHAS (for 111 months)
- Catalyst IT Ltd (for 106 months)
- Demarcq SAS (for 100 months)
- Université Grenoble Alpes (for 86 months)
- TouchWeb SAS (for 78 months)
- SPiN AG (for 75 months)
- CoreFiling (for 71 months)
- Observatoire des Sciences de l’Univers de Grenoble (for 62 months)
- Tem Innovations GmbH (for 57 months)
- WordFinder.pro (for 57 months)
- CNRS DT INSU Résif (for 56 months)
- Soliton Systems K.K. (for 51 months)
- Alter Way (for 48 months)
- SOBIS Software GmbH (for 23 months)
- Tuxera Inc. (for 15 months)
- OPM-OP AS (for 6 months)
Hype for sale | POM S11E39
What if everything you found fun, important or worthwhile this week had simply been bought? From Bad Bunny's Super Bowl show to Sydney Sweeney and her "good jeans", everything is engineered by clipping farms and armies of fake accounts. Preferably in two feuding camps at once, so that journalists pounce on it like useful idiots. In the Bad Bunny case, a quarter of all 3.7 million posts came from less than four percent of the accounts. Do the math.
The uncomfortable consequence: reach is for sale, dirt cheap even, and therefore worth almost nothing anymore. FVD is already playing the game ruthlessly, while the rest are still posting cringe minister videos on LinkedIn. And that is exactly where Ernst-Jan, a.k.a. DutchProBlogger, comes in with the standing advice he has been right about for twenty years: start a newsletter, start a podcast. Because when content becomes almost free, there is one thing left that nobody can buy: trust. Tim Ferriss saw his book sales plummet by 57 percent because of AI and is falling back on a thousand true fans. The moral is as simple as it is urgent: the window to build your own audience is closing.
Good luck. And watch out for Alexander Slopping.
This episode is made possible in part by Denkproducties. Sign up via denkproducties.nl/pom for the Amsterdam Business Forum and, as a POM listener, you automatically get access to an exclusive session with Seth Godin.
Want to read more about Carbon Equity, which invests in companies that save the climate, such as Carbon Cure, which stores CO2 in concrete? Then take a look at carbonequity.com
And then some self-promotion related to POM: AI Report is running a webinar series on how to build a personal knowledge system your language model can draw from. Three lectures, and you are in for just twelve euros via aireport.nl
This is a public episode. If you would like to discuss this with other subscribers or get access to bonus episodes, visit www.pom.show
Extended Stable Update for Desktop
The Extended Stable channel has been updated to 148.0.7778.280 for Windows and Mac which will roll out over the coming days/weeks.
Stable Channel Update for Desktop
The Stable channel has been updated to 149.0.7827.196/197 for Windows and Mac and 149.0.7827.196 for Linux, which will roll out over the coming days/weeks. A full list of changes in this build is available in the Log
Security Fixes and Rewards
Note: Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed.
This update includes 18 security fixes. Below, we highlight fixes that were contributed by external researchers. Please see the Chrome Security Page for more information
[TBD][520656244] Critical CVE-2026-13028: Use after free in WebGL. Reported by anonymous on 2026-06-07
[N/A][523591974] Critical CVE-2026-13032: Use after free in WebGL. Reported by Google on 2026-06-13
[N/A][523677844] Critical CVE-2026-13033: Out of bounds read in Blink>InterestGroups. Reported by Google on 2026-06-13
[N/A][523740781] Critical CVE-2026-13038: Use after free in Autofill. Reported by Google on 2026-06-14
[N/A][511776603] High CVE-2026-13021: Inappropriate implementation in DeviceBoundSessionCredentials. Reported by Google on 2026-05-10
[N/A][516734537] High CVE-2026-13022: Inappropriate implementation in Autofill. Reported by Google on 2026-05-26
[N/A][517080836] High CVE-2026-13023: Uninitialized Use in GPU. Reported by Google on 2026-05-27
[N/A][517148260] High CVE-2026-13024: Insufficient validation of untrusted input in Navigation. Reported by Google on 2026-05-27
[N/A][518043569] High CVE-2026-13025: Insufficient validation of untrusted input in DevTools. Reported by Google on 2026-05-30
[N/A][519728279] High CVE-2026-13026: Use after free in Digital Credentials. Reported by Google on 2026-06-03
[N/A][520543781] High CVE-2026-13027: Use after free in FileSystem. Reported by Google on 2026-06-05
[N/A][521495992] High CVE-2026-13029: Use after free in Web Authentication. Reported by Google on 2026-06-08
[N/A][522840723] High CVE-2026-13030: Uninitialized Use in GPU. Reported by Google on 2026-06-11
[N/A][523308824] High CVE-2026-13031: Use after free in Blink. Reported by Google on 2026-06-12
[N/A][523699355] High CVE-2026-13034: Inappropriate implementation in Passwords. Reported by Google on 2026-06-13
[N/A][523704570] High CVE-2026-13035: Use after free in Bluetooth. Reported by Google on 2026-06-13
[N/A][523711130] High CVE-2026-13036: Use after free in Blink. Reported by Google on 2026-06-13
[N/A][523721871] High CVE-2026-13037: Use after free in WebView. Reported by Google on 2026-06-14
We would also like to thank all security researchers that worked with us during the development cycle to prevent security bugs from ever reaching the stable channel.
Many of our security bugs are detected using AddressSanitizer, MemorySanitizer, UndefinedBehaviorSanitizer, Control Flow Integrity, libFuzzer, or AFL.
Interested in switching release channels? Find out how here. If you find a new issue, please let us know by filing a bug. The community help forum is also a great place to reach out for help or learn about common issues.
Daniel Yip
Google Chrome
nginx
- njs-1.0.0 version has been released, deprecating the njs engine in favor of QuickJS, aligning exception classes between the engines, and hardening ngx.fetch() request validation.
South Dakota: Badlands
Today, we would like to show you a preview of one of the most famous and unique landscapes we have been recreating for the South Dakota DLC for American Truck Simulator - the beautiful Badlands National Park!
Situated along the edge of the Great Plains in southwestern South Dakota, Badlands National Park spans 244,000 acres of dramatically eroded buttes, pinnacles, and spires, alongside the largest protected mixed-grass prairie in the United States.
But why is such a stunning area named Badlands? For hundreds of years, the Lakota people have called it "mako sica", which translates to "bad lands". Then, early French fur trappers called the area "les mauvaises terres à traverser" (bad lands to travel across). Because when it rains there, the wet clay becomes sticky, and the jagged canyons also make it hard to navigate. The winters are cold and windy, and the summers are hot and dry. But it could have had a very different name, as in 1922, when Badlands was first proposed as a national park, the suggested name was Wonderland National Park.
The Badlands contain one of the world's richest fossil beds, preserving evidence of ancient species such as horses and rhinos that once roamed the region. Today, the area is home to bison, bighorn sheep, prairie dogs, and a diverse range of other plant and animal life. As players enter this region in the game, they will be immediately greeted by roaming bison and striking rock formations.
As you drive further, you'll come across iconic places like Pinnacles Overlook, Yellow Mounds Overlook, and the Fossil Trail.
"I fell in love with this place the first time we visited it on our research trip; it's like stepping into another world, where lush green grass blends with the colorful local soil and rolling hills," says Draky, our map designer who worked on recreating this national park for our game.
One thing you may notice in this region is the sudden transition from expansive plains and gentle hills to a dramatic, iconic landscape characterized by rugged formations and large wildlife such as the bison. As the seasons change, the Badlands vegetation undergoes significant shifts in color throughout the year. The version depicted in the game reflects how the landscape appears between July and August, in which the game is set.
Draky also shares her insight on how difficult it was to transfer this wonderful area into the scale of American Truck Simulator, with a message to our community: "The biggest challenge was the initial layout planning, as the space is quite limited, but I'm still very happy with the result, and I'm sure you'll love experiencing this place every time you pass through."
We hope you are looking forward to exploring the Badlands. If so, make sure to add the South Dakota DLC to your Steam wishlist!
Also, remember to follow us on X/Twitter, Facebook, Instagram, Bluesky, and YouTube for all the latest news from this map expansion and other American Truck Simulator information, or sign up for our newsletter to stay informed. Keep on truckin'!