
Distribution Release: Kali Linux 2026.2

29 June 2026 at 18:52
The DistroWatch news feed is brought to you by TUXEDO COMPUTERS. The Kali Linux project has released a new snapshot of the security- and forensics-focused distribution. The project's 2026.2 release includes several upgrades: "It's the final week of Q2, and Kali Linux 2026.2 is here - right on schedule. We have been heads down since our last release, and....

Distribution Release: Mageia 10

29 June 2026 at 12:41
The Mageia project has released a new version, Mageia 10, which brings updates to the project's package management tools, welcome screen and CPU requirements. "We increase hardware requirements for 32bit systems, you will require a CPU with SSE2 features. You will find that extension for the packages and....

Distribution Release: Slackel 9.0 "MATE"

29 June 2026 at 03:44
Dimitris Tzemos has announced the release of Slackel 9.0 "MATE" edition, the latest version of the project's Slackware-based live Linux distribution featuring the MATE desktop: "Slackel MATE 9.0 is the latest major release branch of the Greek-developed Linux distribution, built on top of the Slackware 'Current' tree and....

DistroWatch Weekly, Issue 1179

29 June 2026 at 02:16
This week in DistroWatch Weekly:
Review: PCLinuxOS 2026.05
News: COSMIC gets a new system monitor, Xfce tests new Wayland compositor, FreeBSD developers invite questions
Questions and answers: Tips for switching between distributions
Released last week: SteamOS 3.8.10, KaOS 2026.06, Drauger OS 7.8, AnduinOS 2.0.0
Torrent corner: CachyOS
Opinion poll: Favourite release cycle?
Website news:....

Part-DB 2.13.0

By: jbtronics
29 June 2026 at 00:35

Important

If you are using Part-DB it would be helpful if you fill out this short survey on your usage of Part-DB (Google Forms): https://forms.gle/Q15twx3YYq3qCNfe8

Part-DB 2.13.0

New features & Improvements

  • Improved password strength estimator and show the time-to-crack estimate in a tooltip
  • Use a better library for alerts and dialogs, instead of the outdated bootbox
  • Improved page load error dialog
  • Added bootswatch's brite theme as a possible theme
  • Added Ollama as a (local) AI provider
  • Allow configuring the timeout for AI providers, making it more suitable for slow local inference
  • Added full Chinese translation (thanks @0x915)
  • Allow editing info provider references in the part edit form

Bug fixes

  • Fixed bug that stocktake date changed on part edit (#1390)

Other changes

  • Updated dependencies
  • Updated KiCad symbols
  • Fixed many deprecations

New Contributors

Full Changelog: v2.12.3...v2.13.0


Distribution Release: AnduinOS 2.0.0

28 June 2026 at 21:49
AnduinOS 2.0.0 has been released. AnduinOS is an Ubuntu-based Linux distribution featuring a GNOME desktop customised with a variety of extensions. This major new release brings extensive under-the-hood changes while maintaining the usability and customisability of the desktop. "Today, AIURSOFT Limited is announcing the general availability of AnduinOS....

v1.7.6 - Crypto Plugin API & Privileged Plugin Tier, S/MIME as a Plugin, Hide Folder Counts & Structured MFA Login

By: rathlinus
28 June 2026 at 20:51

1.7.6 (2026-06-28)

Breaking Changes

  • S/MIME: The built-in S/MIME implementation has been removed from core and re-delivered through the new generic crypto plugin hooks (privileged same-origin plugin tier). S/MIME signing, encryption, decryption, certificate management, and the related settings UI now live in a plugin rather than the main app. Deployments that relied on built-in S/MIME must install the S/MIME crypto plugin to retain those features.

Thank you for your donations:

One-time

  • Anonymous

Monthly

Features

  • Plugins: Privileged same-origin plugin tier with a crypto API surface
  • Plugins: Plugin hooks for email details, headers, and source
  • Mail: Option to hide the total message count on folders (#498)

Fixes

  • Mail: Hide the server scheduled folder when the virtual one is shown (#495)
  • Mail: Stop the unified mailbox from mutating client-returned email objects
  • Composer: HTML-escape sender and subject in the reply/forward quote header (#482)
  • Calendar: Send calendar invites by setting organizerCalendarAddress
  • Identity: Sync the default identity (preferredPrimaryId) to server settings (#507)
  • Auth: Support MFA login via the structured auth endpoint
  • Admin: Show all built-in themes in the admin theme controls (#496)
  • i18n: Add missing translation keys across 19 locales


Release 2026.06.28

28 June 2026 at 20:23

Docker Images

Docker images have been built and pushed:

Docker Hub:

  • alexta69/metube:latest
  • alexta69/metube:2026.06.28

GitHub Container Registry:

  • ghcr.io/alexta69/metube:latest
  • ghcr.io/alexta69/metube:2026.06.28

Changes

  • upgrade to Angular 22 (51fd203)
  • upgrade dependencies (d136344)
  • Bump actions/checkout from 6 to 7 in the github-actions group (33f1412)


12.0 RC2

28 June 2026 at 19:25

🚀 Jellyfin Web 12.0 RC2

We are pleased to announce the second release candidate preview release of Jellyfin 12.0!

This is a preview release, intended for those interested in testing 12.0 before its final public release. We welcome testers to help find as many bugs as we can before the final release.

As always, please ensure you stop your Jellyfin server and take a full backup before upgrading!

A note about versioning

Starting with this release, we are dropping the preceding 10. from our versioning. Thus, 10.11.x -> [10.]12.x = 12.x. The reason is simple: at this point in the project, we don't envision a hard break in the API like we planned way back in the early days, and this version scheme was causing a lot of confusion amongst users about what a "major" release was. For more information, please see the RC1 release notes.

What's new?

The main goal of this release has been performance. 10.11.0 dropped a major backend rewrite, and while it was broadly functional, it had a lot of rough edges. This release seeks to polish out most of those rough edges and bring better performance to all users.

There are many other small fixes, improvements, changes, and translations. See our draft release notes here or below for the full list of pull requests. You can also view the Server side changelog here.

Note: You must be on Jellyfin 10.10.7+ or 10.11.x (ideally, 10.11.11) before upgrading! If you are not, the upgrade will fail. Ensure you upgrade to one of these versions first!

Note: The initial load of Jellyfin 12.x will run a few migrations and will take several minutes. Please be patient and do not interrupt the process. You can leverage the (newly improved!) startup UI on your local network to see specific progress, or off-network to see general progress, by visiting the server URL in your web browser during startup.

Note: If you install the RC, you should disable all external plugins and reinstall using the unstable plugin repository, or plugins may fail to load and cause unintended side effects.

Installing

This preview release is distributed in all our traditional forms, though not automatically via our Apt repository or latest tag.

  • For all non-Docker environments, you can find the files for manual download in our repository by selecting "Stable Preview" for your OS.
  • For Docker, you can pull the 12.0-rc2 or preview tags.

What's Changed (since v12.0-rc1)

Full Changelog: v12.0-rc1...v12.0-rc2


12.0 RC2

28 June 2026 at 19:25

🚀 Jellyfin Server 12.0 RC2

We are pleased to announce the second release candidate preview release of Jellyfin 12.0!

This is a preview release, intended for those interested in testing 12.0 before its final public release. We welcome testers to help find as many bugs as we can before the final release.

As always, please ensure you stop your Jellyfin server and take a full backup before upgrading!

A note about versioning

Starting with this release, we are dropping the preceding 10. from our versioning. Thus, 10.11.x -> [10.]12.x = 12.x. The reason is simple: at this point in the project, we don't envision a hard break in the API like we planned way back in the early days, and this version scheme was causing a lot of confusion amongst users about what a "major" release was. For more information, please see the RC1 release notes.

What's new?

The main goal of this release has been performance. 10.11.0 dropped a major backend rewrite, and while it was broadly functional, it had a lot of rough edges. This release seeks to polish out most of those rough edges and bring better performance to all users.

There are many other small fixes, improvements, changes, and translations. See our draft release notes here or below for the full list of pull requests. You can also view the Web side changelog here.

Note: You must be on Jellyfin 10.10.7+ or 10.11.x (ideally, 10.11.11) before upgrading! If you are not, the upgrade will fail. Ensure you upgrade to one of these versions first!

Note: The initial load of Jellyfin 12.x will run a few migrations and will take several minutes. Please be patient and do not interrupt the process. You can leverage the (newly improved!) startup UI on your local network to see specific progress, or off-network to see general progress, by visiting the server URL in your web browser during startup.

Note: If you install the RC, you should disable all external plugins and reinstall using the unstable plugin repository, or plugins may fail to load and cause unintended side effects.

Installing

This preview release is distributed in all our traditional forms, though not automatically via our Apt repository or latest tag.

  • For all non-Docker environments, you can find the files for manual download in our repository by selecting "Stable Preview" for your OS.
  • For Docker, you can pull the 12.0-rc2 or preview tags.

What's Changed (since v12.0-rc1)

New Contributors

Full Changelog: v12.0-rc1...v12.0-rc2


Distribution Release: Drauger OS 7.8

28 June 2026 at 13:48
The developer of Drauger OS, an Ubuntu-based distribution with optimizations designed to improve gaming performance and experience on Linux, has announced the release of a major new version, 7.8, now based on Ubuntu 26.04 LTS: "I am proud to announce the stable release of Drauger OS 7.8, codename....

v1.19.2

28 June 2026 at 12:55

Fixes and improvements

General

  • playback: fix panic when MP4 muxer flushes with no samples (#5867)
  • redact sensitive headers in HTTP debug logs (#5873)
  • fix(recordstore): decode timezone offset minutes correctly (#5884)
  • improve HTTP server performance (#5886): log incoming requests without cloning.
  • prevent truncation of 64-bit values on 32-bit platforms (#5902)

RTSP

WebRTC

  • skip unresolvable webrtcAdditionalHosts entries instead of aborting (#5845)

RPI Camera

  • support encoding primary stream with MJPEG (2/2) (#5892)
  • support encoding secondary stream with H264 (2/2) (#4485) (#5898)
  • add unified rpiCameraH264Profile, rpiCameraH264Level params (#5894): these replace rpiCameraHardwareH264Profile, rpiCameraHardwareH264Level, rpiCameraSoftwareH264Profile, rpiCameraSoftwareH264Level.
  • fix race condition that prevents decoding the stream (bluenviron/mediamtx-rpicamera#109) (#5861): when a player immediately connects to a newly-created stream, SPS/PPS might not be available, neither in the SDP nor in-band. Prevent the issue by always sending SPS/PPS in-band.
  • improve performance by computing frame size once (bluenviron/mediamtx-rpicamera#111)
  • fix wrong timestamp being passed to openh264 (bluenviron/mediamtx-rpicamera#114)

Dependencies

  • code.cloudfoundry.org/bytefmt updated from v0.76.0 to v0.78.0
  • github.com/abema/go-mp4 updated from v1.6.0 to v1.7.1
  • github.com/bluenviron/gortsplib/v5 updated from v5.6.0 to v5.6.1
  • github.com/bluenviron/mediacommon/v2 updated from v2.9.0 to v2.9.1
  • github.com/matthewhartstonge/argon2 updated from v1.5.4 to v1.5.5
  • github.com/pion/sdp/v3 updated from v3.0.18 to v3.0.19
  • github.com/quic-go/webtransport-go updated from v0.10.0 to v0.11.0
  • github.com/pion/srtp/v3 updated from v3.0.11 to v3.0.12
  • github.com/bluenviron/mediamtx-rpicamera updated from v2.6.0 to v2.8.0

Security

Binaries are compiled from source code by the Release workflow, which is a fully-visible process that prevents any change or external interference in produced artifacts.

Checksums of binaries are also published in a public blockchain by using GitHub Attestations, and they can be verified by running:

ls mediamtx_* | xargs -L1 gh attestation verify --repo bluenviron/mediamtx

You can verify checksums of binaries by downloading checksums.sha256 and running:

cat checksums.sha256 | grep "$(ls mediamtx_*)" | sha256sum --check


June 24th, 2026, Ampere Server Donation

27 June 2026 at 04:30

Ampere has generously donated a server to FFmpeg: an AmpereOne® (Mt. Mitchell) 2U system with 192 Arm cores, 512 GB of RAM, 24 NVMe bays and 2×25G networking, weighing in at 28 kg. Thank you, Ampere!

The boxed Ampere server on arrival
The Ampere server unboxed in its packaging foam

To celebrate, Dascha (daschasara) answered FFmpeg's call for non-AI artwork and drew this piece for us:

Artwork by Dascha: the FFmpeg logo opening a gift box containing an Ampere server

Artwork by Dascha (daschasara)


v1.6.0

26 June 2026 at 21:10

Changelog

  • ac5c3b4 Add WebsiteConfiguration types, validation, and S3 error codes
  • 375c276 Add website integration tests and remove NotImplemented stubs
  • 04bb314 chore(deps): bump actions/checkout from 6 to 7
  • 0d03381 chore(deps): bump the dev-dependencies group across 1 directory with 12 updates
  • 8453a5b chore(deps): bump the dev-dependencies group with 23 updates
  • 2a40e19 chore(deps): bump the dev-dependencies group with 24 updates
  • 27e90ce feat(helm): Make it possible to specify deployment strategy
  • 4599daa feat: Add 'topologySpreadConstraints'
  • 6f1dfe8 feat: add options extensions to embed config
  • 27f04ad feat: add windows functional test coverage and fix some windows behavior
  • 1625c59 feat: improve static website hosting support
  • 4d391ca feat: migrate Fiber to v3.3.0
  • f08f76f feat: support x-amz-website-redirect-location
  • 9610ef8 fix: prevent connection errors in space/quotas error paths
  • cf4bc65 fix: prevent index-out-of-range panic in s3proxy GetBucketOwnershipControls
  • 50e64f7 fix: prevent nil pointer panic in webhook sendLog
  • 422b5a7 fix: prevent panic in ParseCopySource on empty input
  • 12fb5a6 fix: reject empty Content-MD5 on PUT operations
  • 6df901b fix: support asterisk read preconditions
  • 67af0af fix: validate object lock default retention upper limits
  • 8495cf4 s3api: add WithOnListen option for server readiness notification


ATS Road Trip: Ford F-150 Gameplay Preview

By: Petr
26 June 2026 at 17:00

In today's blog, we're excited to share something we know our #BestCommunityEver has been eagerly waiting for - the first gameplay video preview from project Road Trip, with the Ford F-150 as the first vehicle in the spotlight.

The Ford F-150 has earned its legendary status over decades at the top as America's best-selling car, built on a foundation of reliability, toughness, and continuous innovation. In this gameplay preview, we take a relaxed drive with the 2023 Ford F-150 Lariat, one of the vehicles included in the upcoming Ford Car Pack for American Truck Simulator.

We begin our journey on the roads near the city of Redding in sunny California. From there, the route takes us through busier traffic areas before transitioning to a dirt road, where the F-150 truly shines, showcasing its smooth handling and impressive capability on uneven, rugged terrain. So without further ado, let's take a look!


We hope you have enjoyed the first video preview from the Road Trip project, but remember that everything you saw is still very much a work in progress, such as the vehicle sounds and behaviour, and will be adjusted before the release. We can't wait to bring you more previews of what Road Trip will look like in our game, so stay tuned.

We would also like to thank Ford very much for enabling us to bring this amazing vehicle into our game! If you are looking forward to hitting the road in the F-150, make sure to add the Ford Car Pack for American Truck Simulator to your Steam Wishlist.

Also, remember to stay up to date with the latest Road Trip developments by subscribing to our newsletter or following us on X/Twitter, Facebook, BlueSky, and Instagram. Until next time, we will see you on the road!


Stable Channel Update for Desktop

26 June 2026 at 00:00

The Stable channel has been updated to 149.0.7827.200/201 for Windows and Mac and 149.0.7827.200 for Linux, which will roll out over the coming days/weeks. A full list of changes in this build is available in the Log.

Security Fixes and Rewards

Note: Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed.

This update includes 3 security fixes. Please see the Chrome Security Page for more information.

[N/A][513138301] High CVE-2026-13281: Integer overflow in Mojo. Reported by Google on 2026-05-14

[N/A][517522620] High CVE-2026-13282: Use after free in Payments. Reported by Google on 2026-05-28

[N/A][522561151] High CVE-2026-13283: Use after free in AdFilter. Reported by Google on 2026-06-11

We would also like to thank all security researchers that worked with us during the development cycle to prevent security bugs from ever reaching the stable channel.

Many of our security bugs are detected using AddressSanitizer, MemorySanitizer, UndefinedBehaviorSanitizer, Control Flow Integrity, libFuzzer, or AFL.

Interested in switching release channels? Find out how here. If you find a new issue, please let us know by filing a bug. The community help forum is also a great place to reach out for help or learn about common issues.

Daniel Yip

Google Chrome


ETS2 & ATS: 1.61 Experimental Beta

By: Petr
25 June 2026 at 19:06

Even though the 1.60 update for both Euro Truck Simulator 2 and American Truck Simulator was released just last week, we are already working on features for future updates. And since we want to gather as much feedback as possible from our #BestCommunityEver, we are starting an experimental beta well in advance of the actual update release, with a focus on two upcoming features - the Multi-Function Display and In-Game Menu. To make sure we get it right, we need your help!

As mentioned above, this time, we are starting the beta cycle from an early stage. The level of polish and stability in this release might not yet be on the same level as with our typical Open Betas. However, we recognize the importance of involving our community in the development process and need to gather feedback early to help us identify any imperfections.

With the Experimental Beta, we would like to invite our dedicated players to join us in fine-tuning, testing, and providing feedback on the upcoming Multi-Function Display and In-Game Menu features for both games. We appreciate all of your feedback on our forum and your bug reports in the dedicated section for ATS and ETS2.

Multi-Function Display

The MFD has been part of our vision to improve the overall in-game driving interface and accessibility of vehicle systems. Our goal is to create a more unified and intuitive way to access vehicle functions directly in-game, without the need to interrupt your experience or remember dozens of keybinds.

The MFD is an in-game interface accessible from both interior and exterior camera views. From there, you can quickly navigate through various categories and vehicle systems such as driving assists, lighting controls, vehicle adjustments, media functions, trip information, and more.

One of the main goals of this feature is to reduce interruptions while accessing vehicle systems and information. In most situations, opening the MFD will not pause gameplay, and vehicle controls will remain responsive during interaction.

Another key goal of this feature is discoverability. Over the years, ETS2 and ATS have accumulated many functions and controls that players may never encounter. The MFD helps make these features easier to find by presenting them in context and displaying their associated key binds directly within the menu.

The MFD is designed to support keyboard, mouse, wheel, and controller (both on PC and consoles in the future) users alike, with customisable navigation controls. You can read more about this feature here.

Please note that for the purposes of MFD in Experimental Beta, the controllers will only support In-Game Mapping Mode (which is the recommended default). The support for Steam Client Input Mode will be added only for the full release.

In-Game Menu

The In-Game Menu is a new quick-access overlay presented as a compact horizontal bar at the top of the screen, providing players with instant access to essential functions.

In the new design, the In-Game Menu, accessible via F1, has two roles: it provides access to functions exclusive to it, while retaining quick access to selected functions that were previously available through F4 and F7. The In-Game Menu now consolidates what was previously spread across F1, F4, and F7, providing more immediate access to important system and gameplay functions.

From this bar, players can quickly access controls, photo mode, widget options, services, vehicle adjustments, and the quick info menu.

In single-player mode, opening the In-Game Menu will pause the game. For now, the In-Game Menu will not be accessible while driving in the convoy, but we are exploring ways in which players can use some of the menu's functions while driving in multiplayer.

Don't forget that both of these features are still in a work-in-progress phase and are undergoing internal and external testing and adjustments, so your feedback is crucial in helping us polish them before the final release.

We hope you'll enjoy these new additions, but please remember: It's only an experimental beta, not an open beta yet or even a stable public version, so you may encounter bugs, instability, or crashes - which is where we need your input the most to solve any of these issues. The new features for both games will also be available only in English, so it's completely okay if you want to wait for the open beta or the final release. But if you're interested in helping us get there faster, we'll appreciate all of your feedback on our forum.

If you wish to participate in this Experimental Beta, you can find this version in the Experimental Beta branch on Steam. The way to access it is as follows: Steam client → LIBRARY → right-click on Euro Truck Simulator 2 or American Truck Simulator → Properties → Betas tab → Beta Participation drop-down menu → experimental_beta. No password is required. Sometimes you will have to restart your Steam client to see the correct branch name there.

Thank you for your ongoing dedication and feedback. We believe the Experimental Beta will be a valuable stepping stone towards Open Beta and the 1.61 version. Don't forget to stay connected with us and all the latest information through our social media channels, make sure to follow us on X/Twitter, Instagram, Facebook, Bluesky, and TikTok. Happy trucking!


Asterisk Release 23.4.1

25 June 2026 at 19:20

The Asterisk Development Team would like to announce security release
Asterisk 23.4.1.

The release artifacts are available for immediate download at
https://github.com/asterisk/asterisk/releases/tag/23.4.1
and
https://downloads.asterisk.org/pub/telephony/asterisk

Repository: https://github.com/asterisk/asterisk
Tag: 23.4.1

Change Log for Release asterisk-23.4.1

Links:

Summary:

  • Commits: 19
  • Commit Authors: 6
  • Issues Resolved: 0
  • Security Advisories Resolved: 20

User Notes:

Upgrade Notes:

Developer Notes:

  • ARI: Make ARI applications respect live_dangerously.

    ARI applications can no longer call "dangerous" dialplan
    functions like DB(), FILE(), SHELL(), CURL(), STAT(), etc. without
    enabling "live_dangerously" in asterisk.conf.
    Resolves: #GHSA-vrfp-mg3q-3959

Commit Authors:

  • George Joseph: (6)
  • Mike Bradeen: (3)
  • Milan Kyselica: (7)
  • Pengpeng Hou: (1)
  • Roberto Paleari: (1)
  • ThatTotallyRealMyth: (1)

Issue and Commit Detail:

Closed Issues:

Commits By Author:

  • George Joseph (6):

    • chan_unistim.c: Prevent overrun of phone_number field.
    • res_ari: Ensure read-only users are properly authorized via REST Over WebSocket.
    • pjsip_message_filter: Use pj_strdup instead of pj_strassign to save local address.
    • ooh323c/ooq931.c: Ensure ooQ931Decode doesn't run out-of-bounds.
    • ARI: Make ARI applications respect live_dangerously.
    • res_rtp_asterisk.c: Address 2 potential T.140 RED buffer overruns.
  • Mike Bradeen (3):

    • ooh323c: not checking for IE minimum length
    • manager: Use remote address in user error logging
    • ooh323: Prevent potential buffer overflow in trace logging
  • Milan Kyselica (7):

    • res_xmpp: Fix stack buffer overflow in namespace prefix handling
    • res_pjsip_pubsub: Add width limit to sscanf in MWI NOTIFY parser
    • res_config_ldap: Escape LDAP filter values per RFC 4515
    • cel_pgsql, cel_tds: Escape eventtype field to prevent SQL injection
    • http: Escape error page text to prevent reflected XSS
    • codec_codec2: Only process complete Codec2 frames in decoder
    • format_ogg_speex: Add bounds check to prevent heap buffer overflow
  • Pengpeng Hou (1):

    • app_sms: Bound protocol 1 SMS unpacking to fixed-size buffers
  • Roberto Paleari (1):

    • res/res_pjsip_pubsub.c: Fix buffer over-read in MWI body parser
  • ThatTotallyRealMyth (1):

    • ast_loggrabber: Install the ast_tsconvert.py script to a secure temp directory.

Commit List:

  • ast_loggrabber: Install the ast_tsconvert.py script to a secure temp directory.
  • chan_unistim.c: Prevent overrun of phone_number field.
  • ooh323c: not checking for IE minimum length
  • res_ari: Ensure read-only users are properly authorized via REST Over WebSocket.
  • pjsip_message_filter: Use pj_strdup instead of pj_strassign to save local address.
  • ooh323c/ooq931.c: Ensure ooQ931Decode doesn't run out-of-bounds.
  • ARI: Make ARI applications respect live_dangerously.
  • res_rtp_asterisk.c: Address 2 potential T.140 RED buffer overruns.
  • res/res_pjsip_pubsub.c: Fix buffer over-read in MWI body parser
  • manager: Use remote address in user error logging
  • ooh323: Prevent potential buffer overflow in trace logging
  • app_sms: Bound protocol 1 SMS unpacking to fixed-size buffers
  • res_xmpp: Fix stack buffer overflow in namespace prefix handling
  • res_pjsip_pubsub: Add width limit to sscanf in MWI NOTIFY parser
  • res_config_ldap: Escape LDAP filter values per RFC 4515
  • cel_pgsql, cel_tds: Escape eventtype field to prevent SQL injection
  • http: Escape error page text to prevent reflected XSS
  • codec_codec2: Only process complete Codec2 frames in decoder
  • format_ogg_speex: Add bounds check to prevent heap buffer overflow

Commit Details:

ast_loggrabber: Install the ast_tsconvert.py script to a secure temp directory.

Author: ThatTotallyRealMyth
Date: 2026-03-19

The ast_tsconvert.py script called by ast_loggrabber is now installed in a
temporary directory that isn't world readable or writable.

Resolves: #GHSA-xgj6-2gc5-5x9c

chan_unistim.c: Prevent overrun of phone_number field.

Author: George Joseph
Date: 2026-06-15

Add a check to key_dial_page() to ensure that dialed digits won't overrun
the phone_number field.

Resolves: #GHSA-3g56-cgrh-95p5

ooh323c: not checking for IE minimum length

Author: Mike Bradeen
Date: 2022-06-06

When decoding the q.931-encoded calling/called number, now check for
the length being less than the minimum required.

Resolves: #GHSA-h5hv-jmgj-92q2

res_ari: Ensure read-only users are properly authorized via REST Over WebSocket.

Author: George Joseph
Date: 2026-06-12

The REST over WebSocket path now properly prevents non-GET methods from
being executed on inbound WebSockets.

  • The query parameters from the original incoming GET request that caused the
    upgrade to WebSocket are now passed to all REST requests that come from the
    client. This ensures that if the client authenticated with a read-only
    userid using the "api_key" query_string parameter, REST requests coming
    in over the WebSocket will only be able to execute GETs on resources.
    The HTTP headers were already passed to the REST requests so if the
    client had authenticated via an "Authorization" it was properly handled.

  • New tests have been added to test_ari.c to check that read-only users
    are properly denied access to resources using non-GET methods. Several
    memory leaks were also squashed.

Resolves: #GHSA-wcvv-g26m-wx5c

pjsip_message_filter: Use pj_strdup instead of pj_strassign to save local address.

Author: George Joseph
Date: 2026-06-10

The filter_on_tx_message() function was using pj_strassign() to save the pointer
of the pjproject transport local address to a local pj_str_t variable. That
variable was ultimately used to set the Contact header's uri->host and the SDP
connection attribute's address again using pj_strassign. pj_strassign() doesn't
copy the actual value of the pj_str_t however, it just copies the pointer so
if a connection-oriented transport is disconnected before the 200 OK with the
SDP is sent, those pointers will be invalid which can cause use-after-free
issues. To prevent this, filter_on_tx_message() now uses pj_strdup with the
tdata->pool as the backing store to save the local IP address to the local
variable. pj_strassign() can then be used safely later on since the tdata
will be available for the life of the transaction.

Resolves: #GHSA-g8q2-p36q-94f6

ooh323c/ooq931.c: Ensure ooQ931Decode doesn't run out-of-bounds.

Author: George Joseph
Date: 2026-06-02

Several bounds checks have been added to ooQ931Decode to prevent it from
running past the end of the data buffer when parsing information elements.

Resolves: #GHSA-746q-794h-cc7f

ARI: Make ARI applications respect live_dangerously.

Author: George Joseph
Date: 2026-05-21

DeveloperNote: ARI applications can no longer call "dangerous" dialplan
functions like DB(), FILE(), SHELL(), CURL(), STAT(), etc. without
enabling "live_dangerously" in asterisk.conf.

Resolves: #GHSA-vrfp-mg3q-3959

res_rtp_asterisk.c: Address 2 potential T.140 RED buffer overruns.

Author: George Joseph
Date: 2026-04-27

  • Add check to red_t140_to_red() to ensure that the new primary payload
    can't cause the rtp_red->len array items to wrap or cause an overrun of
    the rtp_red->t140red_data buffer.

  • Add check to rtp_red_buffer() to ensure that a T.140 frame to be sent
    can't cause rtp_red->len array items to wrap or cause an overrun of
    the rtp_red->buf_data buffer.

Resolves: #GHSA-vfhr-r9x9-c687
Resolves: #GHSA-j2mm-57pq-jh94

res/res_pjsip_pubsub.c: Fix buffer over-read in MWI body parser

Author: Roberto Paleari
Date: 2026-04-29

Add constraint checks to prevent unauthenticated users from crashing an Asterisk
instance by sending a crafted inbound SIP NOTIFY request with "Content-Type:
application/simple-message-summary".

Resolves: #GHSA-8jw3-ccr9-xrmf

manager: Use remote address in user error logging

Author: Mike Bradeen
Date: 2026-03-30

To avoid a potential null dereference use the remote address
in error logging when there is no user or the user acl fails.

Resolves: #GHSA-3rhj-hhw7-m6fw

ooh323: Prevent potential buffer overflow in trace logging

Author: Mike Bradeen
Date: 2026-03-31

Replace a call to vsprintf with a call to ast_vasprintf to
prevent a possible buffer overflow.

Resolves: #GHSA-x348-j6c9-77f3

app_sms: Bound protocol 1 SMS unpacking to fixed-size buffers

Author: Pengpeng Hou
Date: 2026-04-01

The protocol 1 unpack helpers trusted externally controlled lengths and wrote
them directly into fixed-size buffers in sms_t. Clamp the address, header,
and body copies to the destination array sizes so malformed messages cannot
overwrite adjacent state.

Resolves: #GHSA-q9fr-m7g8-6ph5

res_xmpp: Fix stack buffer overflow in namespace prefix handling

Author: Milan Kyselica
Date: 2026-03-26

The snprintf size parameter in xmpp_action_hook() is computed from
the attacker-controlled namespace prefix length and is not bounded
by the 256-byte stack buffer size. When a remote XMPP peer sends a
stanza with a child element whose namespace prefix exceeds 249
characters, snprintf writes past the buffer boundary.

Use sizeof(attr) as the snprintf size limit and %.*s precision to
extract only the prefix portion of the element name, preserving
the original truncation behavior for valid inputs.

Resolves: #GHSA-mxgm-8c6f-5p8f

res_pjsip_pubsub: Add width limit to sscanf in MWI NOTIFY parser

Author: Milan Kyselica
Date: 2026-03-24

The parse_simple_message_summary() function uses sscanf with an
unbounded %s format specifier to parse the Message-Account field
from incoming SIP NOTIFY bodies into a fixed-size 512-byte stack
buffer (PJSIP_MAX_URL_SIZE). A single unauthenticated SIP NOTIFY
with a Message-Account value exceeding 512 bytes overflows the
buffer, corrupting adjacent stack data and permanently disabling
the PJSIP transport layer without crashing the process.

Add a width specifier (%511s) to limit the sscanf write to
PJSIP_MAX_URL_SIZE - 1 bytes plus the NUL terminator, matching
the destination buffer size.

Resolves: #GHSA-589g-qgf8-m6mx

res_config_ldap: Escape LDAP filter values per RFC 4515

Author: Milan Kyselica
Date: 2026-03-23

The LDAP realtime driver constructs search filters by directly
concatenating user-supplied values without RFC 4515 escaping.
When LDAP is used as a realtime backend for endpoint
identification, characters with special meaning in LDAP filters
(*, (, ), ) can be injected via the SIP From header username.

Add ldap_filter_escape_value() that escapes RFC 4515 special
characters to their \HH hex representation, and apply it to
non-LIKE query values. The LIKE query path preserves the existing
wildcard conversion behavior with a note for maintainers.

Resolves: #GHSA-r6c2-hwc2-j4mp

cel_pgsql, cel_tds: Escape eventtype field to prevent SQL injection

Author: Milan Kyselica
Date: 2026-03-23

The eventtype column handler in cel_pgsql.c inserts
record.user_defined_name directly into the SQL query without
calling PQescapeStringConn(), while all other string fields in
the same function are properly escaped. Similarly, cel_tds.c
passes the raw user_defined_name into the SQL INSERT without
routing it through anti_injection(), while all other fields are
processed through that function.

For cel_pgsql.c, escape the eventtype value using
PQescapeStringConn(), matching the existing pattern used for all
other string fields at lines 308-331 of the same function.

For cel_tds.c, route the eventtype value through
anti_injection() consistent with how all other fields are handled
in the same function.

Resolves: #GHSA-ph27-3m5q-mj5m

http: Escape error page text to prevent reflected XSS

Author: Milan Kyselica
Date: 2026-04-08

The text parameter in ast_http_create_response() is inserted into
the HTML body without escaping, while the server name on the same
page is properly escaped via ast_xml_escape(). When res_phoneprov
passes the decoded request URI as the text of a 404 response, HTML
metacharacters in the URI are rendered by the browser.

Apply ast_xml_escape() to the text parameter before inserting it
into the HTML template, using the same function already used for
the server name.

Resolves: #GHSA-4pgv-j3mr-3rcp

codec_codec2: Only process complete Codec2 frames in decoder

Author: Milan Kyselica
Date: 2026-04-08

The codec2_samples() function uses floor division (160 * datalen/6)
to compute expected output samples, but the decode loop condition
(x < datalen) iterates with ceiling behavior when datalen is not a
multiple of CODEC2_FRAME_LEN. This mismatch causes the loop to
decode one extra frame beyond what the framework bounds check
budgeted for, leading to an out-of-bounds write on the output buffer.

Change the loop condition to only process complete frames, matching
the floor-division behavior of codec2_samples(). This also prevents
an out-of-bounds read on the input side when fewer than
CODEC2_FRAME_LEN bytes remain.

Resolves: #GHSA-qf8j-jp7h-c5hx

format_ogg_speex: Add bounds check to prevent heap buffer overflow

Author: Milan Kyselica
Date: 2026-03-23

The ogg_speex_read() function copies OGG packet data via memcpy()
without validating the packet size against the destination buffer
(BUF_SIZE = 200 bytes). A crafted .spx file with an oversized OGG
audio packet causes a heap buffer overflow that corrupts the
adjacent speex_desc structure containing libogg heap pointers,
leading to a crash (SIGSEGV) on playback.

Add a bounds check for both negative and oversized values before
the memcpy, consistent with how format_ogg_vorbis bounds its reads
via ov_read().

Resolves: #GHSA-8jhw-m2hg-vp3h
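The escaping described in the res_config_ldap commit above, written out as an added example in C. This is not Asterisk's ldap_filter_escape_value() nor any code from this release; the attribute names in the filter (objectClass=AsteriskSIPUser, uid) are assumed for illustration and the inputs are constructed. Each value is escaped as RFC 4515 section 3 requires ('*', '(', ')' and '\' to \HH) before it is placed in the filter, so a From-header username such as "*)(uid=*" can no longer alter the filter's structure.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/*
 * Escape one attribute value for use inside an LDAP search filter
 * (RFC 4515 section 3): '*', '(', ')' and '\' become \HH. NUL cannot occur
 * in a C string, so it needs no handling here. Writes at most outlen-1
 * bytes plus the terminating NUL; returns the escaped length or -1 if the
 * output buffer is too small. Example helper, not Asterisk's own function.
 */
int filter_escape_value(const char *in, char *out, size_t outlen)
{
	static const char hex[] = "0123456789abcdef";
	size_t o = 0;

	if (outlen == 0) {
		return -1;
	}
	for (const unsigned char *p = (const unsigned char *)in; *p; p++) {
		if (*p == '*' || *p == '(' || *p == ')' || *p == '\\') {
			if (o + 3 >= outlen) {
				return -1;
			}
			out[o++] = '\\';
			out[o++] = hex[*p >> 4];
			out[o++] = hex[*p & 0x0f];
		} else {
			if (o + 1 >= outlen) {
				return -1;
			}
			out[o++] = (char)*p;
		}
	}
	out[o] = '\0';
	return (int)o;
}

/*
 * Build the filter a realtime endpoint lookup would send for a SIP From
 * username. Attribute names are assumed for the example. Returns the filter
 * length, or -1 if escaping or formatting did not fit.
 */
int build_endpoint_filter(const char *username, char *filter, size_t flen)
{
	char esc[256];
	int n;

	if (filter_escape_value(username, esc, sizeof(esc)) < 0) {
		return -1;
	}
	n = snprintf(filter, flen, "(&(objectClass=AsteriskSIPUser)(uid=%s))", esc);
	if (n < 0 || (size_t)n >= flen) {
		return -1;
	}
	return n;
}

/* Comparison helpers so results can be checked without exposing buffers. */
int escapes_to(const char *in, const char *expected)
{
	char buf[256];
	return filter_escape_value(in, buf, sizeof(buf)) >= 0 && strcmp(buf, expected) == 0;
}

int filter_for(const char *username, const char *expected)
{
	char buf[512];
	return build_endpoint_filter(username, buf, sizeof(buf)) >= 0 && strcmp(buf, expected) == 0;
}

/* Escape into a buffer of the given size (capped at 256) and return the result code. */
int escape_len_with(const char *in, size_t outlen)
{
	char buf[256];
	if (outlen > sizeof(buf)) {
		outlen = sizeof(buf);
	}
	return filter_escape_value(in, buf, outlen);
}

int main(void)
{
	char filter[512];
	/* Constructed usernames: a benign one, an injection attempt, a backslash. */
	const char *probes[] = { "alice", "*)(uid=*", "a\\b" };

	for (size_t i = 0; i < sizeof(probes) / sizeof(probes[0]); i++) {
		if (build_endpoint_filter(probes[i], filter, sizeof(filter)) >= 0) {
			printf("%-10s -> %s\n", probes[i], filter);
		}
	}
	return 0;
}
```

The LIKE path the commit mentions is not covered here: it deliberately keeps '*' wildcards, so an escape applied to it would have to leave that character alone.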

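The width-limited sscanf from the res_pjsip_pubsub commit above, as an added example in C; it is not Asterisk's parse_simple_message_summary(). PJSIP_MAX_URL_SIZE is defined locally to the 512 bytes the commit names, and the NOTIFY bodies, including a 600-character Message-Account value, are constructed. With the width in the format the oversized value is stored truncated to 511 characters rather than running past the buffer.

```c
#include <stdio.h>
#include <string.h>

#define PJSIP_MAX_URL_SIZE 512  /* destination buffer size named in the commit */

/* Keep the literal width in the format below tied to the buffer size. */
_Static_assert(PJSIP_MAX_URL_SIZE == 512, "format width must be PJSIP_MAX_URL_SIZE - 1");

/*
 * Extract the Message-Account value from a simple-message-summary body.
 * "%511s" caps the write at PJSIP_MAX_URL_SIZE - 1 characters plus NUL.
 * The pre-fix form, "Message-Account: %s", had no cap.
 * Returns 1 when the field was found, 0 otherwise.
 */
int parse_message_account(const char *body, char account[PJSIP_MAX_URL_SIZE])
{
	const char *line = body;

	while (line && *line) {
		if (sscanf(line, "Message-Account: %511s", account) == 1) {
			return 1;
		}
		line = strchr(line, '\n');
		if (line) {
			line++;
		}
	}
	return 0;
}

/* Length of the parsed account, or -1 if the body has no Message-Account. */
int message_account_len(const char *body)
{
	char account[PJSIP_MAX_URL_SIZE];
	return parse_message_account(body, account) ? (int)strlen(account) : -1;
}

/*
 * Constructed attack body: a 600-character Message-Account, longer than the
 * destination buffer. Returns the length actually stored.
 */
int oversized_account_len(void)
{
	char body[700];
	int n = snprintf(body, sizeof(body), "Messages-Waiting: yes\r\nMessage-Account: ");

	memset(body + n, 'A', 600);
	memcpy(body + n + 600, "\r\n", 3);
	return message_account_len(body);
}

int main(void)
{
	/* Constructed, well-formed MWI body. */
	const char *body = "Messages-Waiting: yes\r\n"
	                   "Message-Account: sip:alice@example.com\r\n"
	                   "Voice-Message: 2/8 (0/2)\r\n";

	printf("normal body: account length %d\n", message_account_len(body));
	printf("600-char account: stored length %d\n", oversized_account_len());
	return 0;
}
```

Note that the first line, "Messages-Waiting: yes", is rejected by the literal part of the format before any write happens; only a line that really begins with "Message-Account:" reaches the %511s conversion.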

Asterisk Release 22.10.1

25 June 2026 at 19:17

The Asterisk Development Team would like to announce security release
Asterisk 22.10.1.

The release artifacts are available for immediate download at
https://github.com/asterisk/asterisk/releases/tag/22.10.1
and
https://downloads.asterisk.org/pub/telephony/asterisk

Repository: https://github.com/asterisk/asterisk
Tag: 22.10.1

Change Log for Release asterisk-22.10.1

Links:

Summary:

  • Commits: 19
  • Commit Authors: 6
  • Issues Resolved: 0
  • Security Advisories Resolved: 20

User Notes:

Upgrade Notes:

Developer Notes:

  • ARI: Make ARI applications respect live_dangerously.

    ARI applications can no longer call "dangerous" dialplan
    functions like DB(), FILE(), SHELL(), CURL(), STAT(), etc. without
    enabling "live_dangerously" in asterisk.conf.
    Resolves: #GHSA-vrfp-mg3q-3959

Commit Authors:

  • George Joseph: (6)
  • Mike Bradeen: (3)
  • Milan Kyselica: (7)
  • Pengpeng Hou: (1)
  • Roberto Paleari: (1)
  • ThatTotallyRealMyth: (1)

Issue and Commit Detail:

Closed Issues:

Commits By Author:

  • George Joseph (6):

    • chan_unistim.c: Prevent overrun of phone_number field.
    • res_ari: Ensure read-only users are properly authorized via REST Over WebSocket.
    • pjsip_message_filter: Use pj_strdup instead of pj_strassign to save local address.
    • ooh323c/ooq931.c: Ensure ooQ931Decode doesn't run out-of-bounds.
    • ARI: Make ARI applications respect live_dangerously.
    • res_rtp_asterisk.c: Address 2 potential T.140 RED buffer overruns.
  • Mike Bradeen (3):

    • ooh323c: not checking for IE minimum length
    • manager: Use remote address in user error logging
    • ooh323: Prevent potential buffer overflow in trace logging
  • Milan Kyselica (7):

    • res_xmpp: Fix stack buffer overflow in namespace prefix handling
    • res_pjsip_pubsub: Add width limit to sscanf in MWI NOTIFY parser
    • res_config_ldap: Escape LDAP filter values per RFC 4515
    • cel_pgsql, cel_tds: Escape eventtype field to prevent SQL injection
    • http: Escape error page text to prevent reflected XSS
    • codec_codec2: Only process complete Codec2 frames in decoder
    • format_ogg_speex: Add bounds check to prevent heap buffer overflow
  • Pengpeng Hou (1):

    • app_sms: Bound protocol 1 SMS unpacking to fixed-size buffers
  • Roberto Paleari (1):

    • res/res_pjsip_pubsub.c: Fix buffer over-read in MWI body parser
  • ThatTotallyRealMyth (1):

    • ast_loggrabber: Install the ast_tsconvert.py script to a secure temp directory.

Commit List:

  • ast_loggrabber: Install the ast_tsconvert.py script to a secure temp directory.
  • chan_unistim.c: Prevent overrun of phone_number field.
  • ooh323c: not checking for IE minimum length
  • res_ari: Ensure read-only users are properly authorized via REST Over WebSocket.
  • pjsip_message_filter: Use pj_strdup instead of pj_strassign to save local address.
  • ooh323c/ooq931.c: Ensure ooQ931Decode doesn't run out-of-bounds.
  • ARI: Make ARI applications respect live_dangerously.
  • res_rtp_asterisk.c: Address 2 potential T.140 RED buffer overruns.
  • res/res_pjsip_pubsub.c: Fix buffer over-read in MWI body parser
  • manager: Use remote address in user error logging
  • ooh323: Prevent potential buffer overflow in trace logging
  • app_sms: Bound protocol 1 SMS unpacking to fixed-size buffers
  • res_xmpp: Fix stack buffer overflow in namespace prefix handling
  • res_pjsip_pubsub: Add width limit to sscanf in MWI NOTIFY parser
  • res_config_ldap: Escape LDAP filter values per RFC 4515
  • cel_pgsql, cel_tds: Escape eventtype field to prevent SQL injection
  • http: Escape error page text to prevent reflected XSS
  • codec_codec2: Only process complete Codec2 frames in decoder
  • format_ogg_speex: Add bounds check to prevent heap buffer overflow

Commit Details:

ast_loggrabber: Install the ast_tsconvert.py script to a secure temp directory.

Author: ThatTotallyRealMyth
Date: 2026-03-19

The ast_tsconvert.py script called by ast_loggrabber is now installed in a
temporary directory that isn't world readable or writable.

Resolves: #GHSA-xgj6-2gc5-5x9c

chan_unistim.c: Prevent overrun of phone_number field.

Author: George Joseph
Date: 2026-06-15

Add a check to key_dial_page() to ensure that dialed digits won't overrun
the phone_number field.

Resolves: #GHSA-3g56-cgrh-95p5

ooh323c: not checking for IE minimum length

Author: Mike Bradeen
Date: 2022-06-06

When decoding q.931 encoded calling/called number
now checking for length being less than minimum required.

Resolves: #GHSA-h5hv-jmgj-92q2

res_ari: Ensure read-only users are properly authorized via REST Over WebSocket.

Author: George Joseph
Date: 2026-06-12

The REST over WebSocket path now properly prevents non-GET methods from
being executed on inbound WebSockets.

  • The query parameters from the original incoming GET request that caused the
    upgrade to WebSocket are now passed to all REST requests that come from the
    client. This ensures that if the client authenticated with a read-only
    userid using the "api_key" query_string parameter, REST requests coming
    in over the WebSocket will only be able to execute GETs on resources.
    The HTTP headers were already passed to the REST requests so if the
    client had authenticated via an "Authorization" it was properly handled.

  • New tests have been added to test_ari.c to check that read-only users
    are properly denied access to resources using non-GET methods. Several
    memory leaks were also squashed.

Resolves: #GHSA-wcvv-g26m-wx5c

pjsip_message_filter: Use pj_strdup instead of pj_strassign to save local address.

Author: George Joseph
Date: 2026-06-10

The filter_on_tx_message() function was using pj_strassign() to save the pointer
of the pjproject transport local address to a local pj_str_t variable. That
variable was ultimately used to set the Contact header's uri->host and the SDP
connection attribute's address again using pj_strassign. pj_strassign() doesn't
copy the actual value of the pj_str_t however, it just copies the pointer so
if a connection-oriented transport is disconnected before the 200 OK with the
SDP is sent, those pointers will be invalid which can cause use-after-free
issues. To prevent this, filter_on_tx_message() now uses pj_strdup with the
tdata->pool as the backing store to save the local IP address to the local
variable. pj_strassign() can then be used safely later on since the tdata
will be available for the life of the transaction.

Resolves: #GHSA-g8q2-p36q-94f6

ooh323c/ooq931.c: Ensure ooQ931Decode doesn't run out-of-bounds.

Author: George Joseph
Date: 2026-06-02

Several bounds checks have been added to ooQ931Decode to prevent it from
running past the end of the data buffer when parsing information elements.

Resolves: #GHSA-746q-794h-cc7f

ARI: Make ARI applications respect live_dangerously.

Author: George Joseph
Date: 2026-05-21

DeveloperNote: ARI applications can no longer call "dangerous" dialplan
functions like DB(), FILE(), SHELL(), CURL(), STAT(), etc. without
enabling "live_dangerously" in asterisk.conf.

Resolves: #GHSA-vrfp-mg3q-3959

res_rtp_asterisk.c: Address 2 potential T.140 RED buffer overruns.

Author: George Joseph
Date: 2026-04-27

  • Add check to red_t140_to_red() to ensure that the new primary payload
    can't cause the rtp_red->len array items to wrap or cause an overrun of
    the rtp_red->t140red_data buffer.

  • Add check to rtp_red_buffer() to ensure that a T.140 frame to be sent
    can't cause rtp_red->len array items to wrap or cause an overrun of
    the rtp_red->buf_data buffer.

Resolves: #GHSA-vfhr-r9x9-c687
Resolves: #GHSA-j2mm-57pq-jh94

res/res_pjsip_pubsub.c: Fix buffer over-read in MWI body parser

Author: Roberto Paleari
Date: 2026-04-29

Add constraint checks to prevent unauthenticated users from crashing Asterisk
instance by sending a crafted inbound SIP NOTIFY request with "Content-Type:
application/simple-message-summary".

Resolves: #GHSA-8jw3-ccr9-xrmf

manager: Use remote address in user error logging

Author: Mike Bradeen
Date: 2026-03-30

To avoid a potential null dereference use the remote address
in error logging when there is no user or the user acl fails.

Resolves: #GHSA-3rhj-hhw7-m6fw

ooh323: Prevent potential buffer overflow in trace logging

Author: Mike Bradeen
Date: 2026-03-31

Replace a call to vsprintf with a call to ast_vasprintf to
prevent a possible buffer overflow.

Resolves: #GHSA-x348-j6c9-77f3

app_sms: Bound protocol 1 SMS unpacking to fixed-size buffers

Author: Pengpeng Hou
Date: 2026-04-01

The protocol 1 unpack helpers trusted externally controlled lengths and wrote
them directly into fixed-size buffers in sms_t. Clamp the address, header,
and body copies to the destination array sizes so malformed messages cannot
overwrite adjacent state.

Resolves: #GHSA-q9fr-m7g8-6ph5

res_xmpp: Fix stack buffer overflow in namespace prefix handling

Author: Milan Kyselica
Date: 2026-03-26

The snprintf size parameter in xmpp_action_hook() is computed from
the attacker-controlled namespace prefix length and is not bounded
by the 256-byte stack buffer size. When a remote XMPP peer sends a
stanza with a child element whose namespace prefix exceeds 249
characters, snprintf writes past the buffer boundary.

Use sizeof(attr) as the snprintf size limit and %.*s precision to
extract only the prefix portion of the element name, preserving
the original truncation behavior for valid inputs.

Resolves: #GHSA-mxgm-8c6f-5p8f

res_pjsip_pubsub: Add width limit to sscanf in MWI NOTIFY parser

Author: Milan Kyselica
Date: 2026-03-24

The parse_simple_message_summary() function uses sscanf with an
unbounded %s format specifier to parse the Message-Account field
from incoming SIP NOTIFY bodies into a fixed-size 512-byte stack
buffer (PJSIP_MAX_URL_SIZE). A single unauthenticated SIP NOTIFY
with a Message-Account value exceeding 512 bytes overflows the
buffer, corrupting adjacent stack data and permanently disabling
the PJSIP transport layer without crashing the process.

Add a width specifier (%511s) to limit the sscanf write to
PJSIP_MAX_URL_SIZE - 1 bytes plus the NUL terminator, matching
the destination buffer size.

Resolves: #GHSA-589g-qgf8-m6mx

res_config_ldap: Escape LDAP filter values per RFC 4515

Author: Milan Kyselica
Date: 2026-03-23

The LDAP realtime driver constructs search filters by directly
concatenating user-supplied values without RFC 4515 escaping.
When LDAP is used as a realtime backend for endpoint
identification, characters with special meaning in LDAP filters
(*, (, ), ) can be injected via the SIP From header username.

Add ldap_filter_escape_value() that escapes RFC 4515 special
characters to their \HH hex representation, and apply it to
non-LIKE query values. The LIKE query path preserves the existing
wildcard conversion behavior with a note for maintainers.

Resolves: #GHSA-r6c2-hwc2-j4mp

cel_pgsql, cel_tds: Escape eventtype field to prevent SQL injection

Author: Milan Kyselica
Date: 2026-03-23

The eventtype column handler in cel_pgsql.c inserts
record.user_defined_name directly into the SQL query without
calling PQescapeStringConn(), while all other string fields in
the same function are properly escaped. Similarly, cel_tds.c
passes the raw user_defined_name into the SQL INSERT without
routing it through anti_injection(), while all other fields are
processed through that function.

For cel_pgsql.c, escape the eventtype value using
PQescapeStringConn(), matching the existing pattern used for all
other string fields at lines 308-331 of the same function.

For cel_tds.c, route the eventtype value through
anti_injection() consistent with how all other fields are handled
in the same function.

Resolves: #GHSA-ph27-3m5q-mj5m

http: Escape error page text to prevent reflected XSS

Author: Milan Kyselica
Date: 2026-04-08

The text parameter in ast_http_create_response() is inserted into
the HTML body without escaping, while the server name on the same
page is properly escaped via ast_xml_escape(). When res_phoneprov
passes the decoded request URI as the text of a 404 response, HTML
metacharacters in the URI are rendered by the browser.

Apply ast_xml_escape() to the text parameter before inserting it
into the HTML template, using the same function already used for
the server name.

Resolves: #GHSA-4pgv-j3mr-3rcp

codec_codec2: Only process complete Codec2 frames in decoder

Author: Milan Kyselica
Date: 2026-04-08

The codec2_samples() function uses floor division (160 * datalen/6)
to compute expected output samples, but the decode loop condition
(x < datalen) iterates with ceiling behavior when datalen is not a
multiple of CODEC2_FRAME_LEN. This mismatch causes the loop to
decode one extra frame beyond what the framework bounds check
budgeted for, leading to an out-of-bounds write on the output buffer.

Change the loop condition to only process complete frames, matching
the floor-division behavior of codec2_samples(). This also prevents
an out-of-bounds read on the input side when fewer than
CODEC2_FRAME_LEN bytes remain.

Resolves: #GHSA-qf8j-jp7h-c5hx

format_ogg_speex: Add bounds check to prevent heap buffer overflow

Author: Milan Kyselica
Date: 2026-03-23

The ogg_speex_read() function copies OGG packet data via memcpy()
without validating the packet size against the destination buffer
(BUF_SIZE = 200 bytes). A crafted .spx file with an oversized OGG
audio packet causes a heap buffer overflow that corrupts the
adjacent speex_desc structure containing libogg heap pointers,
leading to a crash (SIGSEGV) on playback.

Add a bounds check for both negative and oversized values before
the memcpy, consistent with how format_ogg_vorbis bounds its reads
via ov_read().

Resolves: #GHSA-8jhw-m2hg-vp3h
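The floor-versus-ceiling mismatch described in the codec_codec2 commit above, reproduced as an added example in C. The decode loop is simulated rather than calling libcodec2, the 160 samples per 6-byte frame come from the commit message, and a buffer check is added so the overrun appears as a return value of -1 instead of memory corruption. None of this is Asterisk's code.

```c
#include <stdio.h>
#include <stddef.h>

#define CODEC2_FRAME_LEN 6            /* input bytes per Codec2 frame, per the commit */
#define CODEC2_SAMPLES_PER_FRAME 160  /* output samples per frame, per the commit */

/* Output budget the framework computes before decoding: floor division. */
int codec2_samples(int datalen)
{
	return CODEC2_SAMPLES_PER_FRAME * datalen / CODEC2_FRAME_LEN;
}

/*
 * Simulated decode loop. Each iteration stands in for one frame decode that
 * emits CODEC2_SAMPLES_PER_FRAME samples. The write is checked against
 * out_samples so an overrun returns -1. complete_only selects the fixed
 * loop condition (x + CODEC2_FRAME_LEN <= datalen) instead of (x < datalen).
 */
int decode_sim(int datalen, int out_samples, int complete_only)
{
	int written = 0;

	for (int x = 0;
	     complete_only ? (x + CODEC2_FRAME_LEN <= datalen) : (x < datalen);
	     x += CODEC2_FRAME_LEN) {
		if (written + CODEC2_SAMPLES_PER_FRAME > out_samples) {
			return -1;  /* would write past the buffer the framework sized */
		}
		written += CODEC2_SAMPLES_PER_FRAME;
	}
	return written;
}

/* Old condition (x < datalen) against the floor-division budget. */
int decode_old(int datalen)
{
	return decode_sim(datalen, codec2_samples(datalen), 0);
}

/* Fixed condition (only complete frames) against the same budget. */
int decode_new(int datalen)
{
	return decode_sim(datalen, codec2_samples(datalen), 1);
}

int main(void)
{
	/* Constructed payload sizes; 5, 7 and 11 are not multiples of the frame length. */
	int lens[] = { 5, 6, 7, 11, 12 };

	for (size_t i = 0; i < sizeof(lens) / sizeof(lens[0]); i++) {
		printf("datalen=%2d budget=%3d old=%4d new=%4d\n", lens[i],
		       codec2_samples(lens[i]), decode_old(lens[i]), decode_new(lens[i]));
	}
	return 0;
}
```

For datalen 7 the budget is 186 samples, the old loop attempts two frames (320 samples) and is caught, the fixed loop decodes one frame (160 samples) and the trailing partial byte is ignored.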


Asterisk Release 21.12.3

25 June 2026 at 19:15

The Asterisk Development Team would like to announce security release
Asterisk 21.12.3.

The release artifacts are available for immediate download at
https://github.com/asterisk/asterisk/releases/tag/21.12.3
and
https://downloads.asterisk.org/pub/telephony/asterisk

Repository: https://github.com/asterisk/asterisk
Tag: 21.12.3

Change Log for Release asterisk-21.12.3

Links:

Summary:

  • Commits: 21
  • Commit Authors: 7
  • Issues Resolved: 0
  • Security Advisories Resolved: 20

User Notes:

  • acl: Add ACL support to http and ari

    A new section, type=restriction has been added to http.conf
    to allow an uri prefix based acl to be configured. See
    http.conf.sample for examples and more information.
    The user section of ari.conf can now contain an acl configuration
    to restrict users access. See ari.conf.sample for examples and more
    information

Upgrade Notes:

Developer Notes:

  • ARI: Make ARI applications respect live_dangerously.

    ARI applications can no longer call "dangerous" dialplan
    functions like DB(), FILE(), SHELL(), CURL(), STAT(), etc. without
    enabling "live_dangerously" in asterisk.conf.
    Resolves: #GHSA-vrfp-mg3q-3959

Commit Authors:

  • George Joseph: (6)
  • Joshua C. Colp: (1)
  • Mike Bradeen: (4)
  • Milan Kyselica: (7)
  • Pengpeng Hou: (1)
  • Roberto Paleari: (1)
  • ThatTotallyRealMyth: (1)

Issue and Commit Detail:

Closed Issues:

Commits By Author:

  • George Joseph (6):

    • chan_unistim.c: Prevent overrun of phone_number field.
    • res_ari: Ensure read-only users are properly authorized via REST Over WebSocket.
    • pjsip_message_filter: Use pj_strdup instead of pj_strassign to save local address.
    • ooh323c/ooq931.c: Ensure ooQ931Decode doesn't run out-of-bounds.
    • ARI: Make ARI applications respect live_dangerously.
    • res_rtp_asterisk.c: Address 2 potential T.140 RED buffer overruns.
  • Joshua C. Colp (1):

    • build: Fix GCC discarded-qualifiers const errors.
  • Mike Bradeen (4):

    • ooh323c: not checking for IE minimum length
    • manager: Use remote address in user error logging
    • ooh323: Prevent potential buffer overflow in trace logging
    • acl: Add ACL support to http and ari
  • Milan Kyselica (7):

    • res_xmpp: Fix stack buffer overflow in namespace prefix handling
    • res_pjsip_pubsub: Add width limit to sscanf in MWI NOTIFY parser
    • res_config_ldap: Escape LDAP filter values per RFC 4515
    • cel_pgsql, cel_tds: Escape eventtype field to prevent SQL injection
    • http: Escape error page text to prevent reflected XSS
    • codec_codec2: Only process complete Codec2 frames in decoder
    • format_ogg_speex: Add bounds check to prevent heap buffer overflow
  • Pengpeng Hou (1):

    • app_sms: Bound protocol 1 SMS unpacking to fixed-size buffers
  • Roberto Paleari (1):

    • res/res_pjsip_pubsub.c: Fix buffer over-read in MWI body parser
  • ThatTotallyRealMyth (1):

    • ast_loggrabber: Install the ast_tsconvert.py script to a secure temp directory.

Commit List:

  • ast_loggrabber: Install the ast_tsconvert.py script to a secure temp directory.
  • chan_unistim.c: Prevent overrun of phone_number field.
  • ooh323c: not checking for IE minimum length
  • res_ari: Ensure read-only users are properly authorized via REST Over WebSocket.
  • pjsip_message_filter: Use pj_strdup instead of pj_strassign to save local address.
  • ooh323c/ooq931.c: Ensure ooQ931Decode doesn't run out-of-bounds.
  • ARI: Make ARI applications respect live_dangerously.
  • res_rtp_asterisk.c: Address 2 potential T.140 RED buffer overruns.
  • res/res_pjsip_pubsub.c: Fix buffer over-read in MWI body parser
  • manager: Use remote address in user error logging
  • ooh323: Prevent potential buffer overflow in trace logging
  • app_sms: Bound protocol 1 SMS unpacking to fixed-size buffers
  • res_xmpp: Fix stack buffer overflow in namespace prefix handling
  • res_pjsip_pubsub: Add width limit to sscanf in MWI NOTIFY parser
  • res_config_ldap: Escape LDAP filter values per RFC 4515
  • cel_pgsql, cel_tds: Escape eventtype field to prevent SQL injection
  • http: Escape error page text to prevent reflected XSS
  • codec_codec2: Only process complete Codec2 frames in decoder
  • format_ogg_speex: Add bounds check to prevent heap buffer overflow
  • acl: Add ACL support to http and ari
  • build: Fix GCC discarded-qualifiers const errors.

Commit Details:

ast_loggrabber: Install the ast_tsconvert.py script to a secure temp directory.

Author: ThatTotallyRealMyth
Date: 2026-03-19

The ast_tsconvert.py script called by ast_loggrabber is now installed in a
temporary directory that isn't world readable or writable.

Resolves: #GHSA-xgj6-2gc5-5x9c

chan_unistim.c: Prevent overrun of phone_number field.

Author: George Joseph
Date: 2026-06-15

Add a check to key_dial_page() to ensure that dialed digits won't overrun
the phone_number field.

Resolves: #GHSA-3g56-cgrh-95p5

ooh323c: not checking for IE minimum length

Author: Mike Bradeen
Date: 2022-06-06

When decoding q.931 encoded calling/called number
now checking for length being less than minimum required.

Resolves: #GHSA-h5hv-jmgj-92q2

res_ari: Ensure read-only users are properly authorized via REST Over WebSocket.

Author: George Joseph
Date: 2026-06-12

The REST over WebSocket path now properly prevents non-GET methods from
being executed on inbound WebSockets.

  • The query parameters from the original incoming GET request that caused the
    upgrade to WebSocket are now passed to all REST requests that come from the
    client. This ensures that if the client authenticated with a read-only
    userid using the "api_key" query_string parameter, REST requests coming
    in over the WebSocket will only be able to execute GETs on resources.
    The HTTP headers were already passed to the REST requests so if the
    client had authenticated via an "Authorization" it was properly handled.

  • New tests have been added to test_ari.c to check that read-only users
    are properly denied access to resources using non-GET methods. Several
    memory leaks were also squashed.

Resolves: #GHSA-wcvv-g26m-wx5c

pjsip_message_filter: Use pj_strdup instead of pj_strassign to save local address.

Author: George Joseph
Date: 2026-06-10

The filter_on_tx_message() function was using pj_strassign() to save the pointer
of the pjproject transport local address to a local pj_str_t variable. That
variable was ultimately used to set the Contact header's uri->host and the SDP
connection attribute's address again using pj_strassign. pj_strassign() doesn't
copy the actual value of the pj_str_t however, it just copies the pointer so
if a connection-oriented transport is disconnected before the 200 OK with the
SDP is sent, those pointers will be invalid which can cause use-after-free
issues. To prevent this, filter_on_tx_message() now uses pj_strdup with the
tdata->pool as the backing store to save the local IP address to the local
variable. pj_strassign() can then be used safely later on since the tdata
will be available for the life of the transaction.

Resolves: #GHSA-g8q2-p36q-94f6

ooh323c/ooq931.c: Ensure ooQ931Decode doesn't run out-of-bounds.

Author: George Joseph
Date: 2026-06-02

Several bounds checks have been added to ooQ931Decode to prevent it from
running past the end of the data buffer when parsing information elements.

Resolves: #GHSA-746q-794h-cc7f

ARI: Make ARI applications respect live_dangerously.

Author: George Joseph
Date: 2026-05-21

DeveloperNote: ARI applications can no longer call "dangerous" dialplan
functions like DB(), FILE(), SHELL(), CURL(), STAT(), etc. without
enabling "live_dangerously" in asterisk.conf.

Resolves: #GHSA-vrfp-mg3q-3959

res_rtp_asterisk.c: Address 2 potential T.140 RED buffer overruns.

Author: George Joseph
Date: 2026-04-27

  • Add check to red_t140_to_red() to ensure that the new primary payload
    can't cause the rtp_red->len array items to wrap or cause an overrun of
    the rtp_red->t140red_data buffer.

  • Add check to rtp_red_buffer() to ensure that a T.140 frame to be sent
    can't cause rtp_red->len array items to wrap or cause an overrun of
    the rtp_red->buf_data buffer.

Resolves: #GHSA-vfhr-r9x9-c687
Resolves: #GHSA-j2mm-57pq-jh94

res/res_pjsip_pubsub.c: Fix buffer over-read in MWI body parser

Author: Roberto Paleari
Date: 2026-04-29

Add constraint checks to prevent unauthenticated users from crashing Asterisk
instance by sending a crafted inbound SIP NOTIFY request with "Content-Type:
application/simple-message-summary".

Resolves: #GHSA-8jw3-ccr9-xrmf

manager: Use remote address in user error logging

Author: Mike Bradeen
Date: 2026-03-30

To avoid a potential null dereference use the remote address
in error logging when there is no user or the user acl fails.

Resolves: #GHSA-3rhj-hhw7-m6fw

ooh323: Prevent potential buffer overflow in trace logging

Author: Mike Bradeen
Date: 2026-03-31

Replace a call to vsprintf with a call to ast_vasprintf to
prevent a possible buffer overflow.

Resolves: #GHSA-x348-j6c9-77f3

app_sms: Bound protocol 1 SMS unpacking to fixed-size buffers

Author: Pengpeng Hou
Date: 2026-04-01

The protocol 1 unpack helpers trusted externally controlled lengths and wrote
them directly into fixed-size buffers in sms_t. Clamp the address, header,
and body copies to the destination array sizes so malformed messages cannot
overwrite adjacent state.

Resolves: #GHSA-q9fr-m7g8-6ph5

res_xmpp: Fix stack buffer overflow in namespace prefix handling

Author: Milan Kyselica
Date: 2026-03-26

The snprintf size parameter in xmpp_action_hook() is computed from
the attacker-controlled namespace prefix length and is not bounded
by the 256-byte stack buffer size. When a remote XMPP peer sends a
stanza with a child element whose namespace prefix exceeds 249
characters, snprintf writes past the buffer boundary.

Use sizeof(attr) as the snprintf size limit and %.*s precision to
extract only the prefix portion of the element name, preserving
the original truncation behavior for valid inputs.

Resolves: #GHSA-mxgm-8c6f-5p8f

res_pjsip_pubsub: Add width limit to sscanf in MWI NOTIFY parser

Author: Milan Kyselica
Date: 2026-03-24

The parse_simple_message_summary() function uses sscanf with an
unbounded %s format specifier to parse the Message-Account field
from incoming SIP NOTIFY bodies into a fixed-size 512-byte stack
buffer (PJSIP_MAX_URL_SIZE). A single unauthenticated SIP NOTIFY
with a Message-Account value exceeding 512 bytes overflows the
buffer, corrupting adjacent stack data and permanently disabling
the PJSIP transport layer without crashing the process.

Add a width specifier (%511s) to limit the sscanf write to
PJSIP_MAX_URL_SIZE - 1 bytes plus the NUL terminator, matching
the destination buffer size.

Resolves: #GHSA-589g-qgf8-m6mx

res_config_ldap: Escape LDAP filter values per RFC 4515

Author: Milan Kyselica
Date: 2026-03-23

The LDAP realtime driver constructs search filters by directly
concatenating user-supplied values without RFC 4515 escaping.
When LDAP is used as a realtime backend for endpoint
identification, characters with special meaning in LDAP filters
(*, (, ), ) can be injected via the SIP From header username.

Add ldap_filter_escape_value() that escapes RFC 4515 special
characters to their \HH hex representation, and apply it to
non-LIKE query values. The LIKE query path preserves the existing
wildcard conversion behavior with a note for maintainers.

Resolves: #GHSA-r6c2-hwc2-j4mp

cel_pgsql, cel_tds: Escape eventtype field to prevent SQL injection

Author: Milan Kyselica
Date: 2026-03-23

The eventtype column handler in cel_pgsql.c inserts
record.user_defined_name directly into the SQL query without
calling PQescapeStringConn(), while all other string fields in
the same function are properly escaped. Similarly, cel_tds.c
passes the raw user_defined_name into the SQL INSERT without
routing it through anti_injection(), while all other fields are
processed through that function.

For cel_pgsql.c, escape the eventtype value using
PQescapeStringConn(), matching the existing pattern used for all
other string fields at lines 308-331 of the same function.

For cel_tds.c, route the eventtype value through
anti_injection() consistent with how all other fields are handled
in the same function.

Resolves: #GHSA-ph27-3m5q-mj5m

http: Escape error page text to prevent reflected XSS

Author: Milan Kyselica
Date: 2026-04-08

The text parameter in ast_http_create_response() is inserted into
the HTML body without escaping, while the server name on the same
page is properly escaped via ast_xml_escape(). When res_phoneprov
passes the decoded request URI as the text of a 404 response, HTML
metacharacters in the URI are rendered by the browser.

Apply ast_xml_escape() to the text parameter before inserting it
into the HTML template, using the same function already used for
the server name.

Resolves: #GHSA-4pgv-j3mr-3rcp

codec_codec2: Only process complete Codec2 frames in decoder

Author: Milan Kyselica
Date: 2026-04-08

The codec2_samples() function uses floor division (160 * datalen/6)
to compute expected output samples, but the decode loop condition
(x < datalen) iterates with ceiling behavior when datalen is not a
multiple of CODEC2_FRAME_LEN. This mismatch causes the loop to
decode one extra frame beyond what the framework bounds check
budgeted for, leading to an out-of-bounds write on the output buffer.

Change the loop condition to only process complete frames, matching
the floor-division behavior of codec2_samples(). This also prevents
an out-of-bounds read on the input side when fewer than
CODEC2_FRAME_LEN bytes remain.

Resolves: #GHSA-qf8j-jp7h-c5hx

format_ogg_speex: Add bounds check to prevent heap buffer overflow

Author: Milan Kyselica
Date: 2026-03-23

The ogg_speex_read() function copies OGG packet data via memcpy()
without validating the packet size against the destination buffer
(BUF_SIZE = 200 bytes). A crafted .spx file with an oversized OGG
audio packet causes a heap buffer overflow that corrupts the
adjacent speex_desc structure containing libogg heap pointers,
leading to a crash (SIGSEGV) on playback.

Add a bounds check for both negative and oversized values before
the memcpy, consistent with how format_ogg_vorbis bounds its reads
via ov_read().

Resolves: #GHSA-8jhw-m2hg-vp3h

acl: Add ACL support to http and ari

Author: Mike Bradeen
Date: 2026-02-27

Add URI-prefix-based ACL support to the built-in http server.
This allows an ACL to be added per URI prefix (i.e. '/metrics'
or '/ws') to restrict access.

Add user-based ACL support for ARI. This adds new ACL options
to the user section of ari.conf to restrict access on a per-user
basis.

Resolves: #1799

UserNote: A new section, type=restriction, has been added to http.conf
to allow a URI-prefix-based ACL to be configured. See
http.conf.sample for examples and more information.
The user section of ari.conf can now contain an ACL configuration
to restrict users' access. See ari.conf.sample for examples and more
information.

build: Fix GCC discarded-qualifiers const errors.

Author: Joshua C. Colp
Date: 2026-02-12

GCC 15.2.1 pays attention to the discarding of the const
qualifier when strchr, strrchr, memchr, or memrchr are now
used. This change fixes numerous errors with this throughout
the tree. The fixes can be broken down into the following:

  1. The return value should be considered const.
  2. The value passed to strchr or strrchr can be cast as it is
    expected and allowed to be modified.
  3. The pointer passed to strchr or strrchr is not meant to be
    modified and so the contents must be duplicated.
  4. It was declared const and never should have been.

Asterisk Release 20.20.1

25 June 2026 at 19:14

The Asterisk Development Team would like to announce security release
Asterisk 20.20.1.

The release artifacts are available for immediate download at
https://github.com/asterisk/asterisk/releases/tag/20.20.1
and
https://downloads.asterisk.org/pub/telephony/asterisk

Repository: https://github.com/asterisk/asterisk
Tag: 20.20.1

Change Log for Release asterisk-20.20.1

Links:

Summary:

  • Commits: 18
  • Commit Authors: 6
  • Issues Resolved: 0
  • Security Advisories Resolved: 19
    • GHSA-3g56-cgrh-95p5: chan_unistim DIALPAGE digit handling can overflow phone_number and crash Asterisk
    • GHSA-3rhj-hhw7-m6fw: NULL Pointer Dereference in HTTP AMI Digest Authentication
    • GHSA-4pgv-j3mr-3rcp: Reflected XSS in Phone Provisioning HTTP Error Pages
    • GHSA-589g-qgf8-m6mx: Stack buffer overflow in MWI NOTIFY Message-Account parsing
    • GHSA-746q-794h-cc7f: Out-of-Bounds Read in Q.931 Information Element Parser (H.323 Addon)
    • GHSA-8jhw-m2hg-vp3h: Heap Buffer Overflow in OGG/Speex File Playback (format_ogg_speex)
    • GHSA-8jw3-ccr9-xrmf: Buffer over-read in Asterisk PJSIP MWI body parser
    • GHSA-g8q2-p36q-94f6: Heap-use-after-free in Asterisk PJSIP TCP/SDP handling when TCP connection closes during SDP processing
    • GHSA-j2mm-57pq-jh94: Possible RED T.140 Generation Accumulation OOB Write
    • GHSA-mxgm-8c6f-5p8f: Stack buffer overflow in res_xmpp XMPP namespace prefix handling
    • GHSA-ph27-3m5q-mj5m: SQL Injection in cel_pgsql and cel_tds via CELGenUserEvent eventtype Field
    • GHSA-q9fr-m7g8-6ph5: Asterisk app_sms.c copies externally controlled SMS lengths into fixed in-struct buffers
    • GHSA-qf8j-jp7h-c5hx: Out-of-Bounds Write in Codec2 Decoder Due to Floor/Ceil Sample Count Mismatch
    • GHSA-r6c2-hwc2-j4mp: LDAP Filter Injection in res_config_ldap via SIP Username (Unauthenticated Information Disclosure)
    • GHSA-vfhr-r9x9-c687: Possible RED T.140 Heap Buffer Overflow
    • GHSA-vrfp-mg3q-3959: ARI setChannelVar bypasses live_dangerously and permits FILE() writes
    • GHSA-wcvv-g26m-wx5c: ARI REST-over-WebSocket read-only bypass allows arbitrary module path load and conditional RCE
    • GHSA-x348-j6c9-77f3: Stack Buffer Overflow in H.323 ooTrace() via Unbounded vsprintf into Fixed 2048-byte Buffer
    • GHSA-xgj6-2gc5-5x9c: ast_loggrabber executes python script in world writable directory(/tmp) leading to potential privilege escalation And RCE

User Notes:

Upgrade Notes:

Developer Notes:

  • ARI: Make ARI applications respect live_dangerously.

    ARI applications can no longer call "dangerous" dialplan
    functions like DB(), FILE(), SHELL(), CURL(), STAT(), etc. without
    enabling "live_dangerously" in asterisk.conf.
    Resolves: #GHSA-vrfp-mg3q-3959

Commit Authors:

  • George Joseph: (6)
  • Mike Bradeen: (2)
  • Milan Kyselica: (7)
  • Pengpeng Hou: (1)
  • Roberto Paleari: (1)
  • ThatTotallyRealMyth: (1)

Issue and Commit Detail:

Closed Issues:

  • !GHSA-3g56-cgrh-95p5: chan_unistim DIALPAGE digit handling can overflow phone_number and crash Asterisk
  • !GHSA-3rhj-hhw7-m6fw: NULL Pointer Dereference in HTTP AMI Digest Authentication
  • !GHSA-4pgv-j3mr-3rcp: Reflected XSS in Phone Provisioning HTTP Error Pages
  • !GHSA-589g-qgf8-m6mx: Stack buffer overflow in MWI NOTIFY Message-Account parsing
  • !GHSA-746q-794h-cc7f: Out-of-Bounds Read in Q.931 Information Element Parser (H.323 Addon)
  • !GHSA-8jhw-m2hg-vp3h: Heap Buffer Overflow in OGG/Speex File Playback (format_ogg_speex)
  • !GHSA-8jw3-ccr9-xrmf: Buffer over-read in Asterisk PJSIP MWI body parser
  • !GHSA-g8q2-p36q-94f6: Heap-use-after-free in Asterisk PJSIP TCP/SDP handling when TCP connection closes during SDP processing
  • !GHSA-j2mm-57pq-jh94: Possible RED T.140 Generation Accumulation OOB Write
  • !GHSA-mxgm-8c6f-5p8f: Stack buffer overflow in res_xmpp XMPP namespace prefix handling
  • !GHSA-ph27-3m5q-mj5m: SQL Injection in cel_pgsql and cel_tds via CELGenUserEvent eventtype Field
  • !GHSA-q9fr-m7g8-6ph5: Asterisk app_sms.c copies externally controlled SMS lengths into fixed in-struct buffers
  • !GHSA-qf8j-jp7h-c5hx: Out-of-Bounds Write in Codec2 Decoder Due to Floor/Ceil Sample Count Mismatch
  • !GHSA-r6c2-hwc2-j4mp: LDAP Filter Injection in res_config_ldap via SIP Username (Unauthenticated Information Disclosure)
  • !GHSA-vfhr-r9x9-c687: Possible RED T.140 Heap Buffer Overflow
  • !GHSA-vrfp-mg3q-3959: ARI setChannelVar bypasses live_dangerously and permits FILE() writes
  • !GHSA-wcvv-g26m-wx5c: ARI REST-over-WebSocket read-only bypass allows arbitrary module path load and conditional RCE
  • !GHSA-x348-j6c9-77f3: Stack Buffer Overflow in H.323 ooTrace() via Unbounded vsprintf into Fixed 2048-byte Buffer
  • !GHSA-xgj6-2gc5-5x9c: ast_loggrabber executes python script in world writable directory(/tmp) leading to potential privilege escalation And RCE

Commits By Author:

  • George Joseph (6):

    • chan_unistim.c: Prevent overrun of phone_number field.
    • res_ari: Ensure read-only users are properly authorized via REST Over WebSocket.
    • pjsip_message_filter: Use pj_strdup instead of pj_strassign to save local address.
    • ooh323c/ooq931.c: Ensure ooQ931Decode doesn't run out-of-bounds.
    • ARI: Make ARI applications respect live_dangerously.
    • res_rtp_asterisk.c: Address 2 potential T.140 RED buffer overruns.
  • Mike Bradeen (2):

    • manager: Use remote address in user error logging
    • ooh323: Prevent potential buffer overflow in trace logging
  • Milan Kyselica (7):

    • res_xmpp: Fix stack buffer overflow in namespace prefix handling
    • res_pjsip_pubsub: Add width limit to sscanf in MWI NOTIFY parser
    • res_config_ldap: Escape LDAP filter values per RFC 4515
    • cel_pgsql, cel_tds: Escape eventtype field to prevent SQL injection
    • http: Escape error page text to prevent reflected XSS
    • codec_codec2: Only process complete Codec2 frames in decoder
    • format_ogg_speex: Add bounds check to prevent heap buffer overflow
  • Pengpeng Hou (1):

    • app_sms: Bound protocol 1 SMS unpacking to fixed-size buffers
  • Roberto Paleari (1):

    • res/res_pjsip_pubsub.c: Fix buffer over-read in MWI body parser
  • ThatTotallyRealMyth (1):

    • ast_loggrabber: Install the ast_tsconvert.py script to a secure temp directory.

Commit List:

  • ast_loggrabber: Install the ast_tsconvert.py script to a secure temp directory.
  • chan_unistim.c: Prevent overrun of phone_number field.
  • res_ari: Ensure read-only users are properly authorized via REST Over WebSocket.
  • pjsip_message_filter: Use pj_strdup instead of pj_strassign to save local address.
  • ooh323c/ooq931.c: Ensure ooQ931Decode doesn't run out-of-bounds.
  • ARI: Make ARI applications respect live_dangerously.
  • res_rtp_asterisk.c: Address 2 potential T.140 RED buffer overruns.
  • res/res_pjsip_pubsub.c: Fix buffer over-read in MWI body parser
  • manager: Use remote address in user error logging
  • ooh323: Prevent potential buffer overflow in trace logging
  • app_sms: Bound protocol 1 SMS unpacking to fixed-size buffers
  • res_xmpp: Fix stack buffer overflow in namespace prefix handling
  • res_pjsip_pubsub: Add width limit to sscanf in MWI NOTIFY parser
  • res_config_ldap: Escape LDAP filter values per RFC 4515
  • cel_pgsql, cel_tds: Escape eventtype field to prevent SQL injection
  • http: Escape error page text to prevent reflected XSS
  • codec_codec2: Only process complete Codec2 frames in decoder
  • format_ogg_speex: Add bounds check to prevent heap buffer overflow

Commit Details:

ast_loggrabber: Install the ast_tsconvert.py script to a secure temp directory.

Author: ThatTotallyRealMyth
Date: 2026-03-19

The ast_tsconvert.py script called by ast_loggrabber is now installed in a
temporary directory that isn't world readable or writable.

Resolves: #GHSA-xgj6-2gc5-5x9c

chan_unistim.c: Prevent overrun of phone_number field.

Author: George Joseph
Date: 2026-06-15

Add a check to key_dial_page() to ensure that dialed digits won't overrun
the phone_number field.

Resolves: #GHSA-3g56-cgrh-95p5

res_ari: Ensure read-only users are properly authorized via REST Over WebSocket.

Author: George Joseph
Date: 2026-06-12

The REST over WebSocket path now properly prevents non-GET methods from
being executed on inbound WebSockets.

  • The query parameters from the original incoming GET request that caused the
    upgrade to WebSocket are now passed to all REST requests that come from the
    client. This ensures that if the client authenticated with a read-only
    userid using the "api_key" query_string parameter, REST requests coming
    in over the WebSocket will only be able to execute GETs on resources.
    The HTTP headers were already passed to the REST requests so if the
    client had authenticated via an "Authorization" it was properly handled.

  • New tests have been added to test_ari.c to check that read-only users
    are properly denied access to resources using non-GET methods. Several
    memory leaks were also squashed.

Resolves: #GHSA-wcvv-g26m-wx5c

pjsip_message_filter: Use pj_strdup instead of pj_strassign to save local address.

Author: George Joseph
Date: 2026-06-10

The filter_on_tx_message() function was using pj_strassign() to save the pointer
of the pjproject transport local address to a local pj_str_t variable. That
variable was ultimately used to set the Contact header's uri->host and the SDP
connection attribute's address, again using pj_strassign. pj_strassign() doesn't
copy the actual value of the pj_str_t, however; it just copies the pointer, so
if a connection-oriented transport is disconnected before the 200 OK with the
SDP is sent, those pointers will be invalid, which can cause use-after-free
issues. To prevent this, filter_on_tx_message() now uses pj_strdup with the
tdata->pool as the backing store to save the local IP address to the local
variable. pj_strassign() can then be used safely later on, since the tdata
will be available for the life of the transaction.

Resolves: #GHSA-g8q2-p36q-94f6

ooh323c/ooq931.c: Ensure ooQ931Decode doesn't run out-of-bounds.

Author: George Joseph
Date: 2026-06-02

Several bounds checks have been added to ooQ931Decode to prevent it from
running past the end of the data buffer when parsing information elements.

Resolves: #GHSA-746q-794h-cc7f

ARI: Make ARI applications respect live_dangerously.

Author: George Joseph
Date: 2026-05-21

DeveloperNote: ARI applications can no longer call "dangerous" dialplan
functions like DB(), FILE(), SHELL(), CURL(), STAT(), etc. without
enabling "live_dangerously" in asterisk.conf.

Resolves: #GHSA-vrfp-mg3q-3959

res_rtp_asterisk.c: Address 2 potential T.140 RED buffer overruns.

Author: George Joseph
Date: 2026-04-27

  • Add check to red_t140_to_red() to ensure that the new primary payload
    can't cause the rtp_red->len array items to wrap or cause an overrun of
    the rtp_red->t140red_data buffer.

  • Add check to rtp_red_buffer() to ensure that a T.140 frame to be sent
    can't cause rtp_red->len array items to wrap or cause an overrun of
    the rtp_red->buf_data buffer.

Resolves: #GHSA-vfhr-r9x9-c687
Resolves: #GHSA-j2mm-57pq-jh94

res/res_pjsip_pubsub.c: Fix buffer over-read in MWI body parser

Author: Roberto Paleari
Date: 2026-04-29

Add constraint checks to prevent unauthenticated users from crashing an Asterisk
instance by sending a crafted inbound SIP NOTIFY request with "Content-Type:
application/simple-message-summary".

Resolves: #GHSA-8jw3-ccr9-xrmf

manager: Use remote address in user error logging

Author: Mike Bradeen
Date: 2026-03-30

To avoid a potential null dereference, use the remote address
in error logging when there is no user or the user ACL fails.

Resolves: #GHSA-3rhj-hhw7-m6fw

ooh323: Prevent potential buffer overflow in trace logging

Author: Mike Bradeen
Date: 2026-03-31

Replace a call to vsprintf with a call to ast_vasprintf to
prevent a possible buffer overflow.

Resolves: #GHSA-x348-j6c9-77f3

app_sms: Bound protocol 1 SMS unpacking to fixed-size buffers

Author: Pengpeng Hou
Date: 2026-04-01

The protocol 1 unpack helpers trusted externally controlled lengths and wrote
them directly into fixed-size buffers in sms_t. Clamp the address, header,
and body copies to the destination array sizes so malformed messages cannot
overwrite adjacent state.

Resolves: #GHSA-q9fr-m7g8-6ph5

res_xmpp: Fix stack buffer overflow in namespace prefix handling

Author: Milan Kyselica
Date: 2026-03-26

The snprintf size parameter in xmpp_action_hook() is computed from
the attacker-controlled namespace prefix length and is not bounded
by the 256-byte stack buffer size. When a remote XMPP peer sends a
stanza with a child element whose namespace prefix exceeds 249
characters, snprintf writes past the buffer boundary.

Use sizeof(attr) as the snprintf size limit and %.*s precision to
extract only the prefix portion of the element name, preserving
the original truncation behavior for valid inputs.

Resolves: #GHSA-mxgm-8c6f-5p8f

res_pjsip_pubsub: Add width limit to sscanf in MWI NOTIFY parser

Author: Milan Kyselica
Date: 2026-03-24

The parse_simple_message_summary() function uses sscanf with an
unbounded %s format specifier to parse the Message-Account field
from incoming SIP NOTIFY bodies into a fixed-size 512-byte stack
buffer (PJSIP_MAX_URL_SIZE). A single unauthenticated SIP NOTIFY
with a Message-Account value exceeding 512 bytes overflows the
buffer, corrupting adjacent stack data and permanently disabling
the PJSIP transport layer without crashing the process.

Add a width specifier (%511s) to limit the sscanf write to
PJSIP_MAX_URL_SIZE - 1 bytes plus the NUL terminator, matching
the destination buffer size.

Resolves: #GHSA-589g-qgf8-m6mx

res_config_ldap: Escape LDAP filter values per RFC 4515

Author: Milan Kyselica
Date: 2026-03-23

The LDAP realtime driver constructs search filters by directly
concatenating user-supplied values without RFC 4515 escaping.
When LDAP is used as a realtime backend for endpoint
identification, characters with special meaning in LDAP filters
(*, (, ), ) can be injected via the SIP From header username.

Add ldap_filter_escape_value() that escapes RFC 4515 special
characters to their \HH hex representation, and apply it to
non-LIKE query values. The LIKE query path preserves the existing
wildcard conversion behavior with a note for maintainers.

Resolves: #GHSA-r6c2-hwc2-j4mp

cel_pgsql, cel_tds: Escape eventtype field to prevent SQL injection

Author: Milan Kyselica
Date: 2026-03-23

The eventtype column handler in cel_pgsql.c inserts
record.user_defined_name directly into the SQL query without
calling PQescapeStringConn(), while all other string fields in
the same function are properly escaped. Similarly, cel_tds.c
passes the raw user_defined_name into the SQL INSERT without
routing it through anti_injection(), while all other fields are
processed through that function.

For cel_pgsql.c, escape the eventtype value using
PQescapeStringConn(), matching the existing pattern used for all
other string fields at lines 308-331 of the same function.

For cel_tds.c, route the eventtype value through
anti_injection() consistent with how all other fields are handled
in the same function.

Resolves: #GHSA-ph27-3m5q-mj5m

http: Escape error page text to prevent reflected XSS

Author: Milan Kyselica
Date: 2026-04-08

The text parameter in ast_http_create_response() is inserted into
the HTML body without escaping, while the server name on the same
page is properly escaped via ast_xml_escape(). When res_phoneprov
passes the decoded request URI as the text of a 404 response, HTML
metacharacters in the URI are rendered by the browser.

Apply ast_xml_escape() to the text parameter before inserting it
into the HTML template, using the same function already used for
the server name.

Resolves: #GHSA-4pgv-j3mr-3rcp

codec_codec2: Only process complete Codec2 frames in decoder

Author: Milan Kyselica
Date: 2026-04-08

The codec2_samples() function uses floor division (160 * datalen/6)
to compute expected output samples, but the decode loop condition
(x < datalen) iterates with ceiling behavior when datalen is not a
multiple of CODEC2_FRAME_LEN. This mismatch causes the loop to
decode one extra frame beyond what the framework bounds check
budgeted for, leading to an out-of-bounds write on the output buffer.

Change the loop condition to only process complete frames, matching
the floor-division behavior of codec2_samples(). This also prevents
an out-of-bounds read on the input side when fewer than
CODEC2_FRAME_LEN bytes remain.

Resolves: #GHSA-qf8j-jp7h-c5hx
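The floor/ceiling mismatch described in the codec_codec2 commit above, shown as an added example that is not the Asterisk decoder code. CODEC2_FRAME_LEN (6 input bytes) and SAMPLES_PER_FRAME (160 output samples) are the numbers given in the commit; the "decoder" is a stand-in that fills one frame of silence, and the output-budget check stands in for the framework bounds check the commit refers to.

```c
#include <stddef.h>
#include <stdio.h>

/* Added example, not Asterisk's codec_codec2.c. Frame geometry from the commit:
 * one 6-byte Codec2 frame decodes to 160 samples. */
#define CODEC2_FRAME_LEN  6
#define SAMPLES_PER_FRAME 160

/* Output budget computed with floor division, as codec2_samples() does:
 * a partial trailing frame contributes only a fraction of a frame's samples. */
int codec2_samples_budget(int datalen)
{
    return SAMPLES_PER_FRAME * datalen / CODEC2_FRAME_LEN;
}

/* Stand-in for codec2_decode(): writes one frame of silence and does not
 * touch the input, so the input-side over-read is not reproduced here. */
static void fake_decode_frame(const unsigned char *in, short *out)
{
    int i;
    (void)in;
    for (i = 0; i < SAMPLES_PER_FRAME; i++) {
        out[i] = 0;
    }
}

/* Decodes datalen input bytes into out, which has room for out_samples samples.
 * complete_only selects the fixed loop condition (x + CODEC2_FRAME_LEN <= datalen)
 * instead of the old one (x < datalen). Returns the number of samples written,
 * or -1 if a frame would be written past out_samples, which is where the
 * out-of-bounds write from the commit would happen; nothing is written then. */
int decode_frames(const unsigned char *in, int datalen, short *out, int out_samples, int complete_only)
{
    int x, written = 0;

    for (x = 0; complete_only ? (x + CODEC2_FRAME_LEN <= datalen) : (x < datalen); x += CODEC2_FRAME_LEN) {
        if (written + SAMPLES_PER_FRAME > out_samples) {
            return -1; /* old loop: the partial trailing frame lands here */
        }
        fake_decode_frame(in + x, out + written);
        written += SAMPLES_PER_FRAME;
    }
    return written;
}

int main(void)
{
    unsigned char in[12] = { 0 }; /* constructed input, 8 of 12 bytes "received" */
    short out[320];
    int budget = codec2_samples_budget(8);

    printf("budget for 8 bytes: %d samples\n", budget);
    printf("old loop: %d\n", decode_frames(in, 8, out, budget, 0)); /* -1: over budget */
    printf("new loop: %d\n", decode_frames(in, 8, out, budget, 1)); /* 160: one complete frame */
    return 0;
}
```

With 8 input bytes the budget is 213 samples, the old loop tries to decode a second frame (320 samples) into it, and the fixed loop stops after the one complete frame. When datalen is a multiple of six, both loop forms produce the same result.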

format_ogg_speex: Add bounds check to prevent heap buffer overflow

Author: Milan Kyselica
Date: 2026-03-23

The ogg_speex_read() function copies OGG packet data via memcpy()
without validating the packet size against the destination buffer
(BUF_SIZE = 200 bytes). A crafted .spx file with an oversized OGG
audio packet causes a heap buffer overflow that corrupts the
adjacent speex_desc structure containing libogg heap pointers,
leading to a crash (SIGSEGV) on playback.

Add a bounds check for both negative and oversized values before
the memcpy, consistent with how format_ogg_vorbis bounds its reads
via ov_read().

Resolves: #GHSA-8jhw-m2hg-vp3h

Asterisk Release certified-22.8-cert3

25 June 2026 at 19:09

The Asterisk Development Team would like to announce security release
Certified Asterisk 22.8-cert3.

The release artifacts are available for immediate download at
https://github.com/asterisk/asterisk/releases/tag/certified-22.8-cert3
and
https://downloads.asterisk.org/pub/telephony/certified-asterisk

Repository: https://github.com/asterisk/asterisk
Tag: certified-22.8-cert3

Change Log for Release asterisk-certified-22.8-cert3

Links:

Summary:

  • Commits: 21
  • Commit Authors: 7
  • Issues Resolved: 0
  • Security Advisories Resolved: 20

User Notes:

  • acl: Add ACL support to http and ari

    A new section, type=restriction, has been added to http.conf
    to allow a URI-prefix-based ACL to be configured. See
    http.conf.sample for examples and more information.
    The user section of ari.conf can now contain an ACL configuration
    to restrict users' access. See ari.conf.sample for examples and more
    information.

Upgrade Notes:

Developer Notes:

  • ARI: Make ARI applications respect live_dangerously.

    ARI applications can no longer call "dangerous" dialplan
    functions like DB(), FILE(), SHELL(), CURL(), STAT(), etc. without
    enabling "live_dangerously" in asterisk.conf.
    Resolves: #GHSA-vrfp-mg3q-3959

Commit Authors:

  • George Joseph: (6)
  • Joshua C. Colp: (1)
  • Mike Bradeen: (4)
  • Milan Kyselica: (7)
  • Pengpeng Hou: (1)
  • Roberto Paleari: (1)
  • ThatTotallyRealMyth: (1)

Issue and Commit Detail:

Closed Issues:

Commits By Author:

  • George Joseph (6):

    • chan_unistim.c: Prevent overrun of phone_number field.
    • res_ari: Ensure read-only users are properly authorized via REST Over WebSocket.
    • pjsip_message_filter: Use pj_strdup instead of pj_strassign to save local address.
    • ooh323c/ooq931.c: Ensure ooQ931Decode doesn't run out-of-bounds.
    • ARI: Make ARI applications respect live_dangerously.
    • res_rtp_asterisk.c: Address 2 potential T.140 RED buffer overruns.
  • Joshua C. Colp (1):

    • build: Fix GCC discarded-qualifiers const errors.
  • Mike Bradeen (4):

    • ooh323c: not checking for IE minimum length
    • manager: Use remote address in user error logging
    • ooh323: Prevent potential buffer overflow in trace logging
    • acl: Add ACL support to http and ari
  • Milan Kyselica (7):

    • res_xmpp: Fix stack buffer overflow in namespace prefix handling
    • res_pjsip_pubsub: Add width limit to sscanf in MWI NOTIFY parser
    • res_config_ldap: Escape LDAP filter values per RFC 4515
    • cel_pgsql, cel_tds: Escape eventtype field to prevent SQL injection
    • http: Escape error page text to prevent reflected XSS
    • codec_codec2: Only process complete Codec2 frames in decoder
    • format_ogg_speex: Add bounds check to prevent heap buffer overflow
  • Pengpeng Hou (1):

    • app_sms: Bound protocol 1 SMS unpacking to fixed-size buffers
  • Roberto Paleari (1):

    • res/res_pjsip_pubsub.c: Fix buffer over-read in MWI body parser
  • ThatTotallyRealMyth (1):

    • ast_loggrabber: Install the ast_tsconvert.py script to a secure temp directory.

Commit List:

  • ast_loggrabber: Install the ast_tsconvert.py script to a secure temp directory.
  • chan_unistim.c: Prevent overrun of phone_number field.
  • ooh323c: not checking for IE minimum length
  • res_ari: Ensure read-only users are properly authorized via REST Over WebSocket.
  • pjsip_message_filter: Use pj_strdup instead of pj_strassign to save local address.
  • ooh323c/ooq931.c: Ensure ooQ931Decode doesn't run out-of-bounds.
  • ARI: Make ARI applications respect live_dangerously.
  • res_rtp_asterisk.c: Address 2 potential T.140 RED buffer overruns.
  • res/res_pjsip_pubsub.c: Fix buffer over-read in MWI body parser
  • manager: Use remote address in user error logging
  • ooh323: Prevent potential buffer overflow in trace logging
  • app_sms: Bound protocol 1 SMS unpacking to fixed-size buffers
  • res_xmpp: Fix stack buffer overflow in namespace prefix handling
  • res_pjsip_pubsub: Add width limit to sscanf in MWI NOTIFY parser
  • res_config_ldap: Escape LDAP filter values per RFC 4515
  • cel_pgsql, cel_tds: Escape eventtype field to prevent SQL injection
  • http: Escape error page text to prevent reflected XSS
  • codec_codec2: Only process complete Codec2 frames in decoder
  • format_ogg_speex: Add bounds check to prevent heap buffer overflow
  • acl: Add ACL support to http and ari
  • build: Fix GCC discarded-qualifiers const errors.

Commit Details:

ast_loggrabber: Install the ast_tsconvert.py script to a secure temp directory.

Author: ThatTotallyRealMyth
Date: 2026-03-19

The ast_tsconvert.py script called by ast_loggrabber is now installed in a
temporary directory that isn't world readable or writable.

Resolves: #GHSA-xgj6-2gc5-5x9c

chan_unistim.c: Prevent overrun of phone_number field.

Author: George Joseph
Date: 2026-06-15

Add a check to key_dial_page() to ensure that dialed digits won't overrun
the phone_number field.

Resolves: #GHSA-3g56-cgrh-95p5

ooh323c: not checking for IE minimum length

Author: Mike Bradeen
Date: 2022-06-06

When decoding the Q.931-encoded calling/called number,
now check for the length being less than the minimum required.

Resolves: #GHSA-h5hv-jmgj-92q2

res_ari: Ensure read-only users are properly authorized via REST Over WebSocket.

Author: George Joseph
Date: 2026-06-12

The REST over WebSocket path now properly prevents non-GET methods from
being executed on inbound WebSockets.

  • The query parameters from the original incoming GET request that caused the
    upgrade to WebSocket are now passed to all REST requests that come from the
    client. This ensures that if the client authenticated with a read-only
    userid using the "api_key" query_string parameter, REST requests coming
    in over the WebSocket will only be able to execute GETs on resources.
    The HTTP headers were already passed to the REST requests so if the
    client had authenticated via an "Authorization" it was properly handled.

  • New tests have been added to test_ari.c to check that read-only users
    are properly denied access to resources using non-GET methods. Several
    memory leaks were also squashed.

Resolves: #GHSA-wcvv-g26m-wx5c

pjsip_message_filter: Use pj_strdup instead of pj_strassign to save local address.

Author: George Joseph
Date: 2026-06-10

The filter_on_tx_message() function was using pj_strassign() to save the pointer
of the pjproject transport local address to a local pj_str_t variable. That
variable was ultimately used to set the Contact header's uri->host and the SDP
connection attribute's address, again using pj_strassign. pj_strassign() doesn't
copy the actual value of the pj_str_t, however; it just copies the pointer, so
if a connection-oriented transport is disconnected before the 200 OK with the
SDP is sent, those pointers will be invalid, which can cause use-after-free
issues. To prevent this, filter_on_tx_message() now uses pj_strdup with the
tdata->pool as the backing store to save the local IP address to the local
variable. pj_strassign() can then be used safely later on, since the tdata
will be available for the life of the transaction.

Resolves: #GHSA-g8q2-p36q-94f6

ooh323c/ooq931.c: Ensure ooQ931Decode doesn't run out-of-bounds.

Author: George Joseph
Date: 2026-06-02

Several bounds checks have been added to ooQ931Decode to prevent it from
running past the end of the data buffer when parsing information elements.

Resolves: #GHSA-746q-794h-cc7f

ARI: Make ARI applications respect live_dangerously.

Author: George Joseph
Date: 2026-05-21

DeveloperNote: ARI applications can no longer call "dangerous" dialplan
functions like DB(), FILE(), SHELL(), CURL(), STAT(), etc. without
enabling "live_dangerously" in asterisk.conf.

Resolves: #GHSA-vrfp-mg3q-3959

res_rtp_asterisk.c: Address 2 potential T.140 RED buffer overruns.

Author: George Joseph
Date: 2026-04-27

  • Add check to red_t140_to_red() to ensure that the new primary payload
    can't cause the rtp_red->len array items to wrap or cause an overrun of
    the rtp_red->t140red_data buffer.

  • Add check to rtp_red_buffer() to ensure that a T.140 frame to be sent
    can't cause rtp_red->len array items to wrap or cause an overrun of
    the rtp_red->buf_data buffer.

Resolves: #GHSA-vfhr-r9x9-c687
Resolves: #GHSA-j2mm-57pq-jh94

res/res_pjsip_pubsub.c: Fix buffer over-read in MWI body parser

Author: Roberto Paleari
Date: 2026-04-29

Add constraint checks to prevent unauthenticated users from crashing an Asterisk
instance by sending a crafted inbound SIP NOTIFY request with "Content-Type:
application/simple-message-summary".

Resolves: #GHSA-8jw3-ccr9-xrmf

manager: Use remote address in user error logging

Author: Mike Bradeen
Date: 2026-03-30

To avoid a potential null dereference, use the remote address
in error logging when there is no user or the user ACL fails.

Resolves: #GHSA-3rhj-hhw7-m6fw

ooh323: Prevent potential buffer overflow in trace logging

Author: Mike Bradeen
Date: 2026-03-31

Replace a call to vsprintf with a call to ast_vasprintf to
prevent a possible buffer overflow.

Resolves: #GHSA-x348-j6c9-77f3

app_sms: Bound protocol 1 SMS unpacking to fixed-size buffers

Author: Pengpeng Hou
Date: 2026-04-01

The protocol 1 unpack helpers trusted externally controlled lengths and wrote
them directly into fixed-size buffers in sms_t. Clamp the address, header,
and body copies to the destination array sizes so malformed messages cannot
overwrite adjacent state.

Resolves: #GHSA-q9fr-m7g8-6ph5

res_xmpp: Fix stack buffer overflow in namespace prefix handling

Author: Milan Kyselica
Date: 2026-03-26

The snprintf size parameter in xmpp_action_hook() is computed from
the attacker-controlled namespace prefix length and is not bounded
by the 256-byte stack buffer size. When a remote XMPP peer sends a
stanza with a child element whose namespace prefix exceeds 249
characters, snprintf writes past the buffer boundary.

Use sizeof(attr) as the snprintf size limit and %.*s precision to
extract only the prefix portion of the element name, preserving
the original truncation behavior for valid inputs.

Resolves: #GHSA-mxgm-8c6f-5p8f
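The bounded-snprintf pattern from the res_xmpp commit above (this commit appears in both release announcements on this page), as an added example that is not Asterisk's xmpp_action_hook(). The 256-byte buffer size is taken from the commit; the element-name form "prefix:local" and the "xmlns:<prefix>" attribute name it builds are assumptions. The size limit is the destination size, and the %.*s precision selects only the prefix bytes, so an over-long prefix is truncated instead of written past the buffer.

```c
#include <limits.h>
#include <stdio.h>
#include <string.h>

/* Added example, not Asterisk code. ATTR_BUF_SIZE is assumed to match the
 * 256-byte stack buffer named in the commit. */
#define ATTR_BUF_SIZE 256

/* Builds "xmlns:<prefix>" for an element name of the form "prefix:local".
 * Returns what snprintf reports (the length the full string would have),
 * so a caller can detect truncation with (ret >= attrsz); returns -1 when
 * the name carries no prefix. Never writes more than attrsz bytes. */
int build_xmlns_attr(char *attr, size_t attrsz, const char *name)
{
    const char *colon = strchr(name, ':');
    size_t prefix_len;

    if (!colon) {
        return -1;
    }
    prefix_len = (size_t)(colon - name);
    if (prefix_len > INT_MAX) {
        prefix_len = INT_MAX; /* %.*s takes an int precision */
    }
    /* The real fix passes sizeof(attr) here; the size bound comes from the
     * destination, not from the peer-controlled prefix length. */
    return snprintf(attr, attrsz, "xmlns:%.*s", (int)prefix_len, name);
}

/* Wrapper around the fixed-size buffer: 1 if the attribute name fit,
 * 0 if it was truncated (a peer sent an over-long prefix) or had no prefix. */
int xmlns_attr_fits(const char *name)
{
    char attr[ATTR_BUF_SIZE];
    int n = build_xmlns_attr(attr, sizeof(attr), name);

    return n >= 0 && (size_t)n < sizeof(attr);
}

int main(void)
{
    char attr[ATTR_BUF_SIZE];
    char longname[400]; /* constructed: 300-character prefix, longer than the buffer */

    memset(longname, 'a', 300);
    memcpy(longname + 300, ":x", 3);

    build_xmlns_attr(attr, sizeof(attr), "stream:features");
    printf("%s\n", attr);                                 /* xmlns:stream */
    printf("long prefix fits: %d\n", xmlns_attr_fits(longname)); /* 0 */
    return 0;
}
```

The return value is worth checking rather than ignoring: a truncated attribute name is harmless to memory but will not match the namespace the peer declared, so the caller should treat it as a malformed stanza rather than carry on with the shortened name.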

res_pjsip_pubsub: Add width limit to sscanf in MWI NOTIFY parser

Author: Milan Kyselica
Date: 2026-03-24

The parse_simple_message_summary() function uses sscanf with an
unbounded %s format specifier to parse the Message-Account field
from incoming SIP NOTIFY bodies into a fixed-size 512-byte stack
buffer (PJSIP_MAX_URL_SIZE). A single unauthenticated SIP NOTIFY
with a Message-Account value exceeding 512 bytes overflows the
buffer, corrupting adjacent stack data and permanently disabling
the PJSIP transport layer without crashing the process.

Add a width specifier (%511s) to limit the sscanf write to
PJSIP_MAX_URL_SIZE - 1 bytes plus the NUL terminator, matching
the destination buffer size.

Resolves: #GHSA-589g-qgf8-m6mx
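The width-limited sscanf pattern from the res_pjsip_pubsub commit above (the same commit is listed in both release announcements on this page), as an added example that is not Asterisk's parse_simple_message_summary(). The 512-byte buffer and the %511s width come from the commit; URL_MAX_LEN and the single-line input format are assumptions standing in for PJSIP_MAX_URL_SIZE and the real NOTIFY body parser. The width is derived from the buffer size at compile time so the two cannot drift apart, and a second variant shows how a caller can reject an over-long value instead of silently truncating it.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Added example, not Asterisk code. Buffer size derived from the maximum
 * field length so the sscanf width and the destination stay in step. */
#define URL_MAX_LEN  511
#define URL_BUF_SIZE (URL_MAX_LEN + 1)   /* 512, like PJSIP_MAX_URL_SIZE */
#define STR_(x) #x
#define STR(x) STR_(x)

/* Parses one "Message-Account: <value>" line into account, which must hold
 * at least URL_BUF_SIZE bytes. Returns 1 on a match, 0 otherwise. A value
 * longer than URL_MAX_LEN is truncated; nothing is written past account. */
int parse_message_account(const char *line, char *account)
{
    /* The format expands to "Message-Account: %511s": width = size - 1,
     * leaving one byte for the NUL that %s always appends. */
    return sscanf(line, "Message-Account: %" STR(URL_MAX_LEN) "s", account) == 1;
}

/* Same parse, but returns 1 only if the whole value fit. %n records how far
 * sscanf got; if the next byte is not whitespace or end of line, the %s
 * conversion stopped because the width ran out, so the value was cut. */
int parse_message_account_strict(const char *line, char *account)
{
    int consumed = 0;

    if (sscanf(line, "Message-Account: %" STR(URL_MAX_LEN) "s%n", account, &consumed) != 1) {
        return 0;
    }
    return line[consumed] == '\0' || isspace((unsigned char)line[consumed]);
}

int main(void)
{
    char account[URL_BUF_SIZE];
    char line[700]; /* constructed: a 600-character value, longer than the buffer */

    strcpy(line, "Message-Account: ");
    memset(line + 17, 'A', 600);
    line[617] = '\0';

    if (parse_message_account("Message-Account: sip:alice@example.com", account)) {
        printf("account: %s\n", account);
    }
    printf("long value parsed: %d, stored length: %zu\n",
           parse_message_account(line, account), strlen(account));  /* 1, 511 */
    printf("long value accepted strictly: %d\n",
           parse_message_account_strict(line, account));            /* 0 */
    return 0;
}
```

Which variant to use depends on the protocol: an MWI account URI that does not fit in PJSIP_MAX_URL_SIZE cannot be valid, so rejecting the NOTIFY (the strict variant) is the better choice when the caller can act on a parse failure.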

res_config_ldap: Escape LDAP filter values per RFC 4515

Author: Milan Kyselica
Date: 2026-03-23

The LDAP realtime driver constructs search filters by directly
concatenating user-supplied values without RFC 4515 escaping.
When LDAP is used as a realtime backend for endpoint
identification, characters with special meaning in LDAP filters
(*, (, ), \) can be injected via the SIP From header username.

Add ldap_filter_escape_value() that escapes RFC 4515 special
characters to their \HH hex representation, and apply it to
non-LIKE query values. The LIKE query path preserves the existing
wildcard conversion behavior with a note for maintainers.

Resolves: #GHSA-r6c2-hwc2-j4mp

cel_pgsql, cel_tds: Escape eventtype field to prevent SQL injection

Author: Milan Kyselica
Date: 2026-03-23

The eventtype column handler in cel_pgsql.c inserts
record.user_defined_name directly into the SQL query without
calling PQescapeStringConn(), while all other string fields in
the same function are properly escaped. Similarly, cel_tds.c
passes the raw user_defined_name into the SQL INSERT without
routing it through anti_injection(), while all other fields are
processed through that function.

For cel_pgsql.c, escape the eventtype value using
PQescapeStringConn(), matching the existing pattern used for all
other string fields at lines 308-331 of the same function.

For cel_tds.c, route the eventtype value through
anti_injection() consistent with how all other fields are handled
in the same function.

Resolves: #GHSA-ph27-3m5q-mj5m

http: Escape error page text to prevent reflected XSS

Author: Milan Kyselica
Date: 2026-04-08

The text parameter in ast_http_create_response() is inserted into
the HTML body without escaping, while the server name on the same
page is properly escaped via ast_xml_escape(). When res_phoneprov
passes the decoded request URI as the text of a 404 response, HTML
metacharacters in the URI are rendered by the browser.

Apply ast_xml_escape() to the text parameter before inserting it
into the HTML template, using the same function already used for
the server name.

Resolves: #GHSA-4pgv-j3mr-3rcp

codec_codec2: Only process complete Codec2 frames in decoder

Author: Milan Kyselica
Date: 2026-04-08

The codec2_samples() function uses floor division (160 * datalen/6)
to compute expected output samples, but the decode loop condition
(x < datalen) iterates with ceiling behavior when datalen is not a
multiple of CODEC2_FRAME_LEN. This mismatch causes the loop to
decode one extra frame beyond what the framework bounds check
budgeted for, leading to an out-of-bounds write on the output buffer.

Change the loop condition to only process complete frames, matching
the floor-division behavior of codec2_samples(). This also prevents
an out-of-bounds read on the input side when fewer than
CODEC2_FRAME_LEN bytes remain.

Resolves: #GHSA-qf8j-jp7h-c5hx

format_ogg_speex: Add bounds check to prevent heap buffer overflow

Author: Milan Kyselica
Date: 2026-03-23

The ogg_speex_read() function copies OGG packet data via memcpy()
without validating the packet size against the destination buffer
(BUF_SIZE = 200 bytes). A crafted .spx file with an oversized OGG
audio packet causes a heap buffer overflow that corrupts the
adjacent speex_desc structure containing libogg heap pointers,
leading to a crash (SIGSEGV) on playback.

Add a bounds check for both negative and oversized values before
the memcpy, consistent with how format_ogg_vorbis bounds its reads
via ov_read().

Resolves: #GHSA-8jhw-m2hg-vp3h

acl: Add ACL support to http and ari

Author: Mike Bradeen
Date: 2026-02-27

Add uri prefix based acl support to the built in http server.
This allows an acl to be added per uri prefix (i.e. '/metrics'
or '/ws') to restrict access.

Add user based acl support for ARI. This adds new acl options
to the user section of ari.conf to restrict access on a per
user basis.

resolves: #1799

UserNote: A new section, type=restriction, has been added to http.conf
to allow a uri prefix based acl to be configured. See
http.conf.sample for examples and more information.
The user section of ari.conf can now contain an acl configuration
to restrict users' access. See ari.conf.sample for examples and more
information.

build: Fix GCC discarded-qualifiers const errors.

Author: Joshua C. Colp
Date: 2026-02-12

GCC 15.2.1 pays attention to the discarding of the const
qualifier when strchr, strrchr, memchr, or memrchr are now
used. This change fixes numerous errors with this throughout
the tree. The fixes can be broken down into the following:

  1. The return value should be considered const.
  2. The value passed to strchr or strrchr can be cast as it is
    expected and allowed to be modified.
  3. The pointer passed to strchr or strrchr is not meant to be
    modified and so the contents must be duplicated.
  4. It was declared const and never should have been.

Asterisk Release certified-20.7-cert11

25 June 2026 at 19:07

The Asterisk Development Team would like to announce security release
Certified Asterisk 20.7-cert11.

The release artifacts are available for immediate download at
https://github.com/asterisk/asterisk/releases/tag/certified-20.7-cert11
and
https://downloads.asterisk.org/pub/telephony/certified-asterisk

Repository: https://github.com/asterisk/asterisk
Tag: certified-20.7-cert11

Change Log for Release asterisk-certified-20.7-cert11

Links:

Summary:

  • Commits: 18
  • Commit Authors: 7
  • Issues Resolved: 0
  • Security Advisories Resolved: 18

User Notes:

Upgrade Notes:

Developer Notes:

  • ARI: Make ARI applications respect live_dangerously.

    ARI applications can no longer call "dangerous" dialplan
    functions like DB(), FILE(), SHELL(), CURL(), STAT(), etc. without
    enabling "live_dangerously" in asterisk.conf.
    Resolves: #GHSA-vrfp-mg3q-3959

Commit Authors:

  • George Joseph: (5)
  • Joshua C. Colp: (1)
  • Mike Bradeen: (2)
  • Milan Kyselica: (7)
  • Pengpeng Hou: (1)
  • Roberto Paleari: (1)
  • ThatTotallyRealMyth: (1)

Issue and Commit Detail:

Closed Issues:

  • !GHSA-3g56-cgrh-95p5: chan_unistim DIALPAGE digit handling can overflow phone_number and crash Asterisk
  • !GHSA-3rhj-hhw7-m6fw: NULL Pointer Dereference in HTTP AMI Digest Authentication
  • !GHSA-4pgv-j3mr-3rcp: Reflected XSS in Phone Provisioning HTTP Error Pages
  • !GHSA-589g-qgf8-m6mx: Stack buffer overflow in MWI NOTIFY Message-Account parsing
  • !GHSA-746q-794h-cc7f: Out-of-Bounds Read in Q.931 Information Element Parser (H.323 Addon)
  • !GHSA-8jhw-m2hg-vp3h: Heap Buffer Overflow in OGG/Speex File Playback (format_ogg_speex)
  • !GHSA-8jw3-ccr9-xrmf: Buffer over-read in Asterisk PJSIP MWI body parser
  • !GHSA-g8q2-p36q-94f6: Heap-use-after-free in Asterisk PJSIP TCP/SDP handling when TCP connection closes during SDP processing
  • !GHSA-j2mm-57pq-jh94: Possible RED T.140 Generation Accumulation OOB Write
  • !GHSA-mxgm-8c6f-5p8f: Stack buffer overflow in res_xmpp XMPP namespace prefix handling
  • !GHSA-ph27-3m5q-mj5m: SQL Injection in cel_pgsql and cel_tds via CELGenUserEvent eventtype Field
  • !GHSA-q9fr-m7g8-6ph5: Asterisk app_sms.c copies externally controlled SMS lengths into fixed in-struct buffers
  • !GHSA-qf8j-jp7h-c5hx: Out-of-Bounds Write in Codec2 Decoder Due to Floor/Ceil Sample Count Mismatch
  • !GHSA-r6c2-hwc2-j4mp: LDAP Filter Injection in res_config_ldap via SIP Username (Unauthenticated Information Disclosure)
  • !GHSA-vfhr-r9x9-c687: Possible RED T.140 Heap Buffer Overflow
  • !GHSA-vrfp-mg3q-3959: ARI setChannelVar bypasses live_dangerously and permits FILE() writes
  • !GHSA-x348-j6c9-77f3: Stack Buffer Overflow in H.323 ooTrace() via Unbounded vsprintf into Fixed 2048-byte Buffer
  • !GHSA-xgj6-2gc5-5x9c: ast_loggrabber executes python script in world writable directory(/tmp) leading to potential privilege escalation And RCE

Commits By Author:

  • George Joseph (5):

    • chan_unistim.c: Prevent overrun of phone_number field.
    • pjsip_message_filter: Use pj_strdup instead of pj_strassign to save local address.
    • ooh323c/ooq931.c: Ensure ooQ931Decode doesn't run out-of-bounds.
    • ARI: Make ARI applications respect live_dangerously.
    • res_rtp_asterisk.c: Address 2 potential T.140 RED buffer overruns.
  • Joshua C. Colp (1):

    • build: Fix GCC discarded-qualifiers const errors.
  • Mike Bradeen (2):

    • manager: Use remote address in user error logging
    • ooh323: Prevent potential buffer overflow in trace logging
  • Milan Kyselica (7):

    • res_xmpp: Fix stack buffer overflow in namespace prefix handling
    • res_pjsip_pubsub: Add width limit to sscanf in MWI NOTIFY parser
    • res_config_ldap: Escape LDAP filter values per RFC 4515
    • cel_pgsql, cel_tds: Escape eventtype field to prevent SQL injection
    • http: Escape error page text to prevent reflected XSS
    • codec_codec2: Only process complete Codec2 frames in decoder
    • format_ogg_speex: Add bounds check to prevent heap buffer overflow
  • Pengpeng Hou (1):

    • app_sms: Bound protocol 1 SMS unpacking to fixed-size buffers
  • Roberto Paleari (1):

    • res/res_pjsip_pubsub.c: Fix buffer over-read in MWI body parser
  • ThatTotallyRealMyth (1):

    • ast_loggrabber: Install the ast_tsconvert.py script to a secure temp directory.

Commit List:

  • ast_loggrabber: Install the ast_tsconvert.py script to a secure temp directory.
  • chan_unistim.c: Prevent overrun of phone_number field.
  • pjsip_message_filter: Use pj_strdup instead of pj_strassign to save local address.
  • ooh323c/ooq931.c: Ensure ooQ931Decode doesn't run out-of-bounds.
  • ARI: Make ARI applications respect live_dangerously.
  • res_rtp_asterisk.c: Address 2 potential T.140 RED buffer overruns.
  • res/res_pjsip_pubsub.c: Fix buffer over-read in MWI body parser
  • manager: Use remote address in user error logging
  • ooh323: Prevent potential buffer overflow in trace logging
  • app_sms: Bound protocol 1 SMS unpacking to fixed-size buffers
  • res_xmpp: Fix stack buffer overflow in namespace prefix handling
  • res_pjsip_pubsub: Add width limit to sscanf in MWI NOTIFY parser
  • res_config_ldap: Escape LDAP filter values per RFC 4515
  • cel_pgsql, cel_tds: Escape eventtype field to prevent SQL injection
  • http: Escape error page text to prevent reflected XSS
  • codec_codec2: Only process complete Codec2 frames in decoder
  • format_ogg_speex: Add bounds check to prevent heap buffer overflow
  • build: Fix GCC discarded-qualifiers const errors.

Commit Details:

ast_loggrabber: Install the ast_tsconvert.py script to a secure temp directory.

Author: ThatTotallyRealMyth
Date: 2026-03-19

The ast_tsconvert.py script called by ast_loggrabber is now installed in a
temporary directory that isn't world readable or writable.

Resolves: #GHSA-xgj6-2gc5-5x9c

chan_unistim.c: Prevent overrun of phone_number field.

Author: George Joseph
Date: 2026-06-15

Add a check to key_dial_page() to ensure that dialed digits won't overrun
the phone_number field.

Resolves: #GHSA-3g56-cgrh-95p5

pjsip_message_filter: Use pj_strdup instead of pj_strassign to save local address.

Author: George Joseph
Date: 2026-06-10

The filter_on_tx_message() function was using pj_strassign() to save the pointer
of the pjproject transport local address to a local pj_str_t variable. That
variable was ultimately used to set the Contact header's uri->host and the SDP
connection attribute's address again using pj_strassign. pj_strassign() doesn't
copy the actual value of the pj_str_t however, it just copies the pointer so
if a connection-oriented transport is disconnected before the 200 OK with the
SDP is sent, those pointers will be invalid which can cause use-after-free
issues. To prevent this, filter_on_tx_message() now uses pj_strdup with the
tdata->pool as the backing store to save the local IP address to the local
variable. pj_strassign() can then be used safely later on since the tdata
will be available for the life of the transaction.

Resolves: #GHSA-g8q2-p36q-94f6

ooh323c/ooq931.c: Ensure ooQ931Decode doesn't run out-of-bounds.

Author: George Joseph
Date: 2026-06-02

Several bounds checks have been added to ooQ931Decode to prevent it from
running past the end of the data buffer when parsing information elements.

Resolves: #GHSA-746q-794h-cc7f

ARI: Make ARI applications respect live_dangerously.

Author: George Joseph
Date: 2026-05-21

DeveloperNote: ARI applications can no longer call "dangerous" dialplan
functions like DB(), FILE(), SHELL(), CURL(), STAT(), etc. without
enabling "live_dangerously" in asterisk.conf.

Resolves: #GHSA-vrfp-mg3q-3959

res_rtp_asterisk.c: Address 2 potential T.140 RED buffer overruns.

Author: George Joseph
Date: 2026-04-27

  • Add check to red_t140_to_red() to ensure that the new primary payload
    can't cause the rtp_red->len array items to wrap or cause an overrun of
    the rtp_red->t140red_data buffer.

  • Add check to rtp_red_buffer() to ensure that a T.140 frame to be sent
    can't cause rtp_red->len array items to wrap or cause an overrun of
    the rtp_red->buf_data buffer.

Resolves: #GHSA-vfhr-r9x9-c687
Resolves: #GHSA-j2mm-57pq-jh94

res/res_pjsip_pubsub.c: Fix buffer over-read in MWI body parser

Author: Roberto Paleari
Date: 2026-04-29

Add constraint checks to prevent unauthenticated users from crashing an Asterisk
instance by sending a crafted inbound SIP NOTIFY request with "Content-Type:
application/simple-message-summary".

Resolves: #GHSA-8jw3-ccr9-xrmf

manager: Use remote address in user error logging

Author: Mike Bradeen
Date: 2026-03-30

To avoid a potential null dereference use the remote address
in error logging when there is no user or the user acl fails.

Resolves: #GHSA-3rhj-hhw7-m6fw

ooh323: Prevent potential buffer overflow in trace logging

Author: Mike Bradeen
Date: 2026-03-31

Replace a call to vsprintf with a call to ast_vasprintf to
prevent a possible buffer overflow.

Resolves: #GHSA-x348-j6c9-77f3

app_sms: Bound protocol 1 SMS unpacking to fixed-size buffers

Author: Pengpeng Hou
Date: 2026-04-01

The protocol 1 unpack helpers trusted externally controlled lengths and wrote
them directly into fixed-size buffers in sms_t. Clamp the address, header,
and body copies to the destination array sizes so malformed messages cannot
overwrite adjacent state.

Resolves: #GHSA-q9fr-m7g8-6ph5

res_xmpp: Fix stack buffer overflow in namespace prefix handling

Author: Milan Kyselica
Date: 2026-03-26

The snprintf size parameter in xmpp_action_hook() is computed from
the attacker-controlled namespace prefix length and is not bounded
by the 256-byte stack buffer size. When a remote XMPP peer sends a
stanza with a child element whose namespace prefix exceeds 249
characters, snprintf writes past the buffer boundary.

Use sizeof(attr) as the snprintf size limit and %.*s precision to
extract only the prefix portion of the element name, preserving
the original truncation behavior for valid inputs.

Resolves: #GHSA-mxgm-8c6f-5p8f

res_pjsip_pubsub: Add width limit to sscanf in MWI NOTIFY parser

Author: Milan Kyselica
Date: 2026-03-24

The parse_simple_message_summary() function uses sscanf with an
unbounded %s format specifier to parse the Message-Account field
from incoming SIP NOTIFY bodies into a fixed-size 512-byte stack
buffer (PJSIP_MAX_URL_SIZE). A single unauthenticated SIP NOTIFY
with a Message-Account value exceeding 512 bytes overflows the
buffer, corrupting adjacent stack data and permanently disabling
the PJSIP transport layer without crashing the process.

Add a width specifier (%511s) to limit the sscanf write to
PJSIP_MAX_URL_SIZE - 1 bytes plus the NUL terminator, matching
the destination buffer size.

Resolves: #GHSA-589g-qgf8-m6mx
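
The two commits above (res_xmpp and res_pjsip_pubsub) fix the same class of bug with two different bounded-copy idioms; both messages also appear earlier on this page in the previous release's changelog. What follows is an added C example written for this page, not Asterisk code: a scanf width specifier derived from the destination size for the Message-Account field, and a sizeof-bounded snprintf with %.*s for the namespace prefix. MAX_URL_SIZE stands in for PJSIP_MAX_URL_SIZE, XMLNS_ATTR_SIZE for the 256-byte attr buffer, and the "xmlns:" format string is an assumption that the commit message does not confirm.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Illustrative sizes matching the two commit messages. */
#define MAX_URL_SIZE    512  /* stands in for PJSIP_MAX_URL_SIZE */
#define MAX_URL_WIDTH   511  /* scanf width: buffer size minus the NUL */
#define XMLNS_ATTR_SIZE 256  /* the res_xmpp stack buffer size */

#if MAX_URL_WIDTH != MAX_URL_SIZE - 1
#error "scanf width must leave room for the terminating NUL"
#endif

#define STR_(x) #x
#define STR(x) STR_(x)

/*
 * Extract the Message-Account value from one line of a
 * simple-message-summary body. Returns 1 on success, 0 otherwise.
 *
 * Unfixed form (do not use): sscanf(line, "Message-Account: %s", account)
 * writes as many bytes as the remote peer sends. The width specifier is the
 * whole fix; STR() expands it from the constant so it cannot drift from the
 * buffer size.
 */
static int parse_message_account(const char *line, char account[MAX_URL_SIZE])
{
	/* Format expands to "Message-Account: %511s". */
	return sscanf(line, "Message-Account: %" STR(MAX_URL_WIDTH) "s", account) == 1;
}

/*
 * Build "xmlns:<prefix>" from an element name of the form "prefix:local".
 * The size argument is the destination's size and %.*s bounds the read to the
 * prefix, so an over-long prefix is truncated instead of overrunning attr.
 * The "xmlns:" layout is assumed; the commit message does not show it.
 * Returns the resulting string length.
 */
static size_t xmlns_attr_for(const char *name, char attr[XMLNS_ATTR_SIZE])
{
	const char *colon = strchr(name, ':');
	int prefix_len = colon ? (int)(colon - name) : 0;

	snprintf(attr, XMLNS_ATTR_SIZE, "xmlns:%.*s", prefix_len, name);
	return strlen(attr);
}

/* Length stored when the peer sends a constructed 600-byte account value. */
static size_t oversized_account_len(void)
{
	char line[17 + 600 + 1];
	char account[MAX_URL_SIZE];

	memcpy(line, "Message-Account: ", 17);
	memset(line + 17, 'x', 600);
	line[sizeof(line) - 1] = '\0';
	if (!parse_message_account(line, account)) {
		return 0;
	}
	return strlen(account);
}

/* 1 if an ordinary value survives the parse unchanged. */
static int normal_account_roundtrip(void)
{
	char account[MAX_URL_SIZE];

	if (!parse_message_account("Message-Account: sip:alice@example.com", account)) {
		return 0;
	}
	return strcmp(account, "sip:alice@example.com") == 0;
}

/* Length of the xmlns attribute built from a constructed name whose prefix is prefix_len 'a's. */
static size_t xmlns_len_for_prefix(size_t prefix_len)
{
	char name[4096];
	char attr[XMLNS_ATTR_SIZE];

	if (prefix_len > sizeof(name) - 6) {
		prefix_len = sizeof(name) - 6;
	}
	memset(name, 'a', prefix_len);
	memcpy(name + prefix_len, ":body", 6); /* includes the NUL */
	return xmlns_attr_for(name, attr);
}

int main(void)
{
	char attr[XMLNS_ATTR_SIZE];

	printf("600-byte account stored as %zu bytes\n", oversized_account_len());
	xmlns_attr_for("stream:features", attr);
	printf("short prefix -> %s\n", attr);
	printf("1000-char prefix -> %zu bytes (buffer is %d)\n",
	       xmlns_len_for_prefix(1000), XMLNS_ATTR_SIZE);
	return 0;
}
```

Deriving the width from the same constant as the buffer (the #if refuses to compile if the two drift apart) is what keeps this fix from regressing when someone later resizes the buffer. The 249-character threshold quoted in the res_xmpp message falls out of the arithmetic: 256 bytes minus the six of "xmlns:" minus the NUL.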

res_config_ldap: Escape LDAP filter values per RFC 4515

Author: Milan Kyselica
Date: 2026-03-23

The LDAP realtime driver constructs search filters by directly
concatenating user-supplied values without RFC 4515 escaping.
When LDAP is used as a realtime backend for endpoint
identification, characters with special meaning in LDAP filters
(*, (, ), \) can be injected via the SIP From header username.

Add ldap_filter_escape_value() that escapes RFC 4515 special
characters to their \HH hex representation, and apply it to
non-LIKE query values. The LIKE query path preserves the existing
wildcard conversion behavior with a note for maintainers.

Resolves: #GHSA-r6c2-hwc2-j4mp
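
An added C example, not the project's code, of the RFC 4515 escaping this commit describes and of why the unescaped filter matters (the same commit message appears earlier on this page in the previous release's changelog). ldap_filter_escape() is an illustrative stand-in for the ldap_filter_escape_value() the commit adds, and the objectClass and attribute names in the filter template are constructed for the example.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/*
 * Escape a value for use inside an LDAP search filter (RFC 4515 section 3).
 * '*', '(', ')' and '\' are replaced by their \HH form. NUL would be escaped
 * as \00 too but cannot occur in a C string. Returns the escaped length, or
 * -1 if out (size outlen) is too small. Stand-in for the commit's
 * ldap_filter_escape_value(); not Asterisk's code.
 */
static int ldap_filter_escape(const char *in, char *out, size_t outlen)
{
	size_t pos = 0;

	for (; *in; in++) {
		unsigned char c = (unsigned char)*in;

		if (c == '*' || c == '(' || c == ')' || c == '\\') {
			if (pos + 3 >= outlen) {
				return -1;
			}
			/* Three bytes plus a NUL that the next write overwrites. */
			snprintf(out + pos, 4, "\\%02x", (unsigned int)c);
			pos += 3;
		} else {
			if (pos + 1 >= outlen) {
				return -1;
			}
			out[pos++] = (char)c;
		}
	}
	out[pos] = '\0';
	return (int)pos;
}

/*
 * Build the lookup filter a realtime backend might issue for a SIP From
 * username. Object class and attribute are illustrative. escape == 0
 * reproduces the raw concatenation the commit removes.
 * Returns 0 on success, -1 on error.
 */
static int build_user_filter(const char *username, int escape, char *filter, size_t flen)
{
	char esc[1024];
	const char *val = username;
	int n;

	if (escape) {
		if (ldap_filter_escape(username, esc, sizeof(esc)) < 0) {
			return -1;
		}
		val = esc;
	}
	n = snprintf(filter, flen, "(&(objectClass=AsteriskSIPUser)(cn=%s))", val);
	return (n < 0 || (size_t)n >= flen) ? -1 : 0;
}

/* 1 if the filter built for username is byte-for-byte expected. */
static int filter_equals(const char *username, int escape, const char *expected)
{
	char filter[2048];

	if (build_user_filter(username, escape, filter, sizeof(filter)) < 0) {
		return 0;
	}
	return strcmp(filter, expected) == 0;
}

int main(void)
{
	/* Constructed From-header username: closes the cn term and adds a wildcard one. */
	const char *attacker = "*)(cn=*";
	char filter[2048];

	build_user_filter(attacker, 0, filter, sizeof(filter));
	printf("unescaped: %s\n", filter); /* two (cn=*) terms: matches every entry */
	build_user_filter(attacker, 1, filter, sizeof(filter));
	printf("escaped:   %s\n", filter); /* one literal term that matches nothing */
	return 0;
}
```

Only '*', '(', ')', '\' and NUL carry meaning inside an RFC 4515 filter; escaping other characters is harmless but unnecessary. The LIKE path the commit message leaves alone is the one place where a literal '*' has to survive, so there the value should be escaped first and the intended wildcards inserted afterwards, never the other way round.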

cel_pgsql, cel_tds: Escape eventtype field to prevent SQL injection

Author: Milan Kyselica
Date: 2026-03-23

The eventtype column handler in cel_pgsql.c inserts
record.user_defined_name directly into the SQL query without
calling PQescapeStringConn(), while all other string fields in
the same function are properly escaped. Similarly, cel_tds.c
passes the raw user_defined_name into the SQL INSERT without
routing it through anti_injection(), while all other fields are
processed through that function.

For cel_pgsql.c, escape the eventtype value using
PQescapeStringConn(), matching the existing pattern used for all
other string fields at lines 308-331 of the same function.

For cel_tds.c, route the eventtype value through
anti_injection() consistent with how all other fields are handled
in the same function.

Resolves: #GHSA-ph27-3m5q-mj5m

http: Escape error page text to prevent reflected XSS

Author: Milan Kyselica
Date: 2026-04-08

The text parameter in ast_http_create_response() is inserted into
the HTML body without escaping, while the server name on the same
page is properly escaped via ast_xml_escape(). When res_phoneprov
passes the decoded request URI as the text of a 404 response, HTML
metacharacters in the URI are rendered by the browser.

Apply ast_xml_escape() to the text parameter before inserting it
into the HTML template, using the same function already used for
the server name.

Resolves: #GHSA-4pgv-j3mr-3rcp
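
An added C example, not Asterisk's code, of the one-sided escaping this commit describes (the same commit message appears earlier on this page in the previous release's changelog). xml_escape() stands in for ast_xml_escape(), whose signature differs; the page template, the server string and the request path are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/*
 * Escape the five XML metacharacters so in can be placed in element content
 * or a quoted attribute. Stand-in for ast_xml_escape(); not the project's
 * code. Returns the escaped length, or -1 if out (size outlen) is too small.
 */
static int xml_escape(const char *in, char *out, size_t outlen)
{
	size_t pos = 0;

	for (; *in; in++) {
		const char *rep = NULL;
		size_t need;

		switch (*in) {
		case '<':  rep = "&lt;";   break;
		case '>':  rep = "&gt;";   break;
		case '&':  rep = "&amp;";  break;
		case '"':  rep = "&quot;"; break;
		case '\'': rep = "&apos;"; break;
		default:   break;
		}
		need = rep ? strlen(rep) : 1;
		if (pos + need >= outlen) {
			return -1;
		}
		if (rep) {
			memcpy(out + pos, rep, need);
		} else {
			out[pos] = *in;
		}
		pos += need;
	}
	out[pos] = '\0';
	return (int)pos;
}

/*
 * Render a minimal 404 body. The template is illustrative, not Asterisk's.
 * escape_text == 0 reproduces the pre-fix behaviour: the server name is
 * escaped but the text (here the decoded request URI) is not.
 * Returns 0 on success, -1 on error.
 */
static int render_error_page(const char *server, const char *text, int escape_text,
			     char *out, size_t outlen)
{
	char esc_server[256];
	char esc_text[2048];
	const char *body = text;
	int n;

	if (xml_escape(server, esc_server, sizeof(esc_server)) < 0) {
		return -1;
	}
	if (escape_text) {
		if (xml_escape(text, esc_text, sizeof(esc_text)) < 0) {
			return -1;
		}
		body = esc_text;
	}
	n = snprintf(out, outlen,
		     "<html><head><title>404 Not Found</title></head><body>"
		     "<h1>Not Found</h1><p>%s</p><hr><address>%s</address></body></html>",
		     body, esc_server);
	return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* 1 if the rendered page for text contains needle verbatim. */
static int page_contains(const char *text, int escape_text, const char *needle)
{
	char page[4096];

	if (render_error_page("Asterisk (example)", text, escape_text, page, sizeof(page)) < 0) {
		return 0;
	}
	return strstr(page, needle) != NULL;
}

int main(void)
{
	/* Constructed request path that a link or redirect could make a browser fetch. */
	const char *uri = "/phoneprov/<img src=x onerror=alert(document.cookie)>";
	char page[4096];

	render_error_page("Asterisk (example)", uri, 0, page, sizeof(page));
	printf("before: %s\n", page);
	render_error_page("Asterisk (example)", uri, 1, page, sizeof(page));
	printf("after:  %s\n", page);
	return 0;
}
```

The rule the fix enforces is that every untrusted value interpolated into the template passes through the same escape function; the bug was that one of two interpolations did not. Escaping the quote characters as well as <, > and & makes the same function safe for attribute values, not only element content.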

codec_codec2: Only process complete Codec2 frames in decoder

Author: Milan Kyselica
Date: 2026-04-08

The codec2_samples() function uses floor division (160 * datalen/6)
to compute expected output samples, but the decode loop condition
(x < datalen) iterates with ceiling behavior when datalen is not a
multiple of CODEC2_FRAME_LEN. This mismatch causes the loop to
decode one extra frame beyond what the framework bounds check
budgeted for, leading to an out-of-bounds write on the output buffer.

Change the loop condition to only process complete frames, matching
the floor-division behavior of codec2_samples(). This also prevents
an out-of-bounds read on the input side when fewer than
CODEC2_FRAME_LEN bytes remain.

Resolves: #GHSA-qf8j-jp7h-c5hx
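
An added C example (not the project's code; this commit message also appears earlier on this page in the previous release's changelog) that makes the floor/ceiling mismatch countable for any payload length. CODEC2_FRAME_LEN = 6 and the 160-sample frame are taken from the message's 160 * datalen/6 expression; the counting helpers are constructed for this page and mirror the two loop conditions rather than decoding audio.

```c
#include <stdio.h>

#define CODEC2_FRAME_LEN 6            /* bytes per frame, as in the commit's 160 * datalen/6 */
#define CODEC2_SAMPLES_PER_FRAME 160  /* 20 ms at 8 kHz */

/* Output budget the framework allocates: floor division, as codec2_samples() does. */
static int codec2_samples(int datalen)
{
	return CODEC2_SAMPLES_PER_FRAME * datalen / CODEC2_FRAME_LEN;
}

/* Frames the unfixed loop visits; the condition x < datalen rounds up. */
static int frames_visited_unfixed(int datalen)
{
	int x, frames = 0;

	for (x = 0; x < datalen; x += CODEC2_FRAME_LEN) {
		frames++;
	}
	return frames;
}

/* Frames the fixed loop visits: only those with all CODEC2_FRAME_LEN bytes present. */
static int frames_visited_fixed(int datalen)
{
	int x, frames = 0;

	for (x = 0; x + CODEC2_FRAME_LEN <= datalen; x += CODEC2_FRAME_LEN) {
		frames++;
	}
	return frames;
}

/*
 * Samples the decode loop writes minus the budgeted output. A positive
 * result is an out-of-bounds write of that many samples.
 */
static int output_overrun(int datalen, int fixed)
{
	int frames = fixed ? frames_visited_fixed(datalen) : frames_visited_unfixed(datalen);

	return frames * CODEC2_SAMPLES_PER_FRAME - codec2_samples(datalen);
}

/*
 * Input bytes the last visited frame reads beyond the payload. A positive
 * result is an out-of-bounds read.
 */
static int input_overread(int datalen, int fixed)
{
	int frames = fixed ? frames_visited_fixed(datalen) : frames_visited_unfixed(datalen);
	int end = frames * CODEC2_FRAME_LEN;

	return end > datalen ? end - datalen : 0;
}

int main(void)
{
	int datalen;

	printf("datalen budget unfixed(write,read) fixed(write,read)\n");
	for (datalen = 5; datalen <= 13; datalen++) {
		printf("%7d %6d %10d,%-6d %8d,%d\n", datalen, codec2_samples(datalen),
		       output_overrun(datalen, 0), input_overread(datalen, 0),
		       output_overrun(datalen, 1), input_overread(datalen, 1));
	}
	return 0;
}
```

For a 7-byte payload the framework budgets 186 samples, but the unfixed loop writes 320 and reads 12 input bytes; the fixed condition x + CODEC2_FRAME_LEN <= datalen writes 160 and reads 6. Whenever a decoder's output budget and its loop bound are computed independently, the invariant worth asserting in a unit test is frames_visited * SAMPLES_PER_FRAME <= budget(datalen) for every datalen a peer can send, including the values that are not a multiple of the frame length.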

format_ogg_speex: Add bounds check to prevent heap buffer overflow

Author: Milan Kyselica
Date: 2026-03-23

The ogg_speex_read() function copies OGG packet data via memcpy()
without validating the packet size against the destination buffer
(BUF_SIZE = 200 bytes). A crafted .spx file with an oversized OGG
audio packet causes a heap buffer overflow that corrupts the
adjacent speex_desc structure containing libogg heap pointers,
leading to a crash (SIGSEGV) on playback.

Add a bounds check for both negative and oversized values before
the memcpy, consistent with how format_ogg_vorbis bounds its reads
via ov_read().

Resolves: #GHSA-8jhw-m2hg-vp3h

build: Fix GCC discarded-qualifiers const errors.

Author: Joshua C. Colp
Date: 2026-02-12

GCC 15.2.1 pays attention to the discarding of the const
qualifier when strchr, strrchr, memchr, or memrchr are now
used. This change fixes numerous errors with this throughout
the tree. The fixes can be broken down into the following:

  1. The return value should be considered const.
  2. The value passed to strchr or strrchr can be cast as it is
    expected and allowed to be modified.
  3. The pointer passed to strchr or strrchr is not meant to be
    modified and so the contents must be duplicated.
  4. It was declared const and never should have been.
