Asterisk Security Release 18.26.2 Now Available ⋆ Asterisk

Asterisk 18.26.2.

The release artifacts are available for immediate download at
https://github.com/asterisk/asterisk/releases/tag/18.26.2
and
https://downloads.asterisk.org/pub/telephony/asterisk

Repository: https://github.com/asterisk/asterisk
Tag: 18.26.2

Change Log for Release asterisk-18.26.2

Summary:

Commits: 2
Commit Authors: 1
Issues Resolved: 0
Security Advisories Resolved: 2
- GHSA-2grh-7mhv-fcfw: Using malformed From header can forge identity with “;” or NULL in name portion
- GHSA-c7p6-7mvq-8jq2: cli_permissions.conf: deny option does not work for disallowing shell commands

User Notes:

asterisk.c: Add option to restrict shell access from remote consoles.

A new asterisk.conf option ‘disable_remote_console_shell’ has
been added that, when set, will prevent remote consoles from executing
shell commands using the ‘!’ prefix.
Resolves: #GHSA-c7p6-7mvq-8jq2

Upgrade Notes:

Commit Authors:

George Joseph: (2)

Issue and Commit Detail:

Closed Issues:

GHSA-2grh-7mhv-fcfw: Using malformed From header can forge identity with “;” or NULL in name portion
GHSA-c7p6-7mvq-8jq2: cli_permissions.conf: deny option does not work for disallowing shell commands

Commits By Author:

George Joseph (2):
- res_pjsip_messaging.c: Mask control characters in received From display name
- asterisk.c: Add option to restrict shell access from remote consoles.

Commit List:

asterisk.c: Add option to restrict shell access from remote consoles.
res_pjsip_messaging.c: Mask control characters in received From display name

Commit Details:

asterisk.c: Add option to restrict shell access from remote consoles.

Author: George Joseph
Date: 2025-05-19

UserNote: A new asterisk.conf option ‘disable_remote_console_shell’ has
been added that, when set, will prevent remote consoles from executing
shell commands using the ‘!’ prefix.

Resolves: #GHSA-c7p6-7mvq-8jq2

res_pjsip_messaging.c: Mask control characters in received From display name

Author: George Joseph
Date: 2025-03-24

Incoming SIP MESSAGEs will now have their From header’s display name
sanitized by replacing any characters < 32 (space) with a space.

Resolves: #GHSA-2grh-7mhv-fcfw

Asterisk Security Release 18.26.2 Now Available

Change Log for Release asterisk-18.26.2

Links:

Summary:

User Notes:

asterisk.c: Add option to restrict shell access from remote consoles.

Upgrade Notes:

Commit Authors:

Issue and Commit Detail:

Closed Issues:

Commits By Author:

George Joseph (2):

Commit List:

Commit Details:

asterisk.c: Add option to restrict shell access from remote consoles.

res_pjsip_messaging.c: Mask control characters in received From display name

What can we help you find?

Download Asterisk

Get Started

Other Resources