Asterisk Security Releases 22.5.1, 21.10.1, 20.15.1, 18.26.3, Certified 20.7-cert7

The Asterisk Development Team would like to announce the security releases
of Asterisk 22.5.1, 21.10.1, 20.15.1, 18.26.3, and Certified 20.7-cert7.
The release artifacts are available for immediate download at

https://github.com/asterisk/asterisk/releases/tag/22.5.1
https://github.com/asterisk/asterisk/releases/tag/21.10.1
https://github.com/asterisk/asterisk/releases/tag/20.15.1
https://github.com/asterisk/asterisk/releases/tag/18.26.3
https://github.com/asterisk/asterisk/releases/tag/certified-20.7-cert7

and

https://downloads.asterisk.org/pub/telephony/asterisk

Tags: 22.5.1, 21.10.1, 20.15.1, 18.26.3, certified-20.7-cert7
Change Log
Summary:
  • Commits: 2
  • Commit Authors: 2
  • Issues Resolved: 0
  • Security Advisories Resolved: 2
    • GHSA-mrq5-74j5-f5cr: Remote DoS and possible RCE in asterisk/res/res_stir_shaken/verification.c
    • GHSA-v9q8-9j8m-5xwp: Uncontrolled Search-Path Element in safe_asterisk script may allow local privilege escalation.
User Notes:
Upgrade Notes:
  • safe_asterisk: Add ownership checks for /etc/asterisk/startup.d and its files.

    The safe_asterisk script now checks that, if it was run by the
    root user, the /etc/asterisk/startup.d directory and all the files it contains
    are owned by root. If the checks fail, safe_asterisk will exit with an error
    and Asterisk will not be started. Additionally, the default logging
    destination is now stderr instead of tty “9” which probably won’t exist
    in modern systems.
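
A pre-upgrade audit for the ownership requirement described in the upgrade note above. This is an added example, not the safe_asterisk code or anything from the Asterisk project. The function name `audit_startup_d`, its arguments and its exit codes are assumptions, and the scan is recursive, which may be stricter than the script's own check.

```shell
#!/bin/sh
# Added example: report entries under startup.d that would fail an
# "owned by root" requirement. Hypothetical helper, not safe_asterisk code.
#
# audit_startup_d [DIR] [UID]
#   DIR  directory to audit (default: /etc/asterisk/startup.d)
#   UID  numeric owner expected (default: 0, i.e. root)
# Returns:
#   0  DIR and every entry below it are owned by UID
#   1  at least one entry has a different owner (paths printed on stderr)
#   2  DIR is missing, not a directory, or could not be scanned
audit_startup_d() {
    dir=${1:-/etc/asterisk/startup.d}
    uid=${2:-0}

    if [ ! -d "$dir" ]; then
        echo "audit: $dir is missing or not a directory" >&2
        return 2
    fi

    # find visits DIR itself, dotfiles and nested entries; a shell glob
    # ("$dir"/*) would silently skip dotfiles.
    offenders=$(find "$dir" ! -user "$uid" -print) || {
        echo "audit: could not scan $dir" >&2
        return 2
    }

    if [ -n "$offenders" ]; then
        echo "audit: not owned by uid $uid:" >&2
        printf '%s\n' "$offenders" >&2
        return 1
    fi
    return 0
}

# Typical use, as root, before installing the new release:
#   audit_startup_d || echo "fix ownership before upgrading"
```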

Developer Notes:
Commit Authors:
  • George Joseph: (1)
  • ThatTotallyRealMyth: (1)
Issue and Commit Detail:
Closed Issues:
  • !GHSA-mrq5-74j5-f5cr: Remote DoS and possible RCE in asterisk/res/res_stir_shaken/verification.c
  • !GHSA-v9q8-9j8m-5xwp: Uncontrolled Search-Path Element in safe_asterisk script may allow local privilege escalation.
Commits By Author:
  • George Joseph (1):
    • res_stir_shaken: Test for missing semicolon in Identity header.
  • ThatTotallyRealMyth (1):
    • safe_asterisk: Add ownership checks for /etc/asterisk/startup.d and its files.
Commit List:
  • safe_asterisk: Add ownership checks for /etc/asterisk/startup.d and its files.
  • res_stir_shaken: Test for missing semicolon in Identity header.