-------------------------------------------------------------------------
Debian LTS Advisory DLA-4515-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Lukas Märdian
March 29, 2026 https://wiki.debian.org/LTS
-------------------------------------------------------------------------
Package : asterisk
Version : 1:16.28.0~dfsg-0+deb11u9
CVE ID : CVE-2026-23738 CVE-2026-23739 CVE-2026-23740 CVE-2026-23741
Debian Bug : 1127438
Multiple vulnerabilities were discovered in asterisk, an Open Source Private
Branch Exchange (PBX) and telephony toolkit.
CVE-2026-23738
XSS vulnerability in the /httpstatus page. Cookie names/values and GET
parameter names/values are rendered without HTML-escaping, allowing
reflected cross-site scripting attacks. The status page is now also
disabled by default.
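The defect class described above is untrusted request data (cookie and GET parameter names and values) written into an HTML response without output encoding. The following is an added example, not code from Asterisk or from the Debian patch: it shows a minimal HTML escaper and a status-page row renderer in the vulnerable form (raw interpolation) beside the hardened form (every field escaped before it reaches the response body). Function names and the sample cookie value are constructed for the illustration.

```c
/* Added example (not Asterisk's http.c): contextual output encoding for
 * request-derived values rendered into an HTML status page. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Return a newly allocated copy of 's' with the five characters that are
 * significant in HTML text and attribute context replaced by entities.
 * Caller frees the result. Returns NULL on allocation failure. */
char *html_escape(const char *s)
{
    size_t len = 0;
    for (const char *p = s; *p; p++) {
        switch (*p) {
        case '&':  len += 5; break;   /* &amp;  */
        case '<':  len += 4; break;   /* &lt;   */
        case '>':  len += 4; break;   /* &gt;   */
        case '"':  len += 6; break;   /* &quot; */
        case '\'': len += 5; break;   /* &#39;  */
        default:   len += 1; break;
        }
    }
    char *out = malloc(len + 1);
    if (!out)
        return NULL;
    char *q = out;
    for (const char *p = s; *p; p++) {
        const char *rep = NULL;
        switch (*p) {
        case '&':  rep = "&amp;";  break;
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        }
        if (rep) {
            size_t n = strlen(rep);
            memcpy(q, rep, n);
            q += n;
        } else {
            *q++ = *p;
        }
    }
    *q = '\0';
    return out;
}

/* Vulnerable pattern: name and value interpolated verbatim into markup.
 * Returns a malloc'd string so the two variants can be compared. */
char *render_row_unsafe(const char *name, const char *value)
{
    size_t n = strlen(name) + strlen(value) + 32;
    char *row = malloc(n);
    if (row)
        snprintf(row, n, "<tr><td>%s</td><td>%s</td></tr>", name, value);
    return row;
}

/* Hardened pattern: both fields pass through html_escape() first. */
char *render_row_safe(const char *name, const char *value)
{
    char *en = html_escape(name), *ev = html_escape(value);
    char *row = NULL;
    if (en && ev) {
        size_t n = strlen(en) + strlen(ev) + 32;
        row = malloc(n);
        if (row)
            snprintf(row, n, "<tr><td>%s</td><td>%s</td></tr>", en, ev);
    }
    free(en);
    free(ev);
    return row;
}

int main(void)
{
    /* Constructed request data: a cookie value carrying markup characters. */
    const char *name = "session", *value = "<b>bold</b> & \"quoted\"";
    char *u = render_row_unsafe(name, value);
    char *s = render_row_safe(name, value);
    printf("vulnerable: %s\nhardened:   %s\n", u, s);
    free(u);
    free(s);
    return 0;
}
```

The escaper covers text and double- or single-quoted attribute contexts; values placed into URLs, scripts or CSS need their own encoders, and a status page that an operator does not need is best left disabled, as the fixed package now does by default.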
CVE-2026-23739
XXE injection vulnerability in xml.c. The XML parsing functions allow
external entity processing which can be exploited for XML External Entity
injection attacks via network-based entity resolution.
CVE-2026-23740
Privilege escalation via ast_coredumper gdbinit file permissions. The
script creates temporary files with default umask permissions, potentially
allowing local users to read or tamper with sensitive debugging data.
CVE-2026-23741
Privilege escalation via ast_coredumper sourcing configuration files
without ownership or permission checks. When running as root, a non-root
user could place a malicious config file that gets sourced with root
privileges.
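The two ast_coredumper issues above share a theme: a privileged helper that writes scratch data under whatever umask it inherited, and that trusts a configuration file by path alone. The following is an added example in C, not the project's shell script or the Debian patch: it shows a scratch file created with an explicit owner-only mode, and an ownership and permission check a root-running tool would make before reading a configuration file. Function names and the temporary-file path are constructed for the illustration.

```c
/* Added example (not Asterisk's ast_coredumper): explicit file modes for
 * scratch data (CVE-2026-23740 pattern) and trust checks before reading a
 * configuration file as a privileged user (CVE-2026-23741 pattern). */
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create a scratch file only the current user can read or write. Relying
 * on the inherited umask would, under the common 022, leave a file created
 * with 0666 world-readable. Returns an open descriptor or -1; 'path'
 * receives the generated name so the caller can unlink it later. */
int create_private_tmpfile(char *path, size_t pathlen)
{
    static const char template[] = "/tmp/gdbinit.XXXXXX"; /* constructed */
    if (pathlen < sizeof template)
        return -1;
    memcpy(path, template, sizeof template);
    int fd = mkstemp(path);            /* O_EXCL: never reuses a planted file */
    if (fd < 0)
        return -1;
    /* Pin the mode explicitly rather than trusting the library default. */
    if (fchmod(fd, S_IRUSR | S_IWUSR) != 0) {
        close(fd);
        unlink(path);
        return -1;
    }
    return fd;
}

/* Decide whether 'path' may be read as configuration by a process acting
 * for 'trusted_uid' (normally geteuid()). Refuses symlinks, non-regular
 * files, files owned by anyone other than that user or root, and files
 * writable by group or others. Returns 1 if trusted, 0 otherwise. */
int config_file_is_trusted(const char *path, uid_t trusted_uid)
{
    struct stat st;
    /* O_NOFOLLOW: a symlink placed by another user is rejected outright. */
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return 0;
    /* fstat on the open descriptor, not stat on the path, so the object
     * checked is the object that would be read. */
    int ok = fstat(fd, &st) == 0
          && S_ISREG(st.st_mode)
          && (st.st_uid == trusted_uid || st.st_uid == 0)
          && (st.st_mode & (S_IWGRP | S_IWOTH)) == 0;
    close(fd);
    return ok;
}

int main(void)
{
    char path[64];
    int fd = create_private_tmpfile(path, sizeof path);
    if (fd < 0) {
        perror("create_private_tmpfile");
        return 1;
    }
    printf("%s: trusted=%d\n", path, config_file_is_trusted(path, geteuid()));
    fchmod(fd, 0666);                  /* simulate a world-writable config */
    printf("%s (0666): trusted=%d\n", path, config_file_is_trusted(path, geteuid()));
    close(fd);
    unlink(path);
    return 0;
}
```

When the consumer is a shell script rather than a C program, the same checks belong before the source or dot command: refuse the file unless it is a regular file owned by the invoking user or root and not writable by anyone else.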
For Debian 11 bullseye, these problems have been fixed in version
1:16.28.0~dfsg-0+deb11u9.
We recommend that you upgrade your asterisk packages.
For the detailed security status of asterisk please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/asterisk
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS