Asterisk Security Release 18.26.1

The Asterisk Development Team would like to announce security release
Asterisk 18.26.1.

The release artifacts are available for immediate download at

and
https://downloads.asterisk.org/pub/telephony/asterisk

Repository: GitHub - asterisk/asterisk: The official Asterisk Project repository.
Tag: 18.26.1

Change Log for Release asterisk-18.26.1

Links:

Summary:

  • Commits: 1
  • Commit Authors: 1
  • Issues Resolved: 0
  • Security Advisories Resolved: 1

User Notes:

  • manager.c: Restrict ListCategories to the configuration directory.

    The ListCategories AMI action now restricts files to the
    configured configuration directory.

Upgrade Notes:

Commit Authors:

  • Ben Ford: (1)

Issue and Commit Detail:

Closed Issues:

  • !GHSA-33x6-fj46-6rfh: Path traversal via AMI ListCategories allows access to outside files

Commits By Author:

  • Ben Ford (1):

    • manager.c: Restrict ListCategories to the configuration directory.

Commit List:

  • manager.c: Restrict ListCategories to the configuration directory.

Commit Details:

manager.c: Restrict ListCategories to the configuration directory.

Author: Ben Ford
Date: 2024-12-17

When using the ListCategories AMI action, it was possible to traverse
upwards through the directories to files outside of the configured
configuration directory. This action is now restricted to the configured
directory and an error will now be returned if the specified file is
outside of this limitation.

Resolves: #GHSA-33x6-fj46-6rfh

UserNote: The ListCategories AMI action now restricts files to the
configured configuration directory.