Certified Asterisk Security Release certified-20.7-cert5

asteriskteam · May 22, 2025, 3:46pm

The Asterisk Development Team would like to announce security release
Certified Asterisk 20.7-cert5.

The release artifacts are available for immediate download at

and

Repository: GitHub - asterisk/asterisk: The official Asterisk Project repository.
Tag: certified-20.7-cert5

Change Log for Release asterisk-certified-20.7-cert5

Links:

Summary:

Commits: 2
Commit Authors: 1
Issues Resolved: 0
Security Advisories Resolved: 2
- GHSA-2grh-7mhv-fcfw: Using malformed From header can forge identity with “;” or NULL in name portion
- GHSA-c7p6-7mvq-8jq2: cli_permissions.conf: deny option does not work for disallowing shell commands

User Notes:

asterisk.c: Add option to restrict shell access from remote consoles.
A new asterisk.conf option ‘disable_remote_console_shell’ has
been added that, when set, will prevent remote consoles from executing
shell commands using the ‘!’ prefix.
Resolves: #GHSA-c7p6-7mvq-8jq2

Upgrade Notes:

Commit Authors:

George Joseph: (2)

Issue and Commit Detail:

Closed Issues:

!GHSA-2grh-7mhv-fcfw: Using malformed From header can forge identity with “;” or NULL in name portion
!GHSA-c7p6-7mvq-8jq2: cli_permissions.conf: deny option does not work for disallowing shell commands

Commits By Author:

George Joseph (2):
- res_pjsip_messaging.c: Mask control characters in received From display name
- asterisk.c: Add option to restrict shell access from remote consoles.

Commit List:

asterisk.c: Add option to restrict shell access from remote consoles.
res_pjsip_messaging.c: Mask control characters in received From display name

Commit Details:

asterisk.c: Add option to restrict shell access from remote consoles.

Author: George Joseph
Date: 2025-05-19

UserNote: A new asterisk.conf option ‘disable_remote_console_shell’ has
been added that, when set, will prevent remote consoles from executing
shell commands using the ‘!’ prefix.

Resolves: #GHSA-c7p6-7mvq-8jq2

res_pjsip_messaging.c: Mask control characters in received From display name

Author: George Joseph
Date: 2025-03-24

Incoming SIP MESSAGEs will now have their From header’s display name
sanitized by replacing any characters < 32 (space) with a space.

Resolves: #GHSA-2grh-7mhv-fcfw

Topic		Replies	Views
Certified Asterisk Security Release certified-18.9-cert14 Asterisk News	2	14	May 22, 2025
Asterisk Security Release 20.14.1 Asterisk News	2	7	May 22, 2025
Asterisk Security Release 22.4.1 Asterisk News	2	10	May 22, 2025
Certified Asterisk Security Release certified-20.7-cert2 Asterisk News	3	20	September 5, 2024
Asterisk Security Release 21.9.1 Asterisk News	2	7	May 22, 2025

Certified Asterisk Security Release certified-20.7-cert5

Change Log for Release asterisk-certified-20.7-cert5

Links:

Summary:

User Notes:

asterisk.c: Add option to restrict shell access from remote consoles.

Upgrade Notes:

Commit Authors:

Issue and Commit Detail:

Closed Issues:

Commits By Author:

George Joseph (2):

Commit List:

Commit Details:

asterisk.c: Add option to restrict shell access from remote consoles.

res_pjsip_messaging.c: Mask control characters in received From display name

Related topics