asterisk-18.26.4-1.fc44
Update to Asterisk 18.26.4, addressing numerous security vulnerabilities accumulated since the long-stale 18.12.1 package. The following CVEs are fixed in this update:
- CVE-2022-26498 (fixed in 18.13.0): use-after-free in chan_ooh323
- CVE-2022-42705 (fixed in 18.15.0): use-after-free in res_pjsip_pubsub
- CVE-2022-37325 (fixed in 18.15.1): crash in H323 channel via malformed IE
- CVE-2023-37457 (fixed in 18.20.0): buffer overflow in PJSIP_HEADER function
- CVE-2023-49294 (fixed in 18.20.1): arbitrary file read via AMI GetConfig
- CVE-2023-49786 (fixed in 18.20.1): DTLS race condition causing DoS
- CVE-2024-35190 (fixed in 18.23.1): unauthorized SIP requests matched as endpoint
- CVE-2024-42365 (fixed in 18.24.2): Write=originate allows code execution
- CVE-2024-42491 (fixed in 18.25.0): crash via malformed Contact/Record-Route URI
- CVE-2025-49832 (fixed in 18.26.3): DoS/RCE in res_stir_shaken
- CVE-2025-47779 (fixed in 18.26.2): identity forging via malformed From header
- CVE-2025-1131 (fixed in 18.26.3): local privilege escalation via safe_asterisk
- CVE-2025-54995 (fixed in 18.26.4): resource exhaustion via RTP port leak
Also fixes F44FailsToInstall for asterisk-snmp (BZ#2433748).