stable

asterisk-18.26.4-1.fc44

FEDORA-2026-38d71393c1 created by peter 2 months ago for Fedora 44

Update to Asterisk 18.26.4, addressing numerous security vulnerabilities accumulated since the long-stale 18.12.1 package. The following CVEs are fixed in this update:

  • CVE-2022-26498 (fixed in 18.13.0): use-after-free in chan_ooh323
  • CVE-2022-42705 (fixed in 18.15.0): use-after-free in res_pjsip_pubsub
  • CVE-2022-37325 (fixed in 18.15.1): crash in H323 channel via malformed IE
  • CVE-2023-37457 (fixed in 18.20.0): buffer overflow in PJSIP_HEADER function
  • CVE-2023-49294 (fixed in 18.20.1): arbitrary file read via AMI GetConfig
  • CVE-2023-49786 (fixed in 18.20.1): DTLS race condition causing DoS
  • CVE-2024-35190 (fixed in 18.23.1): unauthorized SIP requests matched as endpoint
  • CVE-2024-42365 (fixed in 18.24.2): Write=originate allows code execution
  • CVE-2024-42491 (fixed in 18.25.0): crash via malformed Contact/Record-Route URI
  • CVE-2025-49832 (fixed in 18.26.3): DoS/RCE in res_stir_shaken
  • CVE-2025-47779 (fixed in 18.26.2): identity forging via malformed From header
  • CVE-2025-1131 (fixed in 18.26.3): local privilege escalation via safe_asterisk
  • CVE-2025-54995 (fixed in 18.26.4): resource exhaustion via RTP port leak

Also fixes F44FailsToInstall for asterisk-snmp (BZ#2433748).

How to install

Updates may require up to 24 hours to propagate to mirrors. If the following command doesn't work, please retry later:

sudo dnf upgrade --refresh --advisory=FEDORA-2026-38d71393c1

This update has been submitted for testing by peter.

2 months ago

This update's test gating status has been changed to 'ignored'.

2 months ago

This update has been pushed to testing.

a month ago

This update can be pushed to stable now if the maintainer wishes.

a month ago

This update has been submitted for stable by peter.

a month ago

This update has been pushed to stable.

a month ago


Metadata
Type: security
Severity: urgent
Karma: 0
Signed
Content Type: RPM
Test Gating
Autopush Settings
  Unstable by Karma: -3
  Stable by Karma: disabled
  Stable by Time: disabled
Dates
  submitted: 2 months ago
  in testing: a month ago
  in stable: a month ago
  approved: a month ago

BZ#2076245 CVE-2022-26498 CVE-2022-26499 CVE-2022-26651 asterisk: multiple vulnerabilities [fedora-all]
BZ#2150945 CVE-2022-42705 asterisk: Use after free in res_pjsip_pubsub.c [fedora-all]
BZ#2150951 CVE-2022-37325 asterisk: Remote Crash Vulnerability in H323 channel add on [fedora-all]
BZ#2254627 TRIAGE CVE-2023-37457 asterisk: potential buffer overflow in PJSIP_HEADER dialplan function [fedora-all]
BZ#2254632 TRIAGE CVE-2023-49294 asterisk: access to arbitrary files via directory traversal [fedora-all]
BZ#2254635 TRIAGE CVE-2023-49786 asterisk: race condition in the hello handshake phase of the DTLS protocol triggers denial of service [fedora-all]
BZ#2281497 CVE-2024-35190 asterisk: wrongly matches ALL unauthorized SIP requests [fedora-all]
BZ#2303919 CVE-2024-42365 asterisk: Write=originate, is sufficient permissions for code execution / System() dialplan [fedora-all]
BZ#2310293 CVE-2024-42491 asterisk: A malformed Contact or Record-Route URI in an incoming SIP request can cause crash [fedora-39]
BZ#2310294 CVE-2024-42491 asterisk: A malformed Contact or Record-Route URI in an incoming SIP request can cause crash [fedora-40]
BZ#2386209 CVE-2025-49832 asterisk: Asterisk SIP Profile Remote Code Execution [fedora-41]
BZ#2386210 CVE-2025-49832 asterisk: Asterisk SIP Profile Remote Code Execution [fedora-42]
BZ#2391521 CVE-2025-54995 asterisk: Asterisk resource exhaustion [fedora-41]
BZ#2391522 CVE-2025-54995 asterisk: Asterisk resource exhaustion [fedora-42]
BZ#2395449 CVE-2025-47779 asterisk: Using malformed From header can forge identity with ";" or NULL in name portion [fedora-41]
BZ#2395450 CVE-2025-47779 asterisk: Using malformed From header can forge identity with ";" or NULL in name portion [fedora-42]
BZ#2397958 CVE-2025-1131 asterisk: Asterisk Unsafe Shell Sourcing Leads to Local Privilege Escalation [fedora-41]
BZ#2397959 CVE-2025-1131 asterisk-sounds-core: Asterisk Unsafe Shell Sourcing Leads to Local Privilege Escalation [fedora-41]
BZ#2397961 CVE-2025-1131 asterisk: Asterisk Unsafe Shell Sourcing Leads to Local Privilege Escalation [fedora-42]
BZ#2397962 CVE-2025-1131 asterisk-sounds-core: Asterisk Unsafe Shell Sourcing Leads to Local Privilege Escalation [fedora-42]
BZ#2433748 F44FailsToInstall: asterisk-snmp
