Bug#1134884: asterisk: CVE-2025-65102 CVE-2026-25994 CVE-2026-41415 CVE-2026-40614 CVE-2026-40892 CVE-2026-41416 CVE-2026-26203 CVE-2026-26967 CVE-2026-32942 CVE-2026-28799 CVE-2026-29068 CVE-2026-32945 CVE-2026-33069 CVE-2026-34235

Rob van der Putten rob at sput.nl
Wed Apr 29 13:15:35 BST 2026


Hi there


On 28/04/2026 20:49, Jonas Smedegaard wrote:

> Hi Chris,
> 
> Quoting Chris Maj via Pkg-voip-maintainers (2026-04-28 18:06:22)
>> Howdy,
>>
>> Hope you are doing well Jonas and VoiP team!
> 
> Yes, thank you. Hope you are doing well too.
> 
>> ASTERISK included patches upstream for PJSIP 2.16 issues - as Rob
>> mentioned - and it does not use the affected parts of PJSIP 2.17 as
>> referenced by Moritz.
> 
> I am aware that Asterisk upstream embeds PJSIP and applies patches on
> top of that.
> 
> I am not sure, however, whether the Debian packaging of Asterisk has
> those same patches applied or not.
> 
> It seems to me that both Rob and you are assuming that Debian source is
> same as Asterisk upstream source.

I backported Asterisk from SID on a Debian 12 / Bookworm system. First 
22.8.2 and now 22.9.0. And the phones work just fine.
I like to have a plan B, so besides Debian style build stuff, I have 
'Sangoma style' build stuff as well. So I can do a backport to Debian 12 
and also download the source from the Asterisk site and then do a 
configure, make menuconfig and make as well. And then compare the 
relevant files after patch.

Unless I'm mistaken, the patches are in 'third-party/pjproject/patches'. 
These concern the following files:
aconfigure
aconfigure.ac
build.mak.in
pjlib/include/pj/os.h
pjnath/src/pjnath/ice_session.c
pjsip/src/pjsip-simple/evsub.c
pjsip/src/pjsip/sip_multipart.c

If the sources are identical and the patches are identical and the 
patches are applied in the same way, then the files after patch should 
be identical as well. And a diff between the two versions of the same 
files should show no result whatsoever.
This is indeed the case. So my assumption seems to be correct.

Hope this helps.


Regards,
Rob
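
The comparison described in the message above, as an added example that is not part of the original post: a script that checks whether the seven patched files are byte-identical in two patched pjproject trees. The two directory arguments and the function name compare_patched_trees are assumptions; point them at the patched pjproject source of the Debian build and of the upstream build.

```shell
#!/bin/sh
# Added example: verify that two patched pjproject trees agree on the files
# touched by Asterisk's bundled patches. Both directory arguments are
# assumptions: pass the patched pjproject source directory of each build.

# Files named in the message above as touched by the patches.
PATCHED_FILES='aconfigure
aconfigure.ac
build.mak.in
pjlib/include/pj/os.h
pjnath/src/pjnath/ice_session.c
pjsip/src/pjsip-simple/evsub.c
pjsip/src/pjsip/sip_multipart.c'

# compare_patched_trees DIR_A DIR_B
# Prints one line per file: SAME, DIFF or MISSING.
# Returns 0 only if every listed file exists in both trees and is identical.
compare_patched_trees() {
    tree_a=$1
    tree_b=$2
    rc=0
    for f in $PATCHED_FILES; do
        if [ ! -f "$tree_a/$f" ] || [ ! -f "$tree_b/$f" ]; then
            # A file absent from either tree proves nothing, so treat it
            # as a failure instead of silently skipping it.
            echo "MISSING $f"
            rc=1
        elif cmp -s "$tree_a/$f" "$tree_b/$f"; then
            echo "SAME    $f"
        else
            echo "DIFF    $f"
            rc=1
        fi
    done
    return $rc
}

# Run the comparison only when called with two directories, e.g.
#   sh compare.sh <debian-patched-pjproject> <upstream-patched-pjproject>
if [ $# -eq 2 ]; then
    compare_patched_trees "$1" "$2"
fi
```

A non-zero exit status means at least one listed file differs or is missing, so the two builds cannot be assumed to carry the same PJSIP fixes.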




