Bug#1134884: asterisk: CVE-2025-65102 CVE-2026-25994 CVE-2026-41415 CVE-2026-40614 CVE-2026-40892 CVE-2026-41416 CVE-2026-26203 CVE-2026-26967 CVE-2026-32942 CVE-2026-28799 CVE-2026-29068 CVE-2026-32945 CVE-2026-33069 CVE-2026-34235

Jonas Smedegaard jonas at jones.dk
Wed Apr 29 13:25:10 BST 2026


Quoting Rob van der Putten via Pkg-voip-maintainers (2026-04-29 14:15:35)
> On 28/04/2026 20:49, Jonas Smedegaard wrote:
> 
> > Hi Chris,
> > 
> > Quoting Chris Maj via Pkg-voip-maintainers (2026-04-28 18:06:22)
> >> Howdy,
> >>
> >> Hope you are doing well Jonas and VoIP team!
> > 
> > Yes, thank you. Hope you are doing well too.
> > 
> >> ASTERISK included patches upstream for PJSIP 2.16 issues - as Rob
> >> mentioned - and it does not use the affected parts of PJSIP 2.17 as
> >> referenced by Moritz.
> > 
> > I am aware that Asterisk upstream embeds PJSIP and applies patches on
> > top of that.
> > 
> > I am not sure, however, whether the Debian packaging of Asterisk has
> > those same patches applied or not.
> > 
> > It seems to me that both Rob and you are assuming that Debian source is
> > the same as Asterisk upstream source.
> 
> I backported Asterisk from SID on a Debian 12 / Bookworm system. First 
> 22.8.2 and now 22.9.0. And the phones work just fine.
> I like to have a plan B, so besides Debian style build stuff, I have 
> 'Sangoma style' build stuff as well. So I can do a backport to Debian 12 
> and also download the source from the Asterisk site and then do a 
> configure, make menuconfig and make as well. And then compare the 
> relevant files after patch.
> 
> Unless I'm mistaken, the patches are in 'third-party/pjproject/patches'. 
> These concern the following files:
> aconfigure
> aconfigure.ac
> build.mak.in
> pjlib/include/pj/os.h
> pjnath/src/pjnath/ice_session.c
> pjsip/src/pjsip-simple/evsub.c
> pjsip/src/pjsip/sip_multipart.c
> 
> If the sources are identical and the patches are identical and the 
> patches are applied in the same way, then the files after patch should 
> be identical as well. And a diff between the two versions of the same 
> files should show no result whatsoever.
> This is indeed the case. So my assumption seems to be correct.

Thanks for diving in.

If you are confident that this bug is solved, then please close it.

What I mean by that is please take responsibility: We need more people
than just me taking responsibility for maintaining Asterisk in Debian.

 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/
 * Sponsorship: https://ko-fi.com/drjones

 [x] quote me freely  [ ] ask before reusing  [ ] keep private
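
The comparison described in the quoted message, as an added example that is not part of the original thread and is not any participant's script. The function name and the two tree roots passed as arguments are assumptions; only the file list comes from the message. A missing file is reported as a failure, because an empty diff alone cannot distinguish "identical" from "not there".

```shell
#!/bin/sh
# Files the thread lists as touched by third-party/pjproject/patches.
PJ_FILES='aconfigure
aconfigure.ac
build.mak.in
pjlib/include/pj/os.h
pjnath/src/pjnath/ice_session.c
pjsip/src/pjsip-simple/evsub.c
pjsip/src/pjsip/sip_multipart.c'

# compare_patched_trees DEBIAN_TREE UPSTREAM_TREE   (hypothetical helper)
# Both arguments are roots of already-patched pjproject sources; the caller
# decides where those are (assumption, the thread does not give the paths).
# Prints one status line per file and returns 0 only if every listed file
# exists in both trees and is byte-identical.
compare_patched_trees() {
    deb=$1
    up=$2
    rc=0
    for f in $PJ_FILES; do
        if [ ! -f "$deb/$f" ] || [ ! -f "$up/$f" ]; then
            # Absent files would also produce "no diff output": flag them.
            echo "MISSING   $f"
            rc=1
        elif cmp -s "$deb/$f" "$up/$f"; then
            echo "IDENTICAL $f"
        else
            echo "DIFFERS   $f"
            rc=1
        fi
    done
    return $rc
}

# Stand-alone use: sh script.sh DEBIAN_TREE UPSTREAM_TREE
if [ "$#" -eq 2 ]; then
    compare_patched_trees "$1" "$2"
fi
```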


