Bug#1134884: asterisk: CVE-2025-65102 CVE-2026-25994 CVE-2026-41415 CVE-2026-40614 CVE-2026-40892 CVE-2026-41416 CVE-2026-26203 CVE-2026-26967 CVE-2026-32942 CVE-2026-28799 CVE-2026-29068 CVE-2026-32945 CVE-2026-33069 CVE-2026-34235

Rob van der Putten rob at sput.nl
Thu Apr 30 09:57:54 BST 2026


Hi there


On 29/04/2026 14:25, Jonas Smedegaard wrote:

> Quoting Rob van der Putten via Pkg-voip-maintainers (2026-04-29 14:15:35)
>> On 28/04/2026 20:49, Jonas Smedegaard wrote:
>>
>>> Hi Chris,
>>>
>>> Quoting Chris Maj via Pkg-voip-maintainers (2026-04-28 18:06:22)
>>>> Howdy,
>>>>
>>>> Hope you are doing well Jonas and VoiP team!
>>>
>>> Yes, thank you. Hope you are doing well too.
>>>
>>>> ASTERISK included patches upstream for PJSIP 2.16 issues - as Rob
>>>> mentioned - and it does not use the affected parts of PJSIP 2.17 as
>>>> referenced by Moritz.
>>>
>>> I am aware that Asterisk upstream embeds PJSIP and applies patches on
>>> top of that.
>>>
>>> I am not sure, however, whether the Debian packaging of Asterisk has
>>> those same patches applied or not.
>>>
>>> It seems to me that both Rob and you are assuming that Debian source is
>>> same as Asterisk upstream source.
>>
>> I backported Asterisk from SID on a Debian 12 / Bookworm system. First
>> 22.8.2 and now 22.9.0. And the phones work just fine.
>> I like to have a plan B, so besides Debian style build stuff, I have
>> 'Sangoma style' build stuff as well. So I can do a backport to Debian 12
>> and also download the source from the Asterisk site and then do a
>> configure, make menuconfig and make as well. And then compare the
>> relevant files after patch.
>>
>> Unless I'm mistaken, the patches are in 'third-party/pjproject/patches'.
>> These concern the following files:
>> aconfigure
>> aconfigure.ac
>> build.mak.in
>> pjlib/include/pj/os.h
>> pjnath/src/pjnath/ice_session.c
>> pjsip/src/pjsip-simple/evsub.c
>> pjsip/src/pjsip/sip_multipart.c
>>
>> If the sources are identical and the patches are identical and the
>> patches are applied in the same way, then the files after patch should
>> be identical as well. And a diff between the two versions of the same
>> files should show no result whatsoever.
>> This is indeed the case. So my assumption seems to be correct.
> 
> Thanks for diving in.
> 
> If you are confident that this bug is solved, then please close it.

I'm confident enough to actually use the software.
I'm not a maintainer, but if I understand correctly, it is customary for 
either the maintainer or the reporter to close the bug.
Perhaps Moritz can confirm my findings and then close the bug for 
Asterisk 22.9.0.

> What I mean by that is please take responsibility: We need more people
> than just me taking responsibility for maintaining Asterisk in Debian.
This is absolutely clear.


Regards,
Rob
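
The file comparison described in the quoted text above, sketched as an added example (not part of the original message, and not Debian or Asterisk tooling). It assumes two already-patched pjproject source trees are available locally; the two directory arguments and the function name `compare_trees` are hypothetical, and the file list is the one given in the thread.

```shell
#!/bin/sh
# Added example: check that the pjproject files touched by
# 'third-party/pjproject/patches' are byte-identical in two patched trees
# (for instance the Debian-built tree and the upstream-built tree).
# Usage (paths are assumptions): sh compare.sh DEBIAN_PJPROJECT_DIR UPSTREAM_PJPROJECT_DIR

# Files named in the thread as being modified by the patches.
PJ_FILES='aconfigure
aconfigure.ac
build.mak.in
pjlib/include/pj/os.h
pjnath/src/pjnath/ice_session.c
pjsip/src/pjsip-simple/evsub.c
pjsip/src/pjsip/sip_multipart.c'

# compare_trees DIR_A DIR_B
# Prints one status line per file (SAME, DIFF or MISSING).
# Returns 0 only when every listed file exists in both trees and matches.
compare_trees() {
    a=$1
    b=$2
    rc=0
    for f in $PJ_FILES; do
        if [ ! -f "$a/$f" ] || [ ! -f "$b/$f" ]; then
            # A missing file means the trees are not comparable at all.
            echo "MISSING $f"
            rc=1
        elif cmp -s "$a/$f" "$b/$f"; then
            echo "SAME    $f"
        else
            # Differing content: the patch sets or base sources diverge here.
            echo "DIFF    $f"
            rc=1
        fi
    done
    return "$rc"
}

# Run only when both tree paths are supplied on the command line.
if [ "$#" -eq 2 ]; then
    compare_trees "$1" "$2"
fi
```

A zero exit status corresponds to the "no result whatsoever" outcome described in the thread; any `DIFF` or `MISSING` line identifies the file to inspect with `diff -u`.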




