Update for 18.26.3

2025-09-02 11:06:31 +00:00 · 2025-07-31 16:30:17 +00:00
parent 96cf832bca
commit 544aceb34f
6 changed files with 168 additions and 4 deletions
--- a/.version
+++ b/.version
@@ -1 +1 @@
-18.26.2
+18.26.3
--- a/CHANGES.html
+++ b/CHANGES.html
@@ -1 +1 @@
-ChangeLogs/ChangeLog-18.26.2.html
+ChangeLogs/ChangeLog-18.26.3.html
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -1 +1 @@
-ChangeLogs/ChangeLog-18.26.2.md
+ChangeLogs/ChangeLog-18.26.3.md
--- a/ChangeLogs/ChangeLog-18.26.3.html
+++ b/ChangeLogs/ChangeLog-18.26.3.html
@@ -0,0 +1,78 @@
+<html><head><title>ChangeLog for asterisk-18.26.3</title></head><body>
+<h2>Change Log for Release asterisk-18.26.3</h2>
+<h3>Links:</h3>
+<ul>
+<li><a href="https://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-18.26.3.html">Full ChangeLog</a>  </li>
+<li><a href="https://github.com/asterisk/asterisk/compare/18.26.2...18.26.3">GitHub Diff</a>  </li>
+<li><a href="https://downloads.asterisk.org/pub/telephony/asterisk/asterisk-18.26.3.tar.gz">Tarball</a>  </li>
+<li><a href="https://downloads.asterisk.org/pub/telephony/asterisk">Downloads</a>  </li>
+</ul>
+<h3>Summary:</h3>
+<ul>
+<li>Commits: 2</li>
+<li>Commit Authors: 2</li>
+<li>Issues Resolved: 0</li>
+<li>Security Advisories Resolved: 2</li>
+<li><a href="https://github.com/asterisk/asterisk/security/advisories/GHSA-mrq5-74j5-f5cr">GHSA-mrq5-74j5-f5cr</a>: Remote DoS and possible RCE in asterisk/res/res_stir_shaken/verification.c</li>
+<li><a href="https://github.com/asterisk/asterisk/security/advisories/GHSA-v9q8-9j8m-5xwp">GHSA-v9q8-9j8m-5xwp</a>: Uncontrolled Search-Path Element in safe_asterisk script may allow local privilege escalation.</li>
+</ul>
+<h3>User Notes:</h3>
+<h3>Upgrade Notes:</h3>
+<ul>
+<li>
+<h4>safe_asterisk: Add ownership checks for /etc/asterisk/startup.d and its files.</h4>
+  The safe_asterisk script now checks that, if it was run by the
+  root user, the /etc/asterisk/startup.d directory and all the files it contains
+  are owned by root.  If the checks fail, safe_asterisk will exit with an error
+  and Asterisk will not be started.  Additionally, the default logging
+  destination is now stderr instead of tty "9" which probably won't exist
+  in modern systems.</li>
+</ul>
+<h3>Developer Notes:</h3>
+<h3>Commit Authors:</h3>
+<ul>
+<li>George Joseph: (1)</li>
+<li>ThatTotallyRealMyth: (1)</li>
+</ul>
+<h2>Issue and Commit Detail:</h2>
+<h3>Closed Issues:</h3>
+<ul>
+<li>!GHSA-mrq5-74j5-f5cr: Remote DoS and possible RCE in asterisk/res/res_stir_shaken/verification.c</li>
+<li>!GHSA-v9q8-9j8m-5xwp: Uncontrolled Search-Path Element in safe_asterisk script may allow local privilege escalation.</li>
+</ul>
+<h3>Commits By Author:</h3>
+<ul>
+<li>
+<h4>George Joseph (1):</h4>
+</li>
+<li>
+<p>res_stir_shaken: Test for missing semicolon in Identity header.</p>
+</li>
+<li>
+<h4>ThatTotallyRealMyth (1):</h4>
+</li>
+<li>safe_asterisk: Add ownership checks for /etc/asterisk/startup.d and its files.</li>
+</ul>
+<h3>Commit List:</h3>
+<ul>
+<li>safe_asterisk: Add ownership checks for /etc/asterisk/startup.d and its files.</li>
+<li>res_stir_shaken: Test for missing semicolon in Identity header.</li>
+</ul>
+<h3>Commit Details:</h3>
+<h4>safe_asterisk: Add ownership checks for /etc/asterisk/startup.d and its files.</h4>
+<p>Author: ThatTotallyRealMyth
+  Date:   2025-06-10</p>
+<p>UpgradeNote: The safe_asterisk script now checks that, if it was run by the
+  root user, the /etc/asterisk/startup.d directory and all the files it contains
+  are owned by root.  If the checks fail, safe_asterisk will exit with an error
+  and Asterisk will not be started.  Additionally, the default logging
+  destination is now stderr instead of tty "9" which probably won't exist
+  in modern systems.</p>
+<p>Resolves: #GHSA-v9q8-9j8m-5xwp</p>
+<h4>res_stir_shaken: Test for missing semicolon in Identity header.</h4>
+<p>Author: George Joseph
+  Date:   2025-07-31</p>
+<p>ast_stir_shaken_vs_verify() now makes sure there's a semicolon in
+  the Identity header to prevent a possible segfault.</p>
+<p>Resolves: #GHSA-mrq5-74j5-f5cr</p>
+</body></html>
--- a/ChangeLogs/ChangeLog-18.26.3.md
+++ b/ChangeLogs/ChangeLog-18.26.3.md
@@ -0,0 +1,86 @@
+
+## Change Log for Release asterisk-18.26.3
+
+### Links:
+
+ - [Full ChangeLog](https://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-18.26.3.html)  
+ - [GitHub Diff](https://github.com/asterisk/asterisk/compare/18.26.2...18.26.3)  
+ - [Tarball](https://downloads.asterisk.org/pub/telephony/asterisk/asterisk-18.26.3.tar.gz)  
+ - [Downloads](https://downloads.asterisk.org/pub/telephony/asterisk)  
+
+### Summary:
+
+- Commits: 2
+- Commit Authors: 2
+- Issues Resolved: 0
+- Security Advisories Resolved: 2
+  - [GHSA-mrq5-74j5-f5cr](https://github.com/asterisk/asterisk/security/advisories/GHSA-mrq5-74j5-f5cr): Remote DoS and possible RCE in asterisk/res/res_stir_shaken/verification.c
+  - [GHSA-v9q8-9j8m-5xwp](https://github.com/asterisk/asterisk/security/advisories/GHSA-v9q8-9j8m-5xwp): Uncontrolled Search-Path Element in safe_asterisk script may allow local privilege escalation.
+
+### User Notes:
+
+
+### Upgrade Notes:
+
+- #### safe_asterisk: Add ownership checks for /etc/asterisk/startup.d and its files.  
+  The safe_asterisk script now checks that, if it was run by the
+  root user, the /etc/asterisk/startup.d directory and all the files it contains
+  are owned by root.  If the checks fail, safe_asterisk will exit with an error
+  and Asterisk will not be started.  Additionally, the default logging
+  destination is now stderr instead of tty "9" which probably won't exist
+  in modern systems.
+
+
+### Developer Notes:
+
+
+### Commit Authors:
+
+- George Joseph: (1)
+- ThatTotallyRealMyth: (1)
+
+## Issue and Commit Detail:
+
+### Closed Issues:
+
+  - !GHSA-mrq5-74j5-f5cr: Remote DoS and possible RCE in asterisk/res/res_stir_shaken/verification.c
+  - !GHSA-v9q8-9j8m-5xwp: Uncontrolled Search-Path Element in safe_asterisk script may allow local privilege escalation.
+
+### Commits By Author:
+
+- #### George Joseph (1):
+  - res_stir_shaken: Test for missing semicolon in Identity header.
+
+- #### ThatTotallyRealMyth (1):
+  - safe_asterisk: Add ownership checks for /etc/asterisk/startup.d and its files.
+
+
+### Commit List:
+
+-  safe_asterisk: Add ownership checks for /etc/asterisk/startup.d and its files.
+-  res_stir_shaken: Test for missing semicolon in Identity header.
+
+### Commit Details:
+
+#### safe_asterisk: Add ownership checks for /etc/asterisk/startup.d and its files.
+  Author: ThatTotallyRealMyth
+  Date:   2025-06-10
+
+  UpgradeNote: The safe_asterisk script now checks that, if it was run by the
+  root user, the /etc/asterisk/startup.d directory and all the files it contains
+  are owned by root.  If the checks fail, safe_asterisk will exit with an error
+  and Asterisk will not be started.  Additionally, the default logging
+  destination is now stderr instead of tty "9" which probably won't exist
+  in modern systems.
+
+  Resolves: #GHSA-v9q8-9j8m-5xwp
+
+#### res_stir_shaken: Test for missing semicolon in Identity header.
+  Author: George Joseph
+  Date:   2025-07-31
+
+  ast_stir_shaken_vs_verify() now makes sure there's a semicolon in
+  the Identity header to prevent a possible segfault.
+
+  Resolves: #GHSA-mrq5-74j5-f5cr
+
--- a/README.html
+++ b/README.html
@@ -1,4 +1,4 @@
-<html><head><title>Readme for asterisk-18.26.2</title></head><body>
+<html><head><title>Readme for asterisk-18.26.3</title></head><body>
 <h1>The Asterisk(R) Open Source PBX</h1>
 <pre><code class="language-text">        By Mark Spencer &lt;markster@digium.com&gt; and the Asterisk.org developer community.
        Copyright (C) 2001-2021 Sangoma Technologies Corporation and other copyright holders.
@@ -1 +1 @@
 .26.2
 .26.3