Skip to content

Asterisk

Communication & Email

Open source PBX and telephony toolkit connecting VoIP, PSTN, and hardware channels to applications

Track releases GitHub Website
C Latest certified-18.9-cert18 · 1mo ago Security brief →

Features

  • Supports SIP/VoIP and traditional PSTN interfaces
  • Works with a wide range of telephony hardware (Sangoma cards, sound cards via PortAudio, Xorcom Astribank)
  • Configurable module selection via menuselect
  • Provides sample PBX configuration for quick testing

Recent releases

View all 44 releases →
certified-18.9-cert18 Bug fix

Fixed missing PLAR support on INVITEs with empty extensions by mapping them to the 's' extension.

Full changelog

The Asterisk Development Team would like to announce
the release of Certified asterisk-18.9-cert18.

The release artifacts are available for immediate download at
https://github.com/asterisk/asterisk/releases/tag/certified-18.9-cert18
and
https://downloads.asterisk.org/pub/telephony/certified-asterisk

Repository: https://github.com/asterisk/asterisk
Tag: certified-18.9-cert18

This release resolves issues reported by the community
and would have not been possible without your participation.

Thank You!

Change Log for Release asterisk-certified-18.9-cert18

Links:

Summary:

  • Commits: 1
  • Commit Authors: 1
  • Issues Resolved: 1
  • Security Advisories Resolved: 0

User Notes:

Upgrade Notes:

Developer Notes:

Commit Authors:

  • Naveen Albert: (1)

Issue and Commit Detail:

Closed Issues:

  • ASTERISK-30265: res_pjsip_session: Fix missing PLAR support on INVITEs

Commits By Author:

  • Naveen Albert (1):

    • res_pjsip_session.c: Map empty extensions in INVITEs to s.

Commit List:

  • res_pjsip_session.c: Map empty extensions in INVITEs to s.

Commit Details:

res_pjsip_session.c: Map empty extensions in INVITEs to s.

Author: Naveen Albert
Date: 2022-10-17

Some SIP devices use an empty extension for PLAR functionality.

Rather than rejecting these empty extensions, we now use the s
extension for such calls to mirror the existing PLAR functionality
in Asterisk (e.g. chan_dahdi).

ASTERISK-30265 #close

View release on GitHub
certified-22.8-cert2 Security relevant
Security fixes
  • dep: GHSA-j29p-pvh2-pvqp – Buffer overflow in ICE with long username
  • dep: GHSA-8fj4-fv9f-hjpc – Heap use-after-free in PJSIP presence subscription termination header
  • dep: GHSA-g88q-c2hm-q7p7 – ICE session use-after-free race conditions
Full changelog

The Asterisk Development Team would like to announce
the release of Certified asterisk-22.8-cert2.

The release artifacts are available for immediate download at
https://github.com/asterisk/asterisk/releases/tag/certified-22.8-cert2
and
https://downloads.asterisk.org/pub/telephony/certified-asterisk

Repository: https://github.com/asterisk/asterisk
Tag: certified-22.8-cert2

This release resolves issues reported by the community
and would have not been possible without your participation.

Thank You!

Change Log for Release asterisk-certified-22.8-cert2

Links:

Summary:

  • Commits: 1
  • Commit Authors: 1
  • Issues Resolved: 1
  • Security Advisories Resolved: 0

User Notes:

Upgrade Notes:

Developer Notes:

Commit Authors:

  • Mike Bradeen: (1)

Issue and Commit Detail:

Closed Issues:

  • 1833: [bug]: Address security vulnerabilities in pjproject

Commits By Author:

  • Mike Bradeen (1):

    • res_pjsip: Address pjproject security vulnerabilities

Commit List:

  • res_pjsip: Address pjproject security vulnerabilities

Commit Details:

res_pjsip: Address pjproject security vulnerabilities

Author: Mike Bradeen
Date: 2026-03-25

Address the following pjproject security vulnerabilities

GHSA-j29p-pvh2-pvqp - Buffer overflow in ICE with long username
GHSA-8fj4-fv9f-hjpc - Heap use-after-free in PJSIP presense subscription termination header
GHSA-g88q-c2hm-q7p7 - ICE session use-after-free race conditions
GHSA-x5pq-qrp4-fmrj - Out-of-bounds read in SIP multipart parsing

Resolves: #1833

View release on GitHub
certified-20.7-cert10 Security relevant
Security fixes
  • dep: GHSA-j29p-pvh2-pvqp – Buffer overflow in ICE with long username
  • dep: GHSA-8fj4-fv9f-hjpc – Heap use‑after‑free in PJSIP presence subscription termination header
  • dep: GHSA-g88q-c2hm-q7p7 – ICE session use‑after‑free race conditions
Full changelog

The Asterisk Development Team would like to announce
the release of Certified asterisk-20.7-cert10.

The release artifacts are available for immediate download at
https://github.com/asterisk/asterisk/releases/tag/certified-20.7-cert10
and
https://downloads.asterisk.org/pub/telephony/certified-asterisk

Repository: https://github.com/asterisk/asterisk
Tag: certified-20.7-cert10

This release resolves issues reported by the community
and would have not been possible without your participation.

Thank You!

Change Log for Release asterisk-certified-20.7-cert10

Links:

Summary:

  • Commits: 1
  • Commit Authors: 1
  • Issues Resolved: 1
  • Security Advisories Resolved: 0

User Notes:

Upgrade Notes:

Developer Notes:

Commit Authors:

  • Mike Bradeen: (1)

Issue and Commit Detail:

Closed Issues:

  • 1833: [bug]: Address security vulnerabilities in pjproject

Commits By Author:

  • Mike Bradeen (1):

    • res_pjsip: Address pjproject security vulnerabilities

Commit List:

  • res_pjsip: Address pjproject security vulnerabilities

Commit Details:

res_pjsip: Address pjproject security vulnerabilities

Author: Mike Bradeen
Date: 2026-03-24

Address the following pjproject security vulnerabilities

GHSA-j29p-pvh2-pvqp - Buffer overflow in ICE with long username
GHSA-8fj4-fv9f-hjpc - Heap use-after-free in PJSIP presense subscription termination header
GHSA-g88q-c2hm-q7p7 - ICE session use-after-free race conditions
GHSA-x5pq-qrp4-fmrj - Out-of-bounds read in SIP multipart parsing

Resolves: #1833

View release on GitHub
21.12.2 Security relevant
Security fixes
  • dep: GHSA-j29p-pvh2-pvqp — Buffer overflow in ICE with long username
  • dep: GHSA-8fj4-fv9f-hjpc — Heap use-after-free in PJSIP presence subscription termination header
  • dep: GHSA-g88q-c2hm-q7p7 — ICE session use-after-free race conditions
Full changelog

The Asterisk Development Team would like to announce
the release of asterisk-21.12.2.

The release artifacts are available for immediate download at
https://github.com/asterisk/asterisk/releases/tag/21.12.2
and
https://downloads.asterisk.org/pub/telephony/asterisk

Repository: https://github.com/asterisk/asterisk
Tag: 21.12.2

This release resolves issues reported by the community
and would have not been possible without your participation.

Thank You!

Change Log for Release asterisk-21.12.2

Links:

Summary:

  • Commits: 1
  • Commit Authors: 1
  • Issues Resolved: 1
  • Security Advisories Resolved: 0

User Notes:

Upgrade Notes:

Developer Notes:

Commit Authors:

  • Mike Bradeen: (1)

Issue and Commit Detail:

Closed Issues:

  • 1833: [bug]: Address security vulnerabilities in pjproject

Commits By Author:

  • Mike Bradeen (1):

    • res_pjsip: Address pjproject security vulnerabilities

Commit List:

  • res_pjsip: Address pjproject security vulnerabilities

Commit Details:

res_pjsip: Address pjproject security vulnerabilities

Author: Mike Bradeen
Date: 2026-03-25

Address the following pjproject security vulnerabilities

GHSA-j29p-pvh2-pvqp - Buffer overflow in ICE with long username
GHSA-8fj4-fv9f-hjpc - Heap use-after-free in PJSIP presense subscription termination header
GHSA-g88q-c2hm-q7p7 - ICE session use-after-free race conditions
GHSA-x5pq-qrp4-fmrj - Out-of-bounds read in SIP multipart parsing

Resolves: #1833

View release on GitHub
23.2.2 Security relevant
⚠ Upgrade required
  • /httpstatus page is now disabled by default; enable it with `enable_status=yes` in http.conf
  • ast_debug_tools.conf must be owned by root and not writable by other users or groups for ast_coredumper, ast_logescalator, and ast_loggrabber
Security fixes
  • GHSA-85x7-54wr-vh42 — xml.c uses unsafe XML_PARSE_NOENT leading to potential XXE Injection
  • GHSA-rvch-3jmx-3jf3 — ast_coredumper sources ast_debug_tools.conf as root, risking privilege escalation
  • GHSA-v6hp-wh3r-cwxh — /httpstatus page echoes user‑supplied values without sanitization (reflected XSS/XXE risk)
Full changelog

The Asterisk Development Team would like to announce security release
Asterisk 23.2.2.

The release artifacts are available for immediate download at
https://github.com/asterisk/asterisk/releases/tag/23.2.2
and
https://downloads.asterisk.org/pub/telephony/asterisk

Repository: https://github.com/asterisk/asterisk
Tag: 23.2.2

Change Log for Release asterisk-23.2.2

Links:

Summary:

  • Commits: 4
  • Commit Authors: 2
  • Issues Resolved: 0
  • Security Advisories Resolved: 4
    • GHSA-85x7-54wr-vh42: Asterisk xml.c uses unsafe XML_PARSE_NOENT leading to potential XXE Injection
    • GHSA-rvch-3jmx-3jf3: ast_coredumper running as root sources ast_debug_tools.conf from /etc/asterisk; potentially leading to privilege escalation
    • GHSA-v6hp-wh3r-cwxh: The Asterisk embedded web server's /httpstatus page echos user supplied values(cookie and query string) without sanitization
    • GHSA-xpc6-x892-v83c: ast_coredumper runs as root, and writes gdb init file to world writeable folder; leading to potential privilege escalation

User Notes:

  • ast_coredumper: check ast_debug_tools.conf permissions

    ast_debug_tools.conf must be owned by root and not be
    writable by other users or groups to be used by ast_coredumper or
    by ast_logescalator or ast_loggrabber when run as root.

Upgrade Notes:

  • http.c: Change httpstatus to default disabled and sanitize output.

    To prevent possible security issues, the /httpstatus page
    served by the internal web server is now disabled by default. To explicitly
    enable it, set enable_status=yes in http.conf.

Developer Notes:

Commit Authors:

  • George Joseph: (2)
  • Mike Bradeen: (2)

Issue and Commit Detail:

Closed Issues:

  • !GHSA-85x7-54wr-vh42: Asterisk xml.c uses unsafe XML_PARSE_NOENT leading to potential XXE Injection
  • !GHSA-rvch-3jmx-3jf3: ast_coredumper running as root sources ast_debug_tools.conf from /etc/asterisk; potentially leading to privilege escalation
  • !GHSA-v6hp-wh3r-cwxh: The Asterisk embedded web server's /httpstatus page echos user supplied values(cookie and query string) without sanitization
  • !GHSA-xpc6-x892-v83c: ast_coredumper runs as root, and writes gdb init file to world writeable folder; leading to potential privilege escalation

Commits By Author:

  • George Joseph (2):

  • Mike Bradeen (2):

Commit List:

  • xml.c: Replace XML_PARSE_NOENT with XML_PARSE_NONET for xmlReadFile.
  • ast_coredumper: check ast_debug_tools.conf permissions
  • http.c: Change httpstatus to default disabled and sanitize output.
  • ast_coredumper: create gdbinit file with restrictive permissions

Commit Details:

xml.c: Replace XML_PARSE_NOENT with XML_PARSE_NONET for xmlReadFile.

Author: George Joseph
Date: 2026-01-15

The xmlReadFile XML_PARSE_NOENT flag, which allows parsing of external
entities, could allow a potential XXE injection attack. Replacing it with
XML_PARSE_NONET, which prevents network access, is safer.

Resolves: #GHSA-85x7-54wr-vh42

ast_coredumper: check ast_debug_tools.conf permissions

Author: Mike Bradeen
Date: 2026-01-15

Prevent ast_coredumper from using ast_debug_tools.conf files that are
not owned by root or are writable by other users or groups.

Prevent ast_logescalator and ast_loggrabber from doing the same if
they are run as root.

Resolves: #GHSA-rvch-3jmx-3jf3

UserNote: ast_debug_tools.conf must be owned by root and not be
writable by other users or groups to be used by ast_coredumper or
by ast_logescalator or ast_loggrabber when run as root.

http.c: Change httpstatus to default disabled and sanitize output.

Author: George Joseph
Date: 2026-01-15

To address potential security issues, the httpstatus page is now disabled
by default and the echoed query string and cookie output is html-escaped.

Resolves: #GHSA-v6hp-wh3r-cwxh

UpgradeNote: To prevent possible security issues, the /httpstatus page
served by the internal web server is now disabled by default. To explicitly
enable it, set enable_status=yes in http.conf.

ast_coredumper: create gdbinit file with restrictive permissions

Author: Mike Bradeen
Date: 2026-01-15

Modify gdbinit to use the install command with explicit permissions (-m 600)
when creating the .ast_coredumper.gdbinit file. This ensures the file is
created with restricted permissions (readable/writable only by the owner)
to avoid potential privilege escalation.

Resolves: #GHSA-xpc6-x892-v83c

View release on GitHub

Weekly OSS security release digest.

The CVE patches and breaking changes that affected production tools this week. One email, every Sunday.

No spam, unsubscribe anytime.

About

Stars
3,284
Forks
1,250
Languages
C Python Shell
View on GitHub Homepage Documentation

Install & Platforms

Platforms
linux macos

Similar tools

Flexisip
chatwoot
friendica
FusionPBX
SAMA

Beta — feedback welcome: [email protected]