Asterisk releases

The Asterisk Development Team would like to announce
the release of Certified asterisk-18.9-cert18.

The release artifacts are available for immediate download at
https://github.com/asterisk/asterisk/releases/tag/certified-18.9-cert18
and
https://downloads.asterisk.org/pub/telephony/certified-asterisk

Repository: https://github.com/asterisk/asterisk
Tag: certified-18.9-cert18

This release resolves issues reported by the community
and would have not been possible without your participation.

Thank You!

Change Log for Release asterisk-certified-18.9-cert18

Links:

• Full ChangeLog
• GitHub Diff
• Tarball
• Downloads

Summary:

• Commits: 1
• Commit Authors: 1
• Issues Resolved: 1
• Security Advisories Resolved: 0

User Notes:

Upgrade Notes:

Developer Notes:

Commit Authors:

• Naveen Albert: (1)

Issue and Commit Detail:

Closed Issues:

• ASTERISK-30265: res_pjsip_session: Fix missing PLAR support on INVITEs

Commits By Author:

• Naveen Albert (1):

  • res_pjsip_session.c: Map empty extensions in INVITEs to s.

Commit List:

• res_pjsip_session.c: Map empty extensions in INVITEs to s.

Commit Details:

res_pjsip_session.c: Map empty extensions in INVITEs to s.

Author: Naveen Albert
Date: 2022-10-17

Some SIP devices use an empty extension for PLAR functionality.

Rather than rejecting these empty extensions, we now use the s
extension for such calls to mirror the existing PLAR functionality
in Asterisk (e.g. chan_dahdi).

ASTERISK-30265 #close

The Asterisk Development Team would like to announce
the release of asterisk-23.3.0.

The release artifacts are available for immediate download at
https://github.com/asterisk/asterisk/releases/tag/23.3.0
and
https://downloads.asterisk.org/pub/telephony/asterisk

Repository: https://github.com/asterisk/asterisk
Tag: 23.3.0

This release resolves issues reported by the community
and would have not been possible without your participation.

Thank You!

Change Log for Release asterisk-23.3.0

Links:

• Full ChangeLog
• GitHub Diff
• Tarball
• Downloads

Summary:

• Commits: 50
• Commit Authors: 21
• Issues Resolved: 34
• Security Advisories Resolved: 0

The Asterisk Development Team would like to announce
the release of asterisk-22.9.0.

The release artifacts are available for immediate download at
https://github.com/asterisk/asterisk/releases/tag/22.9.0
and
https://downloads.asterisk.org/pub/telephony/asterisk

Repository: https://github.com/asterisk/asterisk
Tag: 22.9.0

This release resolves issues reported by the community
and would have not been possible without your participation.

Thank You!

Change Log for Release asterisk-22.9.0

Links:

• Full ChangeLog
• GitHub Diff
• Tarball
• Downloads

Summary:

• Commits: 50
• Commit Authors: 21
• Issues Resolved: 34
• Security Advisories Resolved: 0

The Asterisk Development Team would like to announce
the release of asterisk-20.19.0.

The release artifacts are available for immediate download at
https://github.com/asterisk/asterisk/releases/tag/20.19.0
and
https://downloads.asterisk.org/pub/telephony/asterisk

Repository: https://github.com/asterisk/asterisk
Tag: 20.19.0

This release resolves issues reported by the community
and would have not been possible without your participation.

Thank You!

Change Log for Release asterisk-20.19.0

Links:

• Full ChangeLog
• GitHub Diff
• Tarball
• Downloads

Summary:

• Commits: 50
• Commit Authors: 21
• Issues Resolved: 34
• Security Advisories Resolved: 0

The Asterisk Development Team would like to announce
the release of Certified asterisk-22.8-cert2.

The release artifacts are available for immediate download at
https://github.com/asterisk/asterisk/releases/tag/certified-22.8-cert2
and
https://downloads.asterisk.org/pub/telephony/certified-asterisk

Repository: https://github.com/asterisk/asterisk
Tag: certified-22.8-cert2

This release resolves issues reported by the community
and would have not been possible without your participation.

Thank You!

Change Log for Release asterisk-certified-22.8-cert2

Links:

• Full ChangeLog
• GitHub Diff
• Tarball
• Downloads

Summary:

• Commits: 1
• Commit Authors: 1
• Issues Resolved: 1
• Security Advisories Resolved: 0

User Notes:

Upgrade Notes:

Developer Notes:

Commit Authors:

• Mike Bradeen: (1)

Issue and Commit Detail:

Closed Issues:

• 1833: [bug]: Address security vulnerabilities in pjproject

Commits By Author:

• Mike Bradeen (1):

  • res_pjsip: Address pjproject security vulnerabilities

Commit List:

• res_pjsip: Address pjproject security vulnerabilities

Commit Details:

res_pjsip: Address pjproject security vulnerabilities

Author: Mike Bradeen
Date: 2026-03-25

Address the following pjproject security vulnerabilities

GHSA-j29p-pvh2-pvqp - Buffer overflow in ICE with long username
GHSA-8fj4-fv9f-hjpc - Heap use-after-free in PJSIP presense subscription termination header
GHSA-g88q-c2hm-q7p7 - ICE session use-after-free race conditions
GHSA-x5pq-qrp4-fmrj - Out-of-bounds read in SIP multipart parsing

Resolves: #1833

The Asterisk Development Team would like to announce
the release of Certified asterisk-20.7-cert10.

The release artifacts are available for immediate download at
https://github.com/asterisk/asterisk/releases/tag/certified-20.7-cert10
and
https://downloads.asterisk.org/pub/telephony/certified-asterisk

Repository: https://github.com/asterisk/asterisk
Tag: certified-20.7-cert10

This release resolves issues reported by the community
and would have not been possible without your participation.

Thank You!

Change Log for Release asterisk-certified-20.7-cert10

Links:

• Full ChangeLog
• GitHub Diff
• Tarball
• Downloads

Summary:

• Commits: 1
• Commit Authors: 1
• Issues Resolved: 1
• Security Advisories Resolved: 0

User Notes:

Upgrade Notes:

Developer Notes:

Commit Authors:

• Mike Bradeen: (1)

Issue and Commit Detail:

Closed Issues:

• 1833: [bug]: Address security vulnerabilities in pjproject

Commits By Author:

• Mike Bradeen (1):

  • res_pjsip: Address pjproject security vulnerabilities

Commit List:

• res_pjsip: Address pjproject security vulnerabilities

Commit Details:

res_pjsip: Address pjproject security vulnerabilities

Author: Mike Bradeen
Date: 2026-03-24

Address the following pjproject security vulnerabilities

GHSA-j29p-pvh2-pvqp - Buffer overflow in ICE with long username
GHSA-8fj4-fv9f-hjpc - Heap use-after-free in PJSIP presense subscription termination header
GHSA-g88q-c2hm-q7p7 - ICE session use-after-free race conditions
GHSA-x5pq-qrp4-fmrj - Out-of-bounds read in SIP multipart parsing

Resolves: #1833

The Asterisk Development Team would like to announce
the release of asterisk-21.12.2.

The release artifacts are available for immediate download at
https://github.com/asterisk/asterisk/releases/tag/21.12.2
and
https://downloads.asterisk.org/pub/telephony/asterisk

Repository: https://github.com/asterisk/asterisk
Tag: 21.12.2

This release resolves issues reported by the community
and would have not been possible without your participation.

Thank You!

Change Log for Release asterisk-21.12.2

Links:

• Full ChangeLog
• GitHub Diff
• Tarball
• Downloads

Summary:

• Commits: 1
• Commit Authors: 1
• Issues Resolved: 1
• Security Advisories Resolved: 0

User Notes:

Upgrade Notes:

Developer Notes:

Commit Authors:

• Mike Bradeen: (1)

Issue and Commit Detail:

Closed Issues:

• 1833: [bug]: Address security vulnerabilities in pjproject

Commits By Author:

• Mike Bradeen (1):

  • res_pjsip: Address pjproject security vulnerabilities

Commit List:

• res_pjsip: Address pjproject security vulnerabilities

Commit Details:

res_pjsip: Address pjproject security vulnerabilities

Author: Mike Bradeen
Date: 2026-03-25

Address the following pjproject security vulnerabilities

GHSA-j29p-pvh2-pvqp - Buffer overflow in ICE with long username
GHSA-8fj4-fv9f-hjpc - Heap use-after-free in PJSIP presense subscription termination header
GHSA-g88q-c2hm-q7p7 - ICE session use-after-free race conditions
GHSA-x5pq-qrp4-fmrj - Out-of-bounds read in SIP multipart parsing

Resolves: #1833

The Asterisk Development Team would like to announce
the release of Certified asterisk-22.8-cert1.

The release artifacts are available for immediate download at
https://github.com/asterisk/asterisk/releases/tag/certified-22.8-cert1
and
https://downloads.asterisk.org/pub/telephony/certified-asterisk

Repository: https://github.com/asterisk/asterisk
Tag: certified-22.8-cert1

This release resolves issues reported by the community
and would have not been possible without your participation.

Thank You!

Change Log for Release asterisk-certified-22.8-cert1

Links:

• Full ChangeLog
• GitHub Diff
• Tarball
• Downloads

Summary:

• Commits: 853
• Commit Authors: 110
• Issues Resolved: 590
• Security Advisories Resolved: 13

The Asterisk Development Team would like to announce security release
Asterisk 23.2.2.

The release artifacts are available for immediate download at
https://github.com/asterisk/asterisk/releases/tag/23.2.2
and
https://downloads.asterisk.org/pub/telephony/asterisk

Repository: https://github.com/asterisk/asterisk
Tag: 23.2.2

Change Log for Release asterisk-23.2.2

Links:

• Full ChangeLog
• GitHub Diff
• Tarball
• Downloads

Summary:

• Commits: 4
• Commit Authors: 2
• Issues Resolved: 0
• Security Advisories Resolved: 4
  • GHSA-85x7-54wr-vh42: Asterisk xml.c uses unsafe XML_PARSE_NOENT leading to potential XXE Injection
  • GHSA-rvch-3jmx-3jf3: ast_coredumper running as root sources ast_debug_tools.conf from /etc/asterisk; potentially leading to privilege escalation
  • GHSA-v6hp-wh3r-cwxh: The Asterisk embedded web server's /httpstatus page echos user supplied values(cookie and query string) without sanitization
  • GHSA-xpc6-x892-v83c: ast_coredumper runs as root, and writes gdb init file to world writeable folder; leading to potential privilege escalation

User Notes:

• ast_coredumper: check ast_debug_tools.conf permissions

  ast_debug_tools.conf must be owned by root and not be
  writable by other users or groups to be used by ast_coredumper or
  by ast_logescalator or ast_loggrabber when run as root.

Upgrade Notes:

• http.c: Change httpstatus to default disabled and sanitize output.

  To prevent possible security issues, the /httpstatus page
  served by the internal web server is now disabled by default. To explicitly
  enable it, set enable_status=yes in http.conf.

Developer Notes:

Commit Authors:

• George Joseph: (2)
• Mike Bradeen: (2)

Issue and Commit Detail:

Closed Issues:

• !GHSA-85x7-54wr-vh42: Asterisk xml.c uses unsafe XML_PARSE_NOENT leading to potential XXE Injection
• !GHSA-rvch-3jmx-3jf3: ast_coredumper running as root sources ast_debug_tools.conf from /etc/asterisk; potentially leading to privilege escalation
• !GHSA-v6hp-wh3r-cwxh: The Asterisk embedded web server's /httpstatus page echos user supplied values(cookie and query string) without sanitization
• !GHSA-xpc6-x892-v83c: ast_coredumper runs as root, and writes gdb init file to world writeable folder; leading to potential privilege escalation

Commits By Author:

• George Joseph (2):

• Mike Bradeen (2):

Commit List:

• xml.c: Replace XML_PARSE_NOENT with XML_PARSE_NONET for xmlReadFile.
• ast_coredumper: check ast_debug_tools.conf permissions
• http.c: Change httpstatus to default disabled and sanitize output.
• ast_coredumper: create gdbinit file with restrictive permissions

Commit Details:

xml.c: Replace XML_PARSE_NOENT with XML_PARSE_NONET for xmlReadFile.

Author: George Joseph
Date: 2026-01-15

The xmlReadFile XML_PARSE_NOENT flag, which allows parsing of external
entities, could allow a potential XXE injection attack. Replacing it with
XML_PARSE_NONET, which prevents network access, is safer.

Resolves: #GHSA-85x7-54wr-vh42

ast_coredumper: check ast_debug_tools.conf permissions

Author: Mike Bradeen
Date: 2026-01-15

Prevent ast_coredumper from using ast_debug_tools.conf files that are
not owned by root or are writable by other users or groups.

Prevent ast_logescalator and ast_loggrabber from doing the same if
they are run as root.

Resolves: #GHSA-rvch-3jmx-3jf3

UserNote: ast_debug_tools.conf must be owned by root and not be
writable by other users or groups to be used by ast_coredumper or
by ast_logescalator or ast_loggrabber when run as root.

http.c: Change httpstatus to default disabled and sanitize output.

Author: George Joseph
Date: 2026-01-15

To address potential security issues, the httpstatus page is now disabled
by default and the echoed query string and cookie output is html-escaped.

Resolves: #GHSA-v6hp-wh3r-cwxh

UpgradeNote: To prevent possible security issues, the /httpstatus page
served by the internal web server is now disabled by default. To explicitly
enable it, set enable_status=yes in http.conf.

ast_coredumper: create gdbinit file with restrictive permissions

Author: Mike Bradeen
Date: 2026-01-15

Modify gdbinit to use the install command with explicit permissions (-m 600)
when creating the .ast_coredumper.gdbinit file. This ensures the file is
created with restricted permissions (readable/writable only by the owner)
to avoid potential privilege escalation.

Resolves: #GHSA-xpc6-x892-v83c

The Asterisk Development Team would like to announce security release
Asterisk 21.12.1.

The release artifacts are available for immediate download at
https://github.com/asterisk/asterisk/releases/tag/21.12.1
and
https://downloads.asterisk.org/pub/telephony/asterisk

Repository: https://github.com/asterisk/asterisk
Tag: 21.12.1

Change Log for Release asterisk-21.12.1

Links:

• Full ChangeLog
• GitHub Diff
• Tarball
• Downloads

Summary:

• Commits: 4
• Commit Authors: 2
• Issues Resolved: 0
• Security Advisories Resolved: 4
  • GHSA-85x7-54wr-vh42: Asterisk xml.c uses unsafe XML_PARSE_NOENT leading to potential XXE Injection
  • GHSA-rvch-3jmx-3jf3: ast_coredumper running as root sources ast_debug_tools.conf from /etc/asterisk; potentially leading to privilege escalation
  • GHSA-v6hp-wh3r-cwxh: The Asterisk embedded web server's /httpstatus page echos user supplied values(cookie and query string) without sanitization
  • GHSA-xpc6-x892-v83c: ast_coredumper runs as root, and writes gdb init file to world writeable folder; leading to potential privilege escalation

User Notes:

• ast_coredumper: check ast_debug_tools.conf permissions

  ast_debug_tools.conf must be owned by root and not be
  writable by other users or groups to be used by ast_coredumper or
  by ast_logescalator or ast_loggrabber when run as root.

Upgrade Notes:

• http.c: Change httpstatus to default disabled and sanitize output.

  To prevent possible security issues, the /httpstatus page
  served by the internal web server is now disabled by default. To explicitly
  enable it, set enable_status=yes in http.conf.

Developer Notes:

Commit Authors:

• George Joseph: (2)
• Mike Bradeen: (2)

Issue and Commit Detail:

Closed Issues:

• !GHSA-85x7-54wr-vh42: Asterisk xml.c uses unsafe XML_PARSE_NOENT leading to potential XXE Injection
• !GHSA-rvch-3jmx-3jf3: ast_coredumper running as root sources ast_debug_tools.conf from /etc/asterisk; potentially leading to privilege escalation
• !GHSA-v6hp-wh3r-cwxh: The Asterisk embedded web server's /httpstatus page echos user supplied values(cookie and query string) without sanitization
• !GHSA-xpc6-x892-v83c: ast_coredumper runs as root, and writes gdb init file to world writeable folder; leading to potential privilege escalation

Commits By Author:

• George Joseph (2):

• Mike Bradeen (2):

Commit List:

• xml.c: Replace XML_PARSE_NOENT with XML_PARSE_NONET for xmlReadFile.
• ast_coredumper: check ast_debug_tools.conf permissions
• http.c: Change httpstatus to default disabled and sanitize output.
• ast_coredumper: create gdbinit file with restrictive permissions

Commit Details:

xml.c: Replace XML_PARSE_NOENT with XML_PARSE_NONET for xmlReadFile.

Author: George Joseph
Date: 2026-01-15

The xmlReadFile XML_PARSE_NOENT flag, which allows parsing of external
entities, could allow a potential XXE injection attack. Replacing it with
XML_PARSE_NONET, which prevents network access, is safer.

Resolves: #GHSA-85x7-54wr-vh42

ast_coredumper: check ast_debug_tools.conf permissions

Author: Mike Bradeen
Date: 2026-01-15

Prevent ast_coredumper from using ast_debug_tools.conf files that are
not owned by root or are writable by other users or groups.

Prevent ast_logescalator and ast_loggrabber from doing the same if
they are run as root.

Resolves: #GHSA-rvch-3jmx-3jf3

UserNote: ast_debug_tools.conf must be owned by root and not be
writable by other users or groups to be used by ast_coredumper or
by ast_logescalator or ast_loggrabber when run as root.

http.c: Change httpstatus to default disabled and sanitize output.

Author: George Joseph
Date: 2026-01-15

To address potential security issues, the httpstatus page is now disabled
by default and the echoed query string and cookie output is html-escaped.

Resolves: #GHSA-v6hp-wh3r-cwxh

UpgradeNote: To prevent possible security issues, the /httpstatus page
served by the internal web server is now disabled by default. To explicitly
enable it, set enable_status=yes in http.conf.

ast_coredumper: create gdbinit file with restrictive permissions

Author: Mike Bradeen
Date: 2026-01-15

Modify gdbinit to use the install command with explicit permissions (-m 600)
when creating the .ast_coredumper.gdbinit file. This ensures the file is
created with restricted permissions (readable/writable only by the owner)
to avoid potential privilege escalation.

Resolves: #GHSA-xpc6-x892-v83c

The Asterisk Development Team would like to announce security release
Asterisk 22.8.2.

The release artifacts are available for immediate download at
https://github.com/asterisk/asterisk/releases/tag/22.8.2
and
https://downloads.asterisk.org/pub/telephony/asterisk

Repository: https://github.com/asterisk/asterisk
Tag: 22.8.2

Change Log for Release asterisk-22.8.2

Links:

• Full ChangeLog
• GitHub Diff
• Tarball
• Downloads

Summary:

• Commits: 4
• Commit Authors: 2
• Issues Resolved: 0
• Security Advisories Resolved: 4
  • GHSA-85x7-54wr-vh42: Asterisk xml.c uses unsafe XML_PARSE_NOENT leading to potential XXE Injection
  • GHSA-rvch-3jmx-3jf3: ast_coredumper running as root sources ast_debug_tools.conf from /etc/asterisk; potentially leading to privilege escalation
  • GHSA-v6hp-wh3r-cwxh: The Asterisk embedded web server's /httpstatus page echos user supplied values(cookie and query string) without sanitization
  • GHSA-xpc6-x892-v83c: ast_coredumper runs as root, and writes gdb init file to world writeable folder; leading to potential privilege escalation

User Notes:

• ast_coredumper: check ast_debug_tools.conf permissions

  ast_debug_tools.conf must be owned by root and not be
  writable by other users or groups to be used by ast_coredumper or
  by ast_logescalator or ast_loggrabber when run as root.

Upgrade Notes:

• http.c: Change httpstatus to default disabled and sanitize output.

  To prevent possible security issues, the /httpstatus page
  served by the internal web server is now disabled by default. To explicitly
  enable it, set enable_status=yes in http.conf.

Developer Notes:

Commit Authors:

• George Joseph: (2)
• Mike Bradeen: (2)

Issue and Commit Detail:

Closed Issues:

• !GHSA-85x7-54wr-vh42: Asterisk xml.c uses unsafe XML_PARSE_NOENT leading to potential XXE Injection
• !GHSA-rvch-3jmx-3jf3: ast_coredumper running as root sources ast_debug_tools.conf from /etc/asterisk; potentially leading to privilege escalation
• !GHSA-v6hp-wh3r-cwxh: The Asterisk embedded web server's /httpstatus page echos user supplied values(cookie and query string) without sanitization
• !GHSA-xpc6-x892-v83c: ast_coredumper runs as root, and writes gdb init file to world writeable folder; leading to potential privilege escalation

Commits By Author:

• George Joseph (2):

• Mike Bradeen (2):

Commit List:

• xml.c: Replace XML_PARSE_NOENT with XML_PARSE_NONET for xmlReadFile.
• ast_coredumper: check ast_debug_tools.conf permissions
• http.c: Change httpstatus to default disabled and sanitize output.
• ast_coredumper: create gdbinit file with restrictive permissions

Commit Details:

xml.c: Replace XML_PARSE_NOENT with XML_PARSE_NONET for xmlReadFile.

Author: George Joseph
Date: 2026-01-15

The xmlReadFile XML_PARSE_NOENT flag, which allows parsing of external
entities, could allow a potential XXE injection attack. Replacing it with
XML_PARSE_NONET, which prevents network access, is safer.

Resolves: #GHSA-85x7-54wr-vh42

ast_coredumper: check ast_debug_tools.conf permissions

Author: Mike Bradeen
Date: 2026-01-15

Prevent ast_coredumper from using ast_debug_tools.conf files that are
not owned by root or are writable by other users or groups.

Prevent ast_logescalator and ast_loggrabber from doing the same if
they are run as root.

Resolves: #GHSA-rvch-3jmx-3jf3

UserNote: ast_debug_tools.conf must be owned by root and not be
writable by other users or groups to be used by ast_coredumper or
by ast_logescalator or ast_loggrabber when run as root.

http.c: Change httpstatus to default disabled and sanitize output.

Author: George Joseph
Date: 2026-01-15

To address potential security issues, the httpstatus page is now disabled
by default and the echoed query string and cookie output is html-escaped.

Resolves: #GHSA-v6hp-wh3r-cwxh

UpgradeNote: To prevent possible security issues, the /httpstatus page
served by the internal web server is now disabled by default. To explicitly
enable it, set enable_status=yes in http.conf.

ast_coredumper: create gdbinit file with restrictive permissions

Author: Mike Bradeen
Date: 2026-01-15

Modify gdbinit to use the install command with explicit permissions (-m 600)
when creating the .ast_coredumper.gdbinit file. This ensures the file is
created with restricted permissions (readable/writable only by the owner)
to avoid potential privilege escalation.

Resolves: #GHSA-xpc6-x892-v83c

The Asterisk Development Team would like to announce security release
Asterisk 20.18.2.

The release artifacts are available for immediate download at
https://github.com/asterisk/asterisk/releases/tag/20.18.2
and
https://downloads.asterisk.org/pub/telephony/asterisk

Repository: https://github.com/asterisk/asterisk
Tag: 20.18.2

Change Log for Release asterisk-20.18.2

Links:

• Full ChangeLog
• GitHub Diff
• Tarball
• Downloads

Summary:

• Commits: 4
• Commit Authors: 2
• Issues Resolved: 0
• Security Advisories Resolved: 4
  • GHSA-85x7-54wr-vh42: Asterisk xml.c uses unsafe XML_PARSE_NOENT leading to potential XXE Injection
  • GHSA-rvch-3jmx-3jf3: ast_coredumper running as root sources ast_debug_tools.conf from /etc/asterisk; potentially leading to privilege escalation
  • GHSA-v6hp-wh3r-cwxh: The Asterisk embedded web server's /httpstatus page echos user supplied values(cookie and query string) without sanitization
  • GHSA-xpc6-x892-v83c: ast_coredumper runs as root, and writes gdb init file to world writeable folder; leading to potential privilege escalation

User Notes:

• ast_coredumper: check ast_debug_tools.conf permissions

  ast_debug_tools.conf must be owned by root and not be
  writable by other users or groups to be used by ast_coredumper or
  by ast_logescalator or ast_loggrabber when run as root.

Upgrade Notes:

• http.c: Change httpstatus to default disabled and sanitize output.

  To prevent possible security issues, the /httpstatus page
  served by the internal web server is now disabled by default. To explicitly
  enable it, set enable_status=yes in http.conf.

Developer Notes:

Commit Authors:

• George Joseph: (2)
• Mike Bradeen: (2)

Issue and Commit Detail:

Closed Issues:

• !GHSA-85x7-54wr-vh42: Asterisk xml.c uses unsafe XML_PARSE_NOENT leading to potential XXE Injection
• !GHSA-rvch-3jmx-3jf3: ast_coredumper running as root sources ast_debug_tools.conf from /etc/asterisk; potentially leading to privilege escalation
• !GHSA-v6hp-wh3r-cwxh: The Asterisk embedded web server's /httpstatus page echos user supplied values(cookie and query string) without sanitization
• !GHSA-xpc6-x892-v83c: ast_coredumper runs as root, and writes gdb init file to world writeable folder; leading to potential privilege escalation

Commits By Author:

• George Joseph (2):

• Mike Bradeen (2):

Commit List:

• xml.c: Replace XML_PARSE_NOENT with XML_PARSE_NONET for xmlReadFile.
• ast_coredumper: check ast_debug_tools.conf permissions
• http.c: Change httpstatus to default disabled and sanitize output.
• ast_coredumper: create gdbinit file with restrictive permissions

Commit Details:

xml.c: Replace XML_PARSE_NOENT with XML_PARSE_NONET for xmlReadFile.

Author: George Joseph
Date: 2026-01-15

The xmlReadFile XML_PARSE_NOENT flag, which allows parsing of external
entities, could allow a potential XXE injection attack. Replacing it with
XML_PARSE_NONET, which prevents network access, is safer.

Resolves: #GHSA-85x7-54wr-vh42

ast_coredumper: check ast_debug_tools.conf permissions

Author: Mike Bradeen
Date: 2026-01-15

Prevent ast_coredumper from using ast_debug_tools.conf files that are
not owned by root or are writable by other users or groups.

Prevent ast_logescalator and ast_loggrabber from doing the same if
they are run as root.

Resolves: #GHSA-rvch-3jmx-3jf3

UserNote: ast_debug_tools.conf must be owned by root and not be
writable by other users or groups to be used by ast_coredumper or
by ast_logescalator or ast_loggrabber when run as root.

http.c: Change httpstatus to default disabled and sanitize output.

Author: George Joseph
Date: 2026-01-15

To address potential security issues, the httpstatus page is now disabled
by default and the echoed query string and cookie output is html-escaped.

Resolves: #GHSA-v6hp-wh3r-cwxh

UpgradeNote: To prevent possible security issues, the /httpstatus page
served by the internal web server is now disabled by default. To explicitly
enable it, set enable_status=yes in http.conf.

ast_coredumper: create gdbinit file with restrictive permissions

Author: Mike Bradeen
Date: 2026-01-15

Modify gdbinit to use the install command with explicit permissions (-m 600)
when creating the .ast_coredumper.gdbinit file. This ensures the file is
created with restricted permissions (readable/writable only by the owner)
to avoid potential privilege escalation.

Resolves: #GHSA-xpc6-x892-v83c

The Asterisk Development Team would like to announce security release
Certified Asterisk 20.7-cert9.

The release artifacts are available for immediate download at
https://github.com/asterisk/asterisk/releases/tag/certified-20.7-cert9
and
https://downloads.asterisk.org/pub/telephony/certified-asterisk

Repository: https://github.com/asterisk/asterisk
Tag: certified-20.7-cert9

Change Log for Release asterisk-certified-20.7-cert9

Links:

• Full ChangeLog
• GitHub Diff
• Tarball
• Downloads

Summary:

• Commits: 4
• Commit Authors: 2
• Issues Resolved: 0
• Security Advisories Resolved: 4
  • GHSA-85x7-54wr-vh42: Asterisk xml.c uses unsafe XML_PARSE_NOENT leading to potential XXE Injection
  • GHSA-rvch-3jmx-3jf3: ast_coredumper running as root sources ast_debug_tools.conf from /etc/asterisk; potentially leading to privilege escalation
  • GHSA-v6hp-wh3r-cwxh: The Asterisk embedded web server's /httpstatus page echos user supplied values(cookie and query string) without sanitization
  • GHSA-xpc6-x892-v83c: ast_coredumper runs as root, and writes gdb init file to world writeable folder; leading to potential privilege escalation

User Notes:

• ast_coredumper: check ast_debug_tools.conf permissions

  ast_debug_tools.conf must be owned by root and not be
  writable by other users or groups to be used by ast_coredumper or
  by ast_logescalator or ast_loggrabber when run as root.

Upgrade Notes:

• http.c: Change httpstatus to default disabled and sanitize output.

  To prevent possible security issues, the /httpstatus page
  served by the internal web server is now disabled by default. To explicitly
  enable it, set enable_status=yes in http.conf.

Developer Notes:

Commit Authors:

• George Joseph: (2)
• Mike Bradeen: (2)

Issue and Commit Detail:

Closed Issues:

• !GHSA-85x7-54wr-vh42: Asterisk xml.c uses unsafe XML_PARSE_NOENT leading to potential XXE Injection
• !GHSA-rvch-3jmx-3jf3: ast_coredumper running as root sources ast_debug_tools.conf from /etc/asterisk; potentially leading to privilege escalation
• !GHSA-v6hp-wh3r-cwxh: The Asterisk embedded web server's /httpstatus page echos user supplied values(cookie and query string) without sanitization
• !GHSA-xpc6-x892-v83c: ast_coredumper runs as root, and writes gdb init file to world writeable folder; leading to potential privilege escalation

Commits By Author:

• George Joseph (2):

• Mike Bradeen (2):

Commit List:

• xml.c: Replace XML_PARSE_NOENT with XML_PARSE_NONET for xmlReadFile.
• ast_coredumper: check ast_debug_tools.conf permissions
• http.c: Change httpstatus to default disabled and sanitize output.
• ast_coredumper: create gdbinit file with restrictive permissions

Commit Details:

xml.c: Replace XML_PARSE_NOENT with XML_PARSE_NONET for xmlReadFile.

Author: George Joseph
Date: 2026-01-15

The xmlReadFile XML_PARSE_NOENT flag, which allows parsing of external
entities, could allow a potential XXE injection attack. Replacing it with
XML_PARSE_NONET, which prevents network access, is safer.

Resolves: #GHSA-85x7-54wr-vh42

ast_coredumper: check ast_debug_tools.conf permissions

Author: Mike Bradeen
Date: 2026-01-15

Prevent ast_coredumper from using ast_debug_tools.conf files that are
not owned by root or are writable by other users or groups.

Prevent ast_logescalator and ast_loggrabber from doing the same if
they are run as root.

Resolves: #GHSA-rvch-3jmx-3jf3

UserNote: ast_debug_tools.conf must be owned by root and not be
writable by other users or groups to be used by ast_coredumper or
by ast_logescalator or ast_loggrabber when run as root.

http.c: Change httpstatus to default disabled and sanitize output.

Author: George Joseph
Date: 2026-01-15

To address potential security issues, the httpstatus page is now disabled
by default and the echoed query string and cookie output is html-escaped.

Resolves: #GHSA-v6hp-wh3r-cwxh

UpgradeNote: To prevent possible security issues, the /httpstatus page
served by the internal web server is now disabled by default. To explicitly
enable it, set enable_status=yes in http.conf.

ast_coredumper: create gdbinit file with restrictive permissions

Author: Mike Bradeen
Date: 2026-01-15

Modify gdbinit to use the install command with explicit permissions (-m 600)
when creating the .ast_coredumper.gdbinit file. This ensures the file is
created with restricted permissions (readable/writable only by the owner)
to avoid potential privilege escalation.

Resolves: #GHSA-xpc6-x892-v83c

The Asterisk Development Team would like to announce
the release of asterisk-23.2.1.

The release artifacts are available for immediate download at
https://github.com/asterisk/asterisk/releases/tag/23.2.1
and
https://downloads.asterisk.org/pub/telephony/asterisk

Repository: https://github.com/asterisk/asterisk
Tag: 23.2.1

This release resolves issues reported by the community
and would have not been possible without your participation.

Thank You!

Change Log for Release asterisk-23.2.1

Links:

• Full ChangeLog
• GitHub Diff
• Tarball
• Downloads

Summary:

• Commits: 1
• Commit Authors: 1
• Issues Resolved: 1
• Security Advisories Resolved: 0

User Notes:

Upgrade Notes:

Developer Notes:

Commit Authors:

• Sean Bright: (1)

Issue and Commit Detail:

Closed Issues:

• 1739: [bug]: Regression in 23.2.0 with regard to parsing fractional numbers when system locale is non-standard

Commits By Author:

• Sean Bright (1):

Commit List:

• asterisk.c: Use C.UTF-8 locale instead of relying on user's environment.

Commit Details:

asterisk.c: Use C.UTF-8 locale instead of relying on user's environment.

Author: Sean Bright
Date: 2026-01-23

Resolves: #1739

The Asterisk Development Team would like to announce
the release of asterisk-22.8.1.

The release artifacts are available for immediate download at
https://github.com/asterisk/asterisk/releases/tag/22.8.1
and
https://downloads.asterisk.org/pub/telephony/asterisk

Repository: https://github.com/asterisk/asterisk
Tag: 22.8.1

This release resolves issues reported by the community
and would have not been possible without your participation.

Thank You!

Change Log for Release asterisk-22.8.1

Links:

• Full ChangeLog
• GitHub Diff
• Tarball
• Downloads

Summary:

• Commits: 1
• Commit Authors: 1
• Issues Resolved: 1
• Security Advisories Resolved: 0

User Notes:

Upgrade Notes:

Developer Notes:

Commit Authors:

• Sean Bright: (1)

Issue and Commit Detail:

Closed Issues:

• 1739: [bug]: Regression in 23.2.0 with regard to parsing fractional numbers when system locale is non-standard

Commits By Author:

• Sean Bright (1):

Commit List:

• asterisk.c: Use C.UTF-8 locale instead of relying on user's environment.

Commit Details:

asterisk.c: Use C.UTF-8 locale instead of relying on user's environment.

Author: Sean Bright
Date: 2026-01-23

Resolves: #1739

The Asterisk Development Team would like to announce
the release of asterisk-20.18.1.

The release artifacts are available for immediate download at
https://github.com/asterisk/asterisk/releases/tag/20.18.1
and
https://downloads.asterisk.org/pub/telephony/asterisk

Repository: https://github.com/asterisk/asterisk
Tag: 20.18.1

This release resolves issues reported by the community
and would have not been possible without your participation.

Thank You!

Change Log for Release asterisk-20.18.1

Links:

• Full ChangeLog
• GitHub Diff
• Tarball
• Downloads

Summary:

• Commits: 1
• Commit Authors: 1
• Issues Resolved: 1
• Security Advisories Resolved: 0

User Notes:

Upgrade Notes:

Developer Notes:

Commit Authors:

• Sean Bright: (1)

Issue and Commit Detail:

Closed Issues:

• 1739: [bug]: Regression in 23.2.0 with regard to parsing fractional numbers when system locale is non-standard

Commits By Author:

• Sean Bright (1):

Commit List:

• asterisk.c: Use C.UTF-8 locale instead of relying on user's environment.

Commit Details:

asterisk.c: Use C.UTF-8 locale instead of relying on user's environment.

Author: Sean Bright
Date: 2026-01-23

Resolves: #1739

The Asterisk Development Team would like to announce
the release of asterisk-23.2.0.

The release artifacts are available for immediate download at
https://github.com/asterisk/asterisk/releases/tag/23.2.0
and
https://downloads.asterisk.org/pub/telephony/asterisk

Repository: https://github.com/asterisk/asterisk
Tag: 23.2.0

This release resolves issues reported by the community
and would have not been possible without your participation.

Thank You!

Change Log for Release asterisk-23.2.0

Links:

• Full ChangeLog
• GitHub Diff
• Tarball
• Downloads

Summary:

• Commits: 58
• Commit Authors: 20
• Issues Resolved: 41
• Security Advisories Resolved: 0

User Notes:

• chan_websocket.conf.sample: Fix category name.

  The category name in the chan_websocket.conf.sample file was
  incorrect. It should be "global" instead of "general".

• cli.c: Allow 'channel request hangup' to accept patterns.

  The 'channel request hangup' CLI command now accepts
  multiple channel names, POSIX Extended Regular Expressions, glob-like
  patterns, or a combination of all of them. See the CLI command 'core
  show help channel request hangup' for full details.

• res_sorcery_memory_cache: Reduce cache lock time for sorcery memory cache populate command

  The AMI command sorcery memory cache populate will now
  return an error if there is an internal error performing the populate.
  The CLI command will display an error in this case as well.

• res_geolocation: Fix multiple issues with XML generation.

  Geolocation: Two new optional profile parameters have been added.

  • pidf_element_id which sets the value of the id attribute on the top-level
    PIDF-LO device, person or tuple elements.
  • device_id which sets the content of the <deviceID> element.
    Both parameters can include channel variables.

• res_pjsip_messaging: Add support for following 3xx redirects

  A new pjsip endpoint option follow_redirect_methods was added.
  This option is a comma-delimited, case-insensitive list of SIP methods
  for which SIP 3XX redirect responses are followed. An alembic upgrade
  script has been added for adding this new option to the Asterisk
  database.

• taskprocessors: Improve logging and add new cli options

  New CLI command has been added -
  core show taskprocessor name

• ccss: Add option to ccss.conf to globally disable it.

  A new "enabled" parameter has been added to ccss.conf. It defaults
  to "yes" to preserve backwards compatibility but CCSS is rarely used so
  setting "enabled = no" in the "general" section can save some unneeded channel
  locking operations and log message spam. Disabling ccss will also prevent
  the func_callcompletion and chan_dahdi modules from loading.

• Makefile: Add module-list-* targets.

  Try "make module-list-deprecated" to see what modules
  are on their way out the door.

• app_mixmonitor: Add 's' (skip) option to delay recording.

  This change introduces a new 's()' (skip) option to the MixMonitor
  application. Example:
  MixMonitor(${UNIQUEID}.wav,s(3))
  This skips recording for the first 3 seconds before writing audio to the file.
  Existing MixMonitor behavior remains unchanged when the 's' option is not used.

• app_queue.c: Only announce to head caller if announce_to_first_user

  When announce_to_first_user is false, no announcements are played to the head caller

Upgrade Notes:

• res_geolocation: Fix multiple issues with XML generation.

  Geolocation: In order to correct bugs in both code and
  documentation, the following changes to the parameters for GML geolocation
  locations are now in effect:

  • The documented but unimplemented crs (coordinate reference system) element
    has been added to the location_info parameter that indicates whether the 2d
    or 3d reference system is to be used. If the crs isn't valid for the shape
    specified, an error will be generated. The default depends on the shape
    specified.
  • The Circle, Ellipse and ArcBand shapes MUST use a 2d crs. If crs isn't
    specified, it will default to 2d for these shapes.
    The Sphere, Ellipsoid and Prism shapes MUST use a 3d crs. If crs isn't
    specified, it will default to 3d for these shapes.
    The Point and Polygon shapes may use either crs. The default crs is 2d
    however so if 3d positions are used, the crs must be explicitly set to 3d.
  • The geoloc show gml_shape_defs CLI command has been updated to show which
    coordinate reference systems are valid for each shape.
  • The pos3d element has been removed in favor of allowing the pos element
    to include altitude if the crs is 3d. The number of values in the pos
    element MUST be 2 if the crs is 2d and 3 if the crs is 3d. An error
    will be generated for any other combination.
  • The angle unit-of-measure for shapes that use angles should now be included
    in the respective parameter. The default is degrees. There were some
    inconsistent references to orientation_uom in some documentation but that
    parameter never worked and is now removed. See examples below.
    Examples...

    location_info = shape="Sphere", pos="39.0 -105.0 1620", radius="20"
    location_info = shape="Point", crs="3d", pos="39.0 -105.0 1620"
    location_info = shape="Point", pos="39.0 -105.0"
    location_info = shape=Ellipsoid, pos="39.0 -105.0 1620", semiMajorAxis="20"
                  semiMinorAxis="10", verticalAxis="0", orientation="25 degrees"
    pidf_element_id = ${CHANNEL(name)}-${EXTEN}
    device_id = mac:001122334455
    Set(GEOLOC_PROFILE(pidf_element_id)=${CHANNEL(name)}/${EXTEN})
  

• pjsip: Move from threadpool to taskpool

  The threadpool_* options in pjsip.conf have now
  been deprecated though they continue to be read and used.
  They have been replaced with taskpool options that give greater
  control over the underlying taskpool used for PJSIP. An alembic
  upgrade script has been added to add these options to realtime
  as well.

• app_directed_pickup.c: Change some log messages from NOTICE to VERBOSE.

  In an effort to reduce log spam, two normal progress
  "pickup attempted" log messages from app_directed_pickup have been changed
  from NOTICE to VERBOSE(3). This puts them on par with other normal
  dialplan progress messages.

Developer Notes:

• ccss: Add option to ccss.conf to globally disable it.

  A new API ast_is_cc_enabled() has been added. It should be
  used to ensure that CCSS is enabled before making any other ast_cc_* calls.

• chan_websocket: Add ability to place a MARK in the media stream.

  Apps can now send a MARK_MEDIA command with an optional
  correlation_id parameter to chan_websocket which will be placed in the
  media frame queue. When that frame is dequeued after all intervening media
  has been played to the core, chan_websocket will send a
  MEDIA_MARK_PROCESSED event to the app with the same correlation_id
  (if any).

• chan_websocket: Add capability for JSON control messages and events.

  The chan_websocket plain-text control and event messages are now
  deprecated (but remain the default) in favor of JSON formatted messages.
  See https://docs.asterisk.org/Configuration/Channel-Drivers/WebSocket for
  more information.
  A "transport_data" parameter has been added to the

Commit Authors:

• Alexei Gradinari: (1)
• C. Maj: (1)
• Daouda Taha: (1)
• George Joseph: (12)
• Joe Garlick: (2)
• Joshua C. Colp: (1)
• Justin T. Gibbs: (1)
• Kristian F. Høgh: (1)
• Maximilian Fridrich: (2)
• Michal Hajek: (1)
• Mike Bradeen: (2)
• Nathaniel Wesley Filardo: (1)
• Naveen Albert: (4)
• Paul Donald: (1)
• Peter Krall: (1)
• Sean Bright: (17)
• Sven Kube: (1)
• Tinet-mucw: (2)
• phoneben: (5)
• sarangr7: (1)

The Asterisk Development Team would like to announce
the release of asterisk-22.8.0.

The release artifacts are available for immediate download at
https://github.com/asterisk/asterisk/releases/tag/22.8.0
and
https://downloads.asterisk.org/pub/telephony/asterisk

Repository: https://github.com/asterisk/asterisk
Tag: 22.8.0

This release resolves issues reported by the community
and would have not been possible without your participation.

Thank You!

Change Log for Release asterisk-22.8.0

Links:

• Full ChangeLog
• GitHub Diff
• Tarball
• Downloads

Summary:

• Commits: 57
• Commit Authors: 19
• Issues Resolved: 40
• Security Advisories Resolved: 0

User Notes:

• chan_websocket.conf.sample: Fix category name.

  The category name in the chan_websocket.conf.sample file was
  incorrect. It should be "global" instead of "general".

• cli.c: Allow 'channel request hangup' to accept patterns.

  The 'channel request hangup' CLI command now accepts
  multiple channel names, POSIX Extended Regular Expressions, glob-like
  patterns, or a combination of all of them. See the CLI command 'core
  show help channel request hangup' for full details.

• res_sorcery_memory_cache: Reduce cache lock time for sorcery memory cache populate command

  The AMI command sorcery memory cache populate will now
  return an error if there is an internal error performing the populate.
  The CLI command will display an error in this case as well.

• res_geolocation: Fix multiple issues with XML generation.

  Geolocation: Two new optional profile parameters have been added.

  • pidf_element_id which sets the value of the id attribute on the top-level
    PIDF-LO device, person or tuple elements.
  • device_id which sets the content of the <deviceID> element.
    Both parameters can include channel variables.

• res_pjsip_messaging: Add support for following 3xx redirects

  A new pjsip endpoint option follow_redirect_methods was added.
  This option is a comma-delimited, case-insensitive list of SIP methods
  for which SIP 3XX redirect responses are followed. An alembic upgrade
  script has been added for adding this new option to the Asterisk
  database.

• taskprocessors: Improve logging and add new cli options

  New CLI command has been added -
  core show taskprocessor name

• ccss: Add option to ccss.conf to globally disable it.

  A new "enabled" parameter has been added to ccss.conf. It defaults
  to "yes" to preserve backwards compatibility but CCSS is rarely used so
  setting "enabled = no" in the "general" section can save some unneeded channel
  locking operations and log message spam. Disabling ccss will also prevent
  the func_callcompletion and chan_dahdi modules from loading.

• Makefile: Add module-list-* targets.

  Try "make module-list-deprecated" to see what modules
  are on their way out the door.

• app_mixmonitor: Add 's' (skip) option to delay recording.

  This change introduces a new 's()' (skip) option to the MixMonitor
  application. Example:
  MixMonitor(${UNIQUEID}.wav,s(3))
  This skips recording for the first 3 seconds before writing audio to the file.
  Existing MixMonitor behavior remains unchanged when the 's' option is not used.

• app_queue.c: Only announce to head caller if announce_to_first_user

  When announce_to_first_user is false, no announcements are played to the head caller

Upgrade Notes:

• res_geolocation: Fix multiple issues with XML generation.

  Geolocation: In order to correct bugs in both code and
  documentation, the following changes to the parameters for GML geolocation
  locations are now in effect:

  • The documented but unimplemented crs (coordinate reference system) element
    has been added to the location_info parameter that indicates whether the 2d
    or 3d reference system is to be used. If the crs isn't valid for the shape
    specified, an error will be generated. The default depends on the shape
    specified.
  • The Circle, Ellipse and ArcBand shapes MUST use a 2d crs. If crs isn't
    specified, it will default to 2d for these shapes.
    The Sphere, Ellipsoid and Prism shapes MUST use a 3d crs. If crs isn't
    specified, it will default to 3d for these shapes.
    The Point and Polygon shapes may use either crs. The default crs is 2d
    however so if 3d positions are used, the crs must be explicitly set to 3d.
  • The geoloc show gml_shape_defs CLI command has been updated to show which
    coordinate reference systems are valid for each shape.
  • The pos3d element has been removed in favor of allowing the pos element
    to include altitude if the crs is 3d. The number of values in the pos
    element MUST be 2 if the crs is 2d and 3 if the crs is 3d. An error
    will be generated for any other combination.
  • The angle unit-of-measure for shapes that use angles should now be included
    in the respective parameter. The default is degrees. There were some
    inconsistent references to orientation_uom in some documentation but that
    parameter never worked and is now removed. See examples below.
    Examples...

    location_info = shape="Sphere", pos="39.0 -105.0 1620", radius="20"
    location_info = shape="Point", crs="3d", pos="39.0 -105.0 1620"
    location_info = shape="Point", pos="39.0 -105.0"
    location_info = shape=Ellipsoid, pos="39.0 -105.0 1620", semiMajorAxis="20"
                  semiMinorAxis="10", verticalAxis="0", orientation="25 degrees"
    pidf_element_id = ${CHANNEL(name)}-${EXTEN}
    device_id = mac:001122334455
    Set(GEOLOC_PROFILE(pidf_element_id)=${CHANNEL(name)}/${EXTEN})
  

• pjsip: Move from threadpool to taskpool

  The threadpool_* options in pjsip.conf have now
  been deprecated though they continue to be read and used.
  They have been replaced with taskpool options that give greater
  control over the underlying taskpool used for PJSIP. An alembic
  upgrade script has been added to add these options to realtime
  as well.

• app_directed_pickup.c: Change some log messages from NOTICE to VERBOSE.

  In an effort to reduce log spam, two normal progress
  "pickup attempted" log messages from app_directed_pickup have been changed
  from NOTICE to VERBOSE(3). This puts them on par with other normal
  dialplan progress messages.

Developer Notes:

• ccss: Add option to ccss.conf to globally disable it.

  A new API ast_is_cc_enabled() has been added. It should be
  used to ensure that CCSS is enabled before making any other ast_cc_* calls.

• chan_websocket: Add ability to place a MARK in the media stream.

  Apps can now send a MARK_MEDIA command with an optional
  correlation_id parameter to chan_websocket which will be placed in the
  media frame queue. When that frame is dequeued after all intervening media
  has been played to the core, chan_websocket will send a
  MEDIA_MARK_PROCESSED event to the app with the same correlation_id
  (if any).

• chan_websocket: Add capability for JSON control messages and events.

  The chan_websocket plain-text control and event messages are now
  deprecated (but remain the default) in favor of JSON formatted messages.
  See https://docs.asterisk.org/Configuration/Channel-Drivers/WebSocket for
  more information.
  A "transport_data" parameter has been added to the

Commit Authors:

• Alexei Gradinari: (1)
• C. Maj: (1)
• Daouda Taha: (1)
• George Joseph: (12)
• Joe Garlick: (2)
• Joshua C. Colp: (1)
• Justin T. Gibbs: (1)
• Kristian F. Høgh: (1)
• Maximilian Fridrich: (2)
• Michal Hajek: (1)
• Mike Bradeen: (2)
• Nathaniel Wesley Filardo: (1)
• Naveen Albert: (4)
• Peter Krall: (1)
• Sean Bright: (17)
• Sven Kube: (1)
• Tinet-mucw: (2)
• phoneben: (5)
• sarangr7: (1)

The Asterisk Development Team would like to announce
the release of asterisk-20.18.0.

The release artifacts are available for immediate download at
https://github.com/asterisk/asterisk/releases/tag/20.18.0
and
https://downloads.asterisk.org/pub/telephony/asterisk

Repository: https://github.com/asterisk/asterisk
Tag: 20.18.0

This release resolves issues reported by the community
and would have not been possible without your participation.

Thank You!

Change Log for Release asterisk-20.18.0

Links:

• Full ChangeLog
• GitHub Diff
• Tarball
• Downloads

Summary:

• Commits: 57
• Commit Authors: 20
• Issues Resolved: 40
• Security Advisories Resolved: 0

User Notes:

• chan_websocket.conf.sample: Fix category name.

  The category name in the chan_websocket.conf.sample file was
  incorrect. It should be "global" instead of "general".

• cli.c: Allow 'channel request hangup' to accept patterns.

  The 'channel request hangup' CLI command now accepts
  multiple channel names, POSIX Extended Regular Expressions, glob-like
  patterns, or a combination of all of them. See the CLI command 'core
  show help channel request hangup' for full details.

• res_sorcery_memory_cache: Reduce cache lock time for sorcery memory cache populate command

  The AMI command sorcery memory cache populate will now
  return an error if there is an internal error performing the populate.
  The CLI command will display an error in this case as well.

• res_geolocation: Fix multiple issues with XML generation.

  Geolocation: Two new optional profile parameters have been added.

  • pidf_element_id which sets the value of the id attribute on the top-level
    PIDF-LO device, person or tuple elements.
  • device_id which sets the content of the <deviceID> element.
    Both parameters can include channel variables.

• res_pjsip_messaging: Add support for following 3xx redirects

  A new pjsip endpoint option follow_redirect_methods was added.
  This option is a comma-delimited, case-insensitive list of SIP methods
  for which SIP 3XX redirect responses are followed. An alembic upgrade
  script has been added for adding this new option to the Asterisk
  database.

• taskprocessors: Improve logging and add new cli options

  New CLI command has been added -
  core show taskprocessor name

• ccss: Add option to ccss.conf to globally disable it.

  A new "enabled" parameter has been added to ccss.conf. It defaults
  to "yes" to preserve backwards compatibility but CCSS is rarely used so
  setting "enabled = no" in the "general" section can save some unneeded channel
  locking operations and log message spam. Disabling ccss will also prevent
  the func_callcompletion and chan_dahdi modules from loading.

• Makefile: Add module-list-* targets.

  Try "make module-list-deprecated" to see what modules
  are on their way out the door.

• app_mixmonitor: Add 's' (skip) option to delay recording.

  This change introduces a new 's()' (skip) option to the MixMonitor
  application. Example:
  MixMonitor(${UNIQUEID}.wav,s(3))
  This skips recording for the first 3 seconds before writing audio to the file.
  Existing MixMonitor behavior remains unchanged when the 's' option is not used.

• app_queue.c: Only announce to head caller if announce_to_first_user

  When announce_to_first_user is false, no announcements are played to the head caller

Upgrade Notes:

• res_geolocation: Fix multiple issues with XML generation.

  Geolocation: In order to correct bugs in both code and
  documentation, the following changes to the parameters for GML geolocation
  locations are now in effect:

  • The documented but unimplemented crs (coordinate reference system) element
    has been added to the location_info parameter that indicates whether the 2d
    or 3d reference system is to be used. If the crs isn't valid for the shape
    specified, an error will be generated. The default depends on the shape
    specified.
  • The Circle, Ellipse and ArcBand shapes MUST use a 2d crs. If crs isn't
    specified, it will default to 2d for these shapes.
    The Sphere, Ellipsoid and Prism shapes MUST use a 3d crs. If crs isn't
    specified, it will default to 3d for these shapes.
    The Point and Polygon shapes may use either crs. The default crs is 2d
    however so if 3d positions are used, the crs must be explicitly set to 3d.
  • The geoloc show gml_shape_defs CLI command has been updated to show which
    coordinate reference systems are valid for each shape.
  • The pos3d element has been removed in favor of allowing the pos element
    to include altitude if the crs is 3d. The number of values in the pos
    element MUST be 2 if the crs is 2d and 3 if the crs is 3d. An error
    will be generated for any other combination.
  • The angle unit-of-measure for shapes that use angles should now be included
    in the respective parameter. The default is degrees. There were some
    inconsistent references to orientation_uom in some documentation but that
    parameter never worked and is now removed. See examples below.
    Examples...

    location_info = shape="Sphere", pos="39.0 -105.0 1620", radius="20"
    location_info = shape="Point", crs="3d", pos="39.0 -105.0 1620"
    location_info = shape="Point", pos="39.0 -105.0"
    location_info = shape=Ellipsoid, pos="39.0 -105.0 1620", semiMajorAxis="20"
                  semiMinorAxis="10", verticalAxis="0", orientation="25 degrees"
    pidf_element_id = ${CHANNEL(name)}-${EXTEN}
    device_id = mac:001122334455
    Set(GEOLOC_PROFILE(pidf_element_id)=${CHANNEL(name)}/${EXTEN})
  

• pjsip: Move from threadpool to taskpool

  The threadpool_* options in pjsip.conf have now
  been deprecated though they continue to be read and used.
  They have been replaced with taskpool options that give greater
  control over the underlying taskpool used for PJSIP. An alembic
  upgrade script has been added to add these options to realtime
  as well.

• app_directed_pickup.c: Change some log messages from NOTICE to VERBOSE.

  In an effort to reduce log spam, two normal progress
  "pickup attempted" log messages from app_directed_pickup have been changed
  from NOTICE to VERBOSE(3). This puts them on par with other normal
  dialplan progress messages.

Developer Notes:

• ccss: Add option to ccss.conf to globally disable it.

  A new API ast_is_cc_enabled() has been added. It should be
  used to ensure that CCSS is enabled before making any other ast_cc_* calls.

• chan_websocket: Add ability to place a MARK in the media stream.

  Apps can now send a MARK_MEDIA command with an optional
  correlation_id parameter to chan_websocket which will be placed in the
  media frame queue. When that frame is dequeued after all intervening media
  has been played to the core, chan_websocket will send a
  MEDIA_MARK_PROCESSED event to the app with the same correlation_id
  (if any).

• chan_websocket: Add capability for JSON control messages and events.

  The chan_websocket plain-text control and event messages are now
  deprecated (but remain the default) in favor of JSON formatted messages.
  See https://docs.asterisk.org/Configuration/Channel-Drivers/WebSocket for
  more information.
  A "transport_data" parameter has been added to the

Commit Authors:

• Alexei Gradinari: (1)
• C. Maj: (1)
• Daouda Taha: (1)
• Etienne Lessard: (1)
• George Joseph: (12)
• Joe Garlick: (2)
• Joshua C. Colp: (1)
• Justin T. Gibbs: (1)
• Kristian F. Høgh: (1)
• Maximilian Fridrich: (2)
• Michal Hajek: (1)
• Mike Bradeen: (2)
• Nathaniel Wesley Filardo: (1)
• Naveen Albert: (3)
• Peter Krall: (1)
• Sean Bright: (17)
• Sven Kube: (1)
• Tinet-mucw: (2)
• phoneben: (5)
• sarangr7: (1)

The Asterisk Development Team would like to announce
the release of Certified asterisk-20.7-cert8.

The release artifacts are available for immediate download at
https://github.com/asterisk/asterisk/releases/tag/certified-20.7-cert8
and
https://downloads.asterisk.org/pub/telephony/certified-asterisk

Repository: https://github.com/asterisk/asterisk
Tag: certified-20.7-cert8

This release resolves issues reported by the community
and would have not been possible without your participation.

Thank You!

Change Log for Release asterisk-certified-20.7-cert8

Links:

• Full ChangeLog
• GitHub Diff
• Tarball
• Downloads

Summary:

• Commits: 7
• Commit Authors: 3
• Issues Resolved: 7
• Security Advisories Resolved: 0

User Notes:

• res_sorcery_memory_cache: Reduce cache lock time for sorcery memory cache populate command

  The AMI command sorcery memory cache populate will now
  return an error if there is an internal error performing the populate.
  The CLI command will display an error in this case as well.

• res_geolocation: Fix multiple issues with XML generation.

  Geolocation: Two new optional profile parameters have been added.

  • pidf_element_id which sets the value of the id attribute on the top-level
    PIDF-LO device, person or tuple elements.
  • device_id which sets the content of the <deviceID> element.
    Both parameters can include channel variables.

Upgrade Notes:

• res_geolocation: Fix multiple issues with XML generation.

  Geolocation: In order to correct bugs in both code and
  documentation, the following changes to the parameters for GML geolocation
  locations are now in effect:
  • The documented but unimplemented crs (coordinate reference system) element
    has been added to the location_info parameter that indicates whether the 2d
    or 3d reference system is to be used. If the crs isn't valid for the shape
    specified, an error will be generated. The default depends on the shape
    specified.
  • The Circle, Ellipse and ArcBand shapes MUST use a 2d crs. If crs isn't
    specified, it will default to 2d for these shapes.
    The Sphere, Ellipsoid and Prism shapes MUST use a 3d crs. If crs isn't
    specified, it will default to 3d for these shapes.
    The Point and Polygon shapes may use either crs. The default crs is 2d
    however so if 3d positions are used, the crs must be explicitly set to 3d.
  • The geoloc show gml_shape_defs CLI command has been updated to show which
    coordinate reference systems are valid for each shape.
  • The pos3d element has been removed in favor of allowing the pos element
    to include altitude if the crs is 3d. The number of values in the pos
    element MUST be 2 if the crs is 2d and 3 if the crs is 3d. An error
    will be generated for any other combination.
  • The angle unit-of-measure for shapes that use angles should now be included
    in the respective parameter. The default is degrees. There were some
    inconsistent references to orientation_uom in some documentation but that
    parameter never worked and is now removed. See examples below.
    Examples...

    location_info = shape="Sphere", pos="39.0 -105.0 1620", radius="20"
    location_info = shape="Point", crs="3d", pos="39.0 -105.0 1620"
    location_info = shape="Point", pos="39.0 -105.0"
    location_info = shape=Ellipsoid, pos="39.0 -105.0 1620", semiMajorAxis="20"
                  semiMinorAxis="10", verticalAxis="0", orientation="25 degrees"
    pidf_element_id = ${CHANNEL(name)}-${EXTEN}
    device_id = mac:001122334455
    Set(GEOLOC_PROFILE(pidf_element_id)=${CHANNEL(name)}/${EXTEN})
  

Developer Notes:

Commit Authors:

• George Joseph: (4)
• Mike Bradeen: (2)
• Sean Bright: (1)

The Asterisk Development Team would like to announce
the release of asterisk-22.7.0.

The release artifacts are available for immediate download at
https://github.com/asterisk/asterisk/releases/tag/22.7.0
and
https://downloads.asterisk.org/pub/telephony/asterisk

Repository: https://github.com/asterisk/asterisk
Tag: 22.7.0

This release resolves issues reported by the community
and would have not been possible without your participation.

Thank You!

Change Log for Release asterisk-22.7.0

Links:

• Full ChangeLog
• GitHub Diff
• Tarball
• Downloads

Summary:

• Commits: 52
• Commit Authors: 16
• Issues Resolved: 36
• Security Advisories Resolved: 0

User Notes:

• res_stir_shaken: Add STIR_SHAKEN_ATTESTATION dialplan function.

  The STIR_SHAKEN_ATTESTATION dialplan function has been added
  which will allow suppressing attestation on a call-by-call basis
  regardless of the profile attached to the outgoing endpoint.

• func_channel: Allow R/W of ADSI CPE capability setting.

  CHANNEL(adsicpe) can now be read or written to change
  the channels' ADSI CPE capability setting.

• func_hangupcause.c: Add access to Reason headers via HANGUPCAUSE()

  Added a new option to HANGUPCAUSE to access additional
  information about hangup reason. Reason headers from pjsip
  could be read using 'tech_extended' cause type.

• func_math: Add DIGIT_SUM function.

  The DIGIT_SUM function can be used to return the digit sum of
  a number.

• app_sf: Add post-digit timer option to ReceiveSF.

  The 't' option for ReceiveSF now allows for a timer since
  the last digit received, in addition to the number-wide timeout.

• app_dial: Allow fractional seconds for dial timeouts.

  The answer and progress dial timeouts now have millisecond
  precision, instead of having to be whole numbers.

• chan_dahdi: Add DAHDI_CHANNEL function.

  The DAHDI_CHANNEL function allows for getting/setting
  certain properties about DAHDI channels from the dialplan.

Upgrade Notes:

• app_queue.c: Fix error in Queue parameter documentation.

  As part of Asterisk 21, macros were removed from Asterisk.
  This resulted in argument order changing for the Queue dialplan
  application since the macro argument was removed. Upgrade notice was
  missed when this was done, so this upgrade note has been added to
  provide a record of such and a notice to users who may have not upgraded
  yet.

• res_audiosocket: add message types for all slin sample rates

  New audiosocket message types 0x11 - 0x18 has been added
  for slin12, slin16, slin24, slin32, slin44, slin48, slin96, and
  slin192 audio. External applications using audiosocket may need to be
  updated to support these message types if the audiosocket channel is
  created with one of these audio formats.

• taskpool: Add taskpool API, switch Stasis to using it.

  The threadpool_* options in stasis.conf have now been deprecated
  though they continue to be read and used. They have been replaced with taskpool
  options that give greater control over the underlying taskpool used for stasis.

Developer Notes:

• chan_pjsip: Add technology-specific off-nominal hangup cause to events.

  A "tech_cause" parameter has been added to the
  ChannelHangupRequest and ChannelDestroyed ARI event messages and a "TechCause"
  parameter has been added to the HangupRequest, SoftHangupRequest and Hangup
  AMI event messages. For chan_pjsip, these will be set to the last SIP
  response status code for off-nominally terminated calls. The parameter is
  suppressed for nominal termination.

• ARI: The bridges play and record APIs now handle sample rates > 8K correctly.

  The ARI /bridges/play and /bridges/record REST APIs have new
  parameters that allow the caller to specify the format to be used on the
  "Announcer" and "Recorder" channels respecitvely.

• taskpool: Add taskpool API, switch Stasis to using it.

  The taskpool API has been added for common usage of a
  pool of taskprocessors. It is suggested to use this API instead of the
  threadpool+taskprocessor approach.

Commit Authors:

• Anthony Minessale: (1)
• Bastian Triller: (1)
• Ben Ford: (2)
• Christoph Moench-Tegeder: (1)
• George Joseph: (9)
• Igor Goncharovsky: (1)
• Joshua C. Colp: (6)
• Max Grobecker: (1)
• Nathan Monfils: (1)
• Naveen Albert: (18)
• Roman Pertsev: (1)
• Sean Bright: (3)
• Sven Kube: (3)
• Tinet-mucw: (1)
• gauravs456: (1)
• phoneben: (2)

The Asterisk Development Team would like to announce
the release of asterisk-21.12.0.

The release artifacts are available for immediate download at
https://github.com/asterisk/asterisk/releases/tag/21.12.0
and
https://downloads.asterisk.org/pub/telephony/asterisk

Repository: https://github.com/asterisk/asterisk
Tag: 21.12.0

This release resolves issues reported by the community
and would have not been possible without your participation.

Thank You!

Change Log for Release asterisk-21.12.0

Links:

• Full ChangeLog
• GitHub Diff
• Tarball
• Downloads

Summary:

• Commits: 20
• Commit Authors: 10
• Issues Resolved: 13
• Security Advisories Resolved: 0

User Notes:

• func_hangupcause.c: Add access to Reason headers via HANGUPCAUSE()

  Added a new option to HANGUPCAUSE to access additional
  information about hangup reason. Reason headers from pjsip
  could be read using 'tech_extended' cause type.

• chan_dahdi: Add DAHDI_CHANNEL function.

  The DAHDI_CHANNEL function allows for getting/setting
  certain properties about DAHDI channels from the dialplan.

Upgrade Notes:

• res_audiosocket: add message types for all slin sample rates

  New audiosocket message types 0x11 - 0x18 has been added
  for slin12, slin16, slin24, slin32, slin44, slin48, slin96, and
  slin192 audio. External applications using audiosocket may need to be
  updated to support these message types if the audiosocket channel is
  created with one of these audio formats.

Developer Notes:

Commit Authors:

• Bastian Triller: (1)
• Ben Ford: (1)
• George Joseph: (4)
• Igor Goncharovsky: (1)
• Max Grobecker: (1)
• Nathan Monfils: (1)
• Naveen Albert: (4)
• Sean Bright: (3)
• Sven Kube: (3)
• phoneben: (1)

The Asterisk Development Team would like to announce
the release of asterisk-23.1.0.

The release artifacts are available for immediate download at
https://github.com/asterisk/asterisk/releases/tag/23.1.0
and
https://downloads.asterisk.org/pub/telephony/asterisk

Repository: https://github.com/asterisk/asterisk
Tag: 23.1.0

This release resolves issues reported by the community
and would have not been possible without your participation.

Thank You!

Change Log for Release asterisk-23.1.0

Links:

• Full ChangeLog
• GitHub Diff
• Tarball
• Downloads

Summary:

• Commits: 53
• Commit Authors: 17
• Issues Resolved: 37
• Security Advisories Resolved: 0

User Notes:

• res_stir_shaken: Add STIR_SHAKEN_ATTESTATION dialplan function.

  The STIR_SHAKEN_ATTESTATION dialplan function has been added
  which will allow suppressing attestation on a call-by-call basis
  regardless of the profile attached to the outgoing endpoint.

• func_channel: Allow R/W of ADSI CPE capability setting.

  CHANNEL(adsicpe) can now be read or written to change
  the channels' ADSI CPE capability setting.

• func_hangupcause.c: Add access to Reason headers via HANGUPCAUSE()

  Added a new option to HANGUPCAUSE to access additional
  information about hangup reason. Reason headers from pjsip
  could be read using 'tech_extended' cause type.

• func_math: Add DIGIT_SUM function.

  The DIGIT_SUM function can be used to return the digit sum of
  a number.

• app_sf: Add post-digit timer option to ReceiveSF.

  The 't' option for ReceiveSF now allows for a timer since
  the last digit received, in addition to the number-wide timeout.

• app_dial: Allow fractional seconds for dial timeouts.

  The answer and progress dial timeouts now have millisecond
  precision, instead of having to be whole numbers.

• chan_dahdi: Add DAHDI_CHANNEL function.

  The DAHDI_CHANNEL function allows for getting/setting
  certain properties about DAHDI channels from the dialplan.

Upgrade Notes:

• app_queue.c: Fix error in Queue parameter documentation.

  As part of Asterisk 21, macros were removed from Asterisk.
  This resulted in argument order changing for the Queue dialplan
  application since the macro argument was removed. Upgrade notice was
  missed when this was done, so this upgrade note has been added to
  provide a record of such and a notice to users who may have not upgraded
  yet.

• res_audiosocket: add message types for all slin sample rates

  New audiosocket message types 0x11 - 0x18 has been added
  for slin12, slin16, slin24, slin32, slin44, slin48, slin96, and
  slin192 audio. External applications using audiosocket may need to be
  updated to support these message types if the audiosocket channel is
  created with one of these audio formats.

• taskpool: Add taskpool API, switch Stasis to using it.

  The threadpool_* options in stasis.conf have now been deprecated
  though they continue to be read and used. They have been replaced with taskpool
  options that give greater control over the underlying taskpool used for stasis.

Developer Notes:

• chan_pjsip: Add technology-specific off-nominal hangup cause to events.

  A "tech_cause" parameter has been added to the
  ChannelHangupRequest and ChannelDestroyed ARI event messages and a "TechCause"
  parameter has been added to the HangupRequest, SoftHangupRequest and Hangup
  AMI event messages. For chan_pjsip, these will be set to the last SIP
  response status code for off-nominally terminated calls. The parameter is
  suppressed for nominal termination.

• ARI: The bridges play and record APIs now handle sample rates > 8K correctly.

  The ARI /bridges/play and /bridges/record REST APIs have new
  parameters that allow the caller to specify the format to be used on the
  "Announcer" and "Recorder" channels respecitvely.

• taskpool: Add taskpool API, switch Stasis to using it.

  The taskpool API has been added for common usage of a
  pool of taskprocessors. It is suggested to use this API instead of the
  threadpool+taskprocessor approach.

Commit Authors:

• Allan Nathanson: (1)
• Anthony Minessale: (1)
• Bastian Triller: (1)
• Ben Ford: (2)
• Christoph Moench-Tegeder: (1)
• George Joseph: (9)
• Igor Goncharovsky: (1)
• Joshua C. Colp: (6)
• Max Grobecker: (1)
• Nathan Monfils: (1)
• Naveen Albert: (18)
• Roman Pertsev: (1)
• Sean Bright: (3)
• Sven Kube: (3)
• Tinet-mucw: (1)
• gauravs456: (1)
• phoneben: (2)

The Asterisk Development Team would like to announce
the release of asterisk-20.17.0.

The release artifacts are available for immediate download at
https://github.com/asterisk/asterisk/releases/tag/20.17.0
and
https://downloads.asterisk.org/pub/telephony/asterisk

Repository: https://github.com/asterisk/asterisk
Tag: 20.17.0

This release resolves issues reported by the community
and would have not been possible without your participation.

Thank You!

Change Log for Release asterisk-20.17.0

Links:

• Full ChangeLog
• GitHub Diff
• Tarball
• Downloads

Summary:

• Commits: 50
• Commit Authors: 16
• Issues Resolved: 34
• Security Advisories Resolved: 0

User Notes:

• res_stir_shaken: Add STIR_SHAKEN_ATTESTATION dialplan function.

  The STIR_SHAKEN_ATTESTATION dialplan function has been added
  which will allow suppressing attestation on a call-by-call basis
  regardless of the profile attached to the outgoing endpoint.

• func_channel: Allow R/W of ADSI CPE capability setting.

  CHANNEL(adsicpe) can now be read or written to change
  the channels' ADSI CPE capability setting.

• func_hangupcause.c: Add access to Reason headers via HANGUPCAUSE()

  Added a new option to HANGUPCAUSE to access additional
  information about hangup reason. Reason headers from pjsip
  could be read using 'tech_extended' cause type.

• func_math: Add DIGIT_SUM function.

  The DIGIT_SUM function can be used to return the digit sum of
  a number.

• app_sf: Add post-digit timer option to ReceiveSF.

  The 't' option for ReceiveSF now allows for a timer since
  the last digit received, in addition to the number-wide timeout.

• app_dial: Allow fractional seconds for dial timeouts.

  The answer and progress dial timeouts now have millisecond
  precision, instead of having to be whole numbers.

• chan_dahdi: Add DAHDI_CHANNEL function.

  The DAHDI_CHANNEL function allows for getting/setting
  certain properties about DAHDI channels from the dialplan.

Upgrade Notes:

• res_audiosocket: add message types for all slin sample rates

  New audiosocket message types 0x11 - 0x18 has been added
  for slin12, slin16, slin24, slin32, slin44, slin48, slin96, and
  slin192 audio. External applications using audiosocket may need to be
  updated to support these message types if the audiosocket channel is
  created with one of these audio formats.

• taskpool: Add taskpool API, switch Stasis to using it.

  The threadpool_* options in stasis.conf have now been deprecated
  though they continue to be read and used. They have been replaced with taskpool
  options that give greater control over the underlying taskpool used for stasis.

Developer Notes:

• chan_pjsip: Add technology-specific off-nominal hangup cause to events.

  A "tech_cause" parameter has been added to the
  ChannelHangupRequest and ChannelDestroyed ARI event messages and a "TechCause"
  parameter has been added to the HangupRequest, SoftHangupRequest and Hangup
  AMI event messages. For chan_pjsip, these will be set to the last SIP
  response status code for off-nominally terminated calls. The parameter is
  suppressed for nominal termination.

• ARI: The bridges play and record APIs now handle sample rates > 8K correctly.

  The ARI /bridges/play and /bridges/record REST APIs have new
  parameters that allow the caller to specify the format to be used on the
  "Announcer" and "Recorder" channels respecitvely.

• taskpool: Add taskpool API, switch Stasis to using it.

  The taskpool API has been added for common usage of a
  pool of taskprocessors. It is suggested to use this API instead of the
  threadpool+taskprocessor approach.

Commit Authors:

• Anthony Minessale: (1)
• Bastian Triller: (1)
• Ben Ford: (1)
• Christoph Moench-Tegeder: (1)
• George Joseph: (9)
• Igor Goncharovsky: (1)
• Joshua C. Colp: (6)
• Max Grobecker: (1)
• Nathan Monfils: (1)
• Naveen Albert: (17)
• Roman Pertsev: (1)
• Sean Bright: (3)
• Sven Kube: (3)
• Tinet-mucw: (1)
• gauravs456: (1)
• phoneben: (2)

The Asterisk Development Team would like to announce
the release of asterisk-23.0.0.

The release artifacts are available for immediate download at
https://github.com/asterisk/asterisk/releases/tag/23.0.0
and
https://downloads.asterisk.org/pub/telephony/asterisk

Repository: https://github.com/asterisk/asterisk
Tag: 23.0.0

This release resolves issues reported by the community
and would have not been possible without your participation.

Thank You!

Change Log for Release asterisk-23.0.0

Links:

• Full ChangeLog
• GitHub Diff
• Tarball
• Downloads

Summary:

• Commits: 45
• Commit Authors: 14
• Issues Resolved: 36
• Security Advisories Resolved: 1
  • GHSA-64qc-9x89-rx5j: A specifically malformed Authorization header in an incoming SIP request can cause Asterisk to crash

User Notes:

• app_queue.c: Add new global 'log_unpause_on_reason_change'

  Add new global option 'log_unpause_on_reason_change' that
  is default disabled. When enabled cause addition of UNPAUSE event on
  every re-PAUSE with reason changed.

• pbx_builtins: Allow custom tone for WaitExten.

  The tone used while waiting for digits in WaitExten
  can now be overridden by specifying an argument for the 'd'
  option.

• res_tonedetect: Add option for TONE_DETECT detection to auto stop.

  The 'e' option for TONE_DETECT now allows detection to
  be disabled automatically once the desired number of matches have
  been fulfilled, which can help prevent race conditions in the
  dialplan, since TONE_DETECT does not need to be disabled after
  a hit.

• sorcery: Prevent duplicate objects and ensure missing objects are created on u..

  Users relying on Sorcery multiple writable backends configurations
  (e.g., astdb + realtime) may now enable update_or_create_on_update_miss = yes
  in sorcery.conf to ensure missing objects are recreated after temporary backend
  failures. Default behavior remains unchanged unless explicitly enabled.

• chan_websocket: Allow additional URI parameters to be added to the outgoing URI.

  A new WebSocket channel driver option v has been added to the
  Dial application that allows you to specify additional URI parameters on
  outgoing connections. Run core show application Dial from the Asterisk CLI
  to see how to use it.

• app_chanspy: Add option to not automatically answer channel.

  ChanSpy and ExtenSpy can now be configured to not
  automatically answer the channel by using the 'N' option.

Upgrade Notes:

• config.c Make ast_variable_update update last match.

  Config variables, when set/updated, such as via AMI,
  will now have the corresponding setting updated, even if their
  sections inherit from template sections.

• config.c: Make ast_variable_retrieve return last match.

  Config variables retrieved explicitly by name now return
  the most recently overriding value as opposed to the base value (e.g.
  from a template). This is equivalent to retrieving a config setting
  using the -1 index to the AST_CONFIG function. The major implication of
  this is that modules processing configs by explicitly retrieving variables
  by name will now get the effective value of a variable as overridden in
  a config rather than the first-set value (from a template), which is
  consistent with how other modules load config settings.

• users.conf: Remove deprecated users.conf integration.

  users.conf has been removed and all channel drivers must
  be configured using their specific configuration files. The functionality
  previously in users.conf for res_phoneprov is now in phoneprov_users.conf.

• res_agi: Remove deprecated DeadAGI application.

  The DeadAGI application, which was
  deprecated in Asterisk 15, has now been removed.
  The same functionality is available in the AGI app.

• res_musiconhold: Remove options that were deprecated in Asterisk 14.

  The deprecated random and application=r options have
  been removed; use sort=random instead.

• app_voicemail: Remove deprecated options.

  The deprecated maxmessage and minmessage options
  have been removed; use maxsecs and minsecs instead.
  The deprecated 'cz' language has also been removed; use 'cs' instead.

• app_queue: Remove redundant/deprecated function.

  The deprecated QUEUE_MEMBER_COUNT function
  has been removed; use QUEUE_MEMBER(,logged) instead.

• cli.c: Remove deprecated and redundant CLI command.

  The deprecated "no debug channel" command has
  now been removed; use "core set debug channel" instead.

• logger.c: Remove deprecated/redundant configuration option.

  The deprecated rotatetimestamp option has been removed.
  Use rotatestrategy instead.

• func_dialplan: Remove deprecated/redundant function.

  The deprecated VALID_EXTEN function has been removed.
  Use DIALPLAN_EXISTS instead.

Developer Notes:

• ARI: Add command to indicate progress to a channel

  A new ARI endpoint is available at /channels/{channelId}/progress to indicate progress to a channel.

Commit Authors:

• Alexei Gradinari: (1)
• Alexey Khabulyak: (1)
• Allan Nathanson: (1)
• Artem Umerov: (1)
• Ben Ford: (2)
• George Joseph: (7)
• Igor Goncharovsky: (2)
• Joe Garlick: (1)
• Jose Lopes: (1)
• Mike Bradeen: (1)
• Naveen Albert: (23)
• Sean Bright: (2)
• Stuart Henderson: (1)
• Sven Kube: (1)

The Asterisk Development Team would like to announce
the release of asterisk-22.6.0.

The release artifacts are available for immediate download at
https://github.com/asterisk/asterisk/releases/tag/22.6.0
and
https://downloads.asterisk.org/pub/telephony/asterisk

Repository: https://github.com/asterisk/asterisk
Tag: 22.6.0

This release resolves issues reported by the community
and would have not been possible without your participation.

Thank You!

Change Log for Release asterisk-22.6.0

Links:

• Full ChangeLog
• GitHub Diff
• Tarball
• Downloads

Summary:

• Commits: 54
• Commit Authors: 22
• Issues Resolved: 40
• Security Advisories Resolved: 0

User Notes:

• app_queue.c: Add new global 'log_unpause_on_reason_change'

  Add new global option 'log_unpause_on_reason_change' that
  is default disabled. When enabled cause addition of UNPAUSE event on
  every re-PAUSE with reason changed.

• pbx_builtins: Allow custom tone for WaitExten.

  The tone used while waiting for digits in WaitExten
  can now be overridden by specifying an argument for the 'd'
  option.

• res_tonedetect: Add option for TONE_DETECT detection to auto stop.

  The 'e' option for TONE_DETECT now allows detection to
  be disabled automatically once the desired number of matches have
  been fulfilled, which can help prevent race conditions in the
  dialplan, since TONE_DETECT does not need to be disabled after
  a hit.

• sorcery: Prevent duplicate objects and ensure missing objects are created on u..

  Users relying on Sorcery multiple writable backends configurations
  (e.g., astdb + realtime) may now enable update_or_create_on_update_miss = yes
  in sorcery.conf to ensure missing objects are recreated after temporary backend
  failures. Default behavior remains unchanged unless explicitly enabled.

• chan_websocket: Allow additional URI parameters to be added to the outgoing URI.

  A new WebSocket channel driver option v has been added to the
  Dial application that allows you to specify additional URI parameters on
  outgoing connections. Run core show application Dial from the Asterisk CLI
  to see how to use it.

• app_chanspy: Add option to not automatically answer channel.

  ChanSpy and ExtenSpy can now be configured to not
  automatically answer the channel by using the 'N' option.

• cel: Add STREAM_BEGIN, STREAM_END and DTMF event types.

  Enabling the tracking of the
  STREAM_BEGIN and the STREAM_END event
  types in cel.conf will log media files and
  music on hold played to each channel.
  The STREAM_BEGIN event's extra field will
  contain a JSON with the file details (path,
  format and language), or the class name, in
  case of music on hold is played. The DTMF
  event's extra field will contain a JSON with
  the digit and the duration in milliseconds.

• res_srtp: Add menuselect options to enable AES_192, AES_256 and AES_GCM

  Options are now available in the menuselect "Resource Modules"
  category that allow you to enable the AES_192, AES_256 and AES_GCM
  cipher suites in res_srtp. Of course, libsrtp and OpenSSL must support
  them but modern versions do. Previously, the only way to enable them was
  to set the CFLAGS environment variable when running ./configure.
  The default setting is to disable them preserving existing behavior.

• cdr: add CANCEL dispostion in CDR

  A new CDR option "canceldispositionenabled" has been added
  that when set to true, the NO ANSWER disposition will be split into
  two dispositions: CANCEL and NO ANSWER. The default value is 'no'

• func_curl: Allow auth methods to be set.

  The httpauth field in CURLOPT now allows the authentication
  methods to be set.

• Media over Websocket Channel Driver

  A new channel driver "chan_websocket" is now available. It can
  exchange media over both inbound and outbound websockets and will both frame
  and re-time the media it receives.
  See http://s.asterisk.net/mow for more information.
  The ARI channels/externalMedia API now includes support for the

Upgrade Notes:

Developer Notes:

• ARI: Add command to indicate progress to a channel

  A new ARI endpoint is available at /channels/{channelId}/progress to indicate progress to a channel.

• options: Change ast_options from ast_flags to ast_flags64.

  The 32-bit ast_options has no room left to accomodate new
  options and so has been converted to an ast_flags64 structure. All internal
  references to ast_options have been updated to use the 64-bit flag
  manipulation macros. External module references to the 32-bit ast_options
  should continue to work on little-endian systems because the
  least-significant bytes of a 64 bit integer will be in the same location as a
  32-bit integer. Because that's not the case on big-endian systems, we've
  swapped the bytes in the flags manupulation macros on big-endian systems
  so external modules should still work however you are encouraged to test.

Commit Authors:

• Alexei Gradinari: (2)
• Alexey Khabulyak: (2)
• Allan Nathanson: (1)
• Artem Umerov: (1)
• Ben Ford: (1)
• George Joseph: (12)
• Igor Goncharovsky: (2)
• Jaco Kroon: (1)
• Joe Garlick: (1)
• Jose Lopes: (1)
• Kodokaii: (1)
• Martin Tomec: (1)
• Mike Bradeen: (1)
• Mkmer: (1)
• Naveen Albert: (15)
• Sean Bright: (2)
• Sperl Viktor: (2)
• Stanislav Abramenkov: (1)
• Stuart Henderson: (1)
• Sven Kube: (2)
• Tinet-Mucw: (2)
• Zhou_jiajian: (1)

The Asterisk Development Team would like to announce
the release of asterisk-21.11.0.

The release artifacts are available for immediate download at
https://github.com/asterisk/asterisk/releases/tag/21.11.0
and
https://downloads.asterisk.org/pub/telephony/asterisk

Repository: https://github.com/asterisk/asterisk
Tag: 21.11.0

This release resolves issues reported by the community
and would have not been possible without your participation.

Thank You!

Change Log for Release asterisk-21.11.0

Links:

• Full ChangeLog
• GitHub Diff
• Tarball
• Downloads

Summary:

• Commits: 54
• Commit Authors: 22
• Issues Resolved: 40
• Security Advisories Resolved: 0

User Notes:

• app_queue.c: Add new global 'log_unpause_on_reason_change'

  Add new global option 'log_unpause_on_reason_change' that
  is default disabled. When enabled cause addition of UNPAUSE event on
  every re-PAUSE with reason changed.

• pbx_builtins: Allow custom tone for WaitExten.

  The tone used while waiting for digits in WaitExten
  can now be overridden by specifying an argument for the 'd'
  option.

• res_tonedetect: Add option for TONE_DETECT detection to auto stop.

  The 'e' option for TONE_DETECT now allows detection to
  be disabled automatically once the desired number of matches have
  been fulfilled, which can help prevent race conditions in the
  dialplan, since TONE_DETECT does not need to be disabled after
  a hit.

• sorcery: Prevent duplicate objects and ensure missing objects are created on u..

  Users relying on Sorcery multiple writable backends configurations
  (e.g., astdb + realtime) may now enable update_or_create_on_update_miss = yes
  in sorcery.conf to ensure missing objects are recreated after temporary backend
  failures. Default behavior remains unchanged unless explicitly enabled.

• chan_websocket: Allow additional URI parameters to be added to the outgoing URI.

  A new WebSocket channel driver option v has been added to the
  Dial application that allows you to specify additional URI parameters on
  outgoing connections. Run core show application Dial from the Asterisk CLI
  to see how to use it.

• app_chanspy: Add option to not automatically answer channel.

  ChanSpy and ExtenSpy can now be configured to not
  automatically answer the channel by using the 'N' option.

• cel: Add STREAM_BEGIN, STREAM_END and DTMF event types.

  Enabling the tracking of the
  STREAM_BEGIN and the STREAM_END event
  types in cel.conf will log media files and
  music on hold played to each channel.
  The STREAM_BEGIN event's extra field will
  contain a JSON with the file details (path,
  format and language), or the class name, in
  case of music on hold is played. The DTMF
  event's extra field will contain a JSON with
  the digit and the duration in milliseconds.

• res_srtp: Add menuselect options to enable AES_192, AES_256 and AES_GCM

  Options are now available in the menuselect "Resource Modules"
  category that allow you to enable the AES_192, AES_256 and AES_GCM
  cipher suites in res_srtp. Of course, libsrtp and OpenSSL must support
  them but modern versions do. Previously, the only way to enable them was
  to set the CFLAGS environment variable when running ./configure.
  The default setting is to disable them preserving existing behavior.

• cdr: add CANCEL dispostion in CDR

  A new CDR option "canceldispositionenabled" has been added
  that when set to true, the NO ANSWER disposition will be split into
  two dispositions: CANCEL and NO ANSWER. The default value is 'no'

• func_curl: Allow auth methods to be set.

  The httpauth field in CURLOPT now allows the authentication
  methods to be set.

• Media over Websocket Channel Driver

  A new channel driver "chan_websocket" is now available. It can
  exchange media over both inbound and outbound websockets and will both frame
  and re-time the media it receives.
  See http://s.asterisk.net/mow for more information.
  The ARI channels/externalMedia API now includes support for the

Upgrade Notes:

Developer Notes:

• ARI: Add command to indicate progress to a channel

  A new ARI endpoint is available at /channels/{channelId}/progress to indicate progress to a channel.

• options: Change ast_options from ast_flags to ast_flags64.

  The 32-bit ast_options has no room left to accomodate new
  options and so has been converted to an ast_flags64 structure. All internal
  references to ast_options have been updated to use the 64-bit flag
  manipulation macros. External module references to the 32-bit ast_options
  should continue to work on little-endian systems because the
  least-significant bytes of a 64 bit integer will be in the same location as a
  32-bit integer. Because that's not the case on big-endian systems, we've
  swapped the bytes in the flags manupulation macros on big-endian systems
  so external modules should still work however you are encouraged to test.

Commit Authors:

• Alexei Gradinari: (2)
• Alexey Khabulyak: (2)
• Allan Nathanson: (1)
• Artem Umerov: (1)
• Ben Ford: (1)
• George Joseph: (12)
• Igor Goncharovsky: (2)
• Jaco Kroon: (1)
• Joe Garlick: (1)
• Jose Lopes: (1)
• Kodokaii: (1)
• Martin Tomec: (1)
• Mike Bradeen: (1)
• Mkmer: (1)
• Naveen Albert: (15)
• Sean Bright: (2)
• Sperl Viktor: (2)
• Stanislav Abramenkov: (1)
• Stuart Henderson: (1)
• Sven Kube: (2)
• Tinet-Mucw: (2)
• Zhou_jiajian: (1)

The Asterisk Development Team would like to announce
the release of asterisk-20.16.0.

The release artifacts are available for immediate download at
https://github.com/asterisk/asterisk/releases/tag/20.16.0
and
https://downloads.asterisk.org/pub/telephony/asterisk

Repository: https://github.com/asterisk/asterisk
Tag: 20.16.0

This release resolves issues reported by the community
and would have not been possible without your participation.

Thank You!

Change Log for Release asterisk-20.16.0

Links:

• Full ChangeLog
• GitHub Diff
• Tarball
• Downloads

Summary:

• Commits: 54
• Commit Authors: 22
• Issues Resolved: 40
• Security Advisories Resolved: 0

User Notes:

• app_queue.c: Add new global 'log_unpause_on_reason_change'

  Add new global option 'log_unpause_on_reason_change' that
  is default disabled. When enabled cause addition of UNPAUSE event on
  every re-PAUSE with reason changed.

• pbx_builtins: Allow custom tone for WaitExten.

  The tone used while waiting for digits in WaitExten
  can now be overridden by specifying an argument for the 'd'
  option.

• res_tonedetect: Add option for TONE_DETECT detection to auto stop.

  The 'e' option for TONE_DETECT now allows detection to
  be disabled automatically once the desired number of matches have
  been fulfilled, which can help prevent race conditions in the
  dialplan, since TONE_DETECT does not need to be disabled after
  a hit.

• sorcery: Prevent duplicate objects and ensure missing objects are created on u..

  Users relying on Sorcery multiple writable backends configurations
  (e.g., astdb + realtime) may now enable update_or_create_on_update_miss = yes
  in sorcery.conf to ensure missing objects are recreated after temporary backend
  failures. Default behavior remains unchanged unless explicitly enabled.

• chan_websocket: Allow additional URI parameters to be added to the outgoing URI.

  A new WebSocket channel driver option v has been added to the
  Dial application that allows you to specify additional URI parameters on
  outgoing connections. Run core show application Dial from the Asterisk CLI
  to see how to use it.

• app_chanspy: Add option to not automatically answer channel.

  ChanSpy and ExtenSpy can now be configured to not
  automatically answer the channel by using the 'N' option.

• cel: Add STREAM_BEGIN, STREAM_END and DTMF event types.

  Enabling the tracking of the
  STREAM_BEGIN and the STREAM_END event
  types in cel.conf will log media files and
  music on hold played to each channel.
  The STREAM_BEGIN event's extra field will
  contain a JSON with the file details (path,
  format and language), or the class name, in
  case of music on hold is played. The DTMF
  event's extra field will contain a JSON with
  the digit and the duration in milliseconds.

• res_srtp: Add menuselect options to enable AES_192, AES_256 and AES_GCM

  Options are now available in the menuselect "Resource Modules"
  category that allow you to enable the AES_192, AES_256 and AES_GCM
  cipher suites in res_srtp. Of course, libsrtp and OpenSSL must support
  them but modern versions do. Previously, the only way to enable them was
  to set the CFLAGS environment variable when running ./configure.
  The default setting is to disable them preserving existing behavior.

• cdr: add CANCEL dispostion in CDR

  A new CDR option "canceldispositionenabled" has been added
  that when set to true, the NO ANSWER disposition will be split into
  two dispositions: CANCEL and NO ANSWER. The default value is 'no'

• func_curl: Allow auth methods to be set.

  The httpauth field in CURLOPT now allows the authentication
  methods to be set.

• Media over Websocket Channel Driver

  A new channel driver "chan_websocket" is now available. It can
  exchange media over both inbound and outbound websockets and will both frame
  and re-time the media it receives.
  See http://s.asterisk.net/mow for more information.
  The ARI channels/externalMedia API now includes support for the

Upgrade Notes:

Developer Notes:

• ARI: Add command to indicate progress to a channel

  A new ARI endpoint is available at /channels/{channelId}/progress to indicate progress to a channel.

• options: Change ast_options from ast_flags to ast_flags64.

  The 32-bit ast_options has no room left to accomodate new
  options and so has been converted to an ast_flags64 structure. All internal
  references to ast_options have been updated to use the 64-bit flag
  manipulation macros. External module references to the 32-bit ast_options
  should continue to work on little-endian systems because the
  least-significant bytes of a 64 bit integer will be in the same location as a
  32-bit integer. Because that's not the case on big-endian systems, we've
  swapped the bytes in the flags manupulation macros on big-endian systems
  so external modules should still work however you are encouraged to test.

Commit Authors:

• Alexei Gradinari: (2)
• Alexey Khabulyak: (2)
• Allan Nathanson: (1)
• Artem Umerov: (1)
• Ben Ford: (1)
• George Joseph: (12)
• Igor Goncharovsky: (2)
• Jaco Kroon: (1)
• Joe Garlick: (1)
• Jose Lopes: (1)
• Kodokaii: (1)
• Martin Tomec: (1)
• Mike Bradeen: (1)
• Mkmer: (1)
• Naveen Albert: (15)
• Sean Bright: (2)
• Sperl Viktor: (2)
• Stanislav Abramenkov: (1)
• Stuart Henderson: (1)
• Sven Kube: (2)
• Tinet-Mucw: (2)
• Zhou_jiajian: (1)

The Asterisk Development Team would like to announce security release
Asterisk 22.5.2.

The release artifacts are available for immediate download at
https://github.com/asterisk/asterisk/releases/tag/22.5.2
and
https://downloads.asterisk.org/pub/telephony/asterisk

Repository: https://github.com/asterisk/asterisk
Tag: 22.5.2

Change Log for Release asterisk-22.5.2

Links:

• Full ChangeLog
• GitHub Diff
• Tarball
• Downloads

Summary:

• Commits: 1
• Commit Authors: 1
• Issues Resolved: 0
• Security Advisories Resolved: 1
  • GHSA-64qc-9x89-rx5j: A specifically malformed Authorization header in an incoming SIP request can cause Asterisk to crash

User Notes:

Upgrade Notes:

Developer Notes:

Commit Authors:

• George Joseph: (1)

Issue and Commit Detail:

Closed Issues:

• !GHSA-64qc-9x89-rx5j: A specifically malformed Authorization header in an incoming SIP request can cause Asterisk to crash

Commits By Author:

• George Joseph (1):

  • res_pjsip_authenticator_digest: Fix SEGV if get_authorization_hdr returns NULL.

Commit List:

• res_pjsip_authenticator_digest: Fix SEGV if get_authorization_hdr returns NULL.

Commit Details:

res_pjsip_authenticator_digest: Fix SEGV if get_authorization_hdr returns NULL.

Author: George Joseph
Date: 2025-08-28

In the highly-unlikely event that get_authorization_hdr() couldn't find an
Authorization header in a request, trying to get the digest algorithm
would cauase a SEGV. We now check that we have an auth header that matches
the realm before trying to get the algorithm from it.

Resolves: #GHSA-64qc-9x89-rx5j

The Asterisk Development Team would like to announce security release
Asterisk 20.15.2.

The release artifacts are available for immediate download at
https://github.com/asterisk/asterisk/releases/tag/20.15.2
and
https://downloads.asterisk.org/pub/telephony/asterisk

Repository: https://github.com/asterisk/asterisk
Tag: 20.15.2

Change Log for Release asterisk-20.15.2

Links:

• Full ChangeLog
• GitHub Diff
• Tarball
• Downloads

Summary:

• Commits: 1
• Commit Authors: 1
• Issues Resolved: 0
• Security Advisories Resolved: 1
  • GHSA-64qc-9x89-rx5j: A specifically malformed Authorization header in an incoming SIP request can cause Asterisk to crash

User Notes:

Upgrade Notes:

Developer Notes:

Commit Authors:

• George Joseph: (1)

Issue and Commit Detail:

Closed Issues:

• !GHSA-64qc-9x89-rx5j: A specifically malformed Authorization header in an incoming SIP request can cause Asterisk to crash

Commits By Author:

• George Joseph (1):

  • res_pjsip_authenticator_digest: Fix SEGV if get_authorization_hdr returns NULL.

Commit List:

• res_pjsip_authenticator_digest: Fix SEGV if get_authorization_hdr returns NULL.

Commit Details:

res_pjsip_authenticator_digest: Fix SEGV if get_authorization_hdr returns NULL.

Author: George Joseph
Date: 2025-08-28

In the highly-unlikely event that get_authorization_hdr() couldn't find an
Authorization header in a request, trying to get the digest algorithm
would cauase a SEGV. We now check that we have an auth header that matches
the realm before trying to get the algorithm from it.

Resolves: #GHSA-64qc-9x89-rx5j

The Asterisk Development Team would like to announce security release
Asterisk 21.10.2.

The release artifacts are available for immediate download at
https://github.com/asterisk/asterisk/releases/tag/21.10.2
and
https://downloads.asterisk.org/pub/telephony/asterisk

Repository: https://github.com/asterisk/asterisk
Tag: 21.10.2

Change Log for Release asterisk-21.10.2

Links:

• Full ChangeLog
• GitHub Diff
• Tarball
• Downloads

Summary:

• Commits: 1
• Commit Authors: 1
• Issues Resolved: 0
• Security Advisories Resolved: 1
  • GHSA-64qc-9x89-rx5j: A specifically malformed Authorization header in an incoming SIP request can cause Asterisk to crash

User Notes:

Upgrade Notes:

Developer Notes:

Commit Authors:

• George Joseph: (1)

Issue and Commit Detail:

Closed Issues:

• !GHSA-64qc-9x89-rx5j: A specifically malformed Authorization header in an incoming SIP request can cause Asterisk to crash

Commits By Author:

• George Joseph (1):

  • res_pjsip_authenticator_digest: Fix SEGV if get_authorization_hdr returns NULL.

Commit List:

• res_pjsip_authenticator_digest: Fix SEGV if get_authorization_hdr returns NULL.

Commit Details:

res_pjsip_authenticator_digest: Fix SEGV if get_authorization_hdr returns NULL.

Author: George Joseph
Date: 2025-08-28

In the highly-unlikely event that get_authorization_hdr() couldn't find an
Authorization header in a request, trying to get the digest algorithm
would cauase a SEGV. We now check that we have an auth header that matches
the realm before trying to get the algorithm from it.

Resolves: #GHSA-64qc-9x89-rx5j

The Asterisk Development Team would like to announce security release
Asterisk 18.26.4.

The release artifacts are available for immediate download at
https://github.com/asterisk/asterisk/releases/tag/18.26.4
and
https://downloads.asterisk.org/pub/telephony/asterisk

Repository: https://github.com/asterisk/asterisk
Tag: 18.26.4

Change Log for Release asterisk-18.26.4

Links:

• Full ChangeLog
• GitHub Diff
• Tarball
• Downloads

Summary:

• Commits: 1
• Commit Authors: 1
• Issues Resolved: 0
• Security Advisories Resolved: 1
  • GHSA-557q-795j-wfx2: Resource exhaustion (DoS) vulnerability: remotely exploitable leak of RTP UDP ports and internal resources

User Notes:

Upgrade Notes:

Developer Notes:

Commit Authors:

• George Joseph: (1)

Issue and Commit Detail:

Closed Issues:

• !GHSA-557q-795j-wfx2: Resource exhaustion (DoS) vulnerability: remotely exploitable leak of RTP UDP ports and internal resources

Commits By Author:

• George Joseph (1):

  • pjproject: Update bundled to 2.15.1.

Commit List:

• pjproject: Update bundled to 2.15.1.

Commit Details:

pjproject: Update bundled to 2.15.1.

Author: George Joseph
Date: 2025-08-25

This resolves a security issue where RTP ports weren't being released
causing possible resource exhaustion issues.

Resolves: #GHSA-557q-795j-wfx2

The Asterisk Development Team would like to announce security release
Certified Asterisk 18.9-cert17.

The release artifacts are available for immediate download at
https://github.com/asterisk/asterisk/releases/tag/certified-18.9-cert17
and
https://downloads.asterisk.org/pub/telephony/certified-asterisk

Repository: https://github.com/asterisk/asterisk
Tag: certified-18.9-cert17

Change Log for Release asterisk-certified-18.9-cert17

Links:

• Full ChangeLog
• GitHub Diff
• Tarball
• Downloads

Summary:

• Commits: 1
• Commit Authors: 1
• Issues Resolved: 0
• Security Advisories Resolved: 1
  • GHSA-557q-795j-wfx2: Resource exhaustion (DoS) vulnerability: remotely exploitable leak of RTP UDP ports and internal resources

User Notes:

Upgrade Notes:

Developer Notes:

Commit Authors:

• George Joseph: (1)

Issue and Commit Detail:

Closed Issues:

• !GHSA-557q-795j-wfx2: Resource exhaustion (DoS) vulnerability: remotely exploitable leak of RTP UDP ports and internal resources

Commits By Author:

• George Joseph (1):

  • pjproject: Update bundled to 2.15.1.

Commit List:

• pjproject: Update bundled to 2.15.1.

Commit Details:

pjproject: Update bundled to 2.15.1.

Author: George Joseph
Date: 2025-08-25

This resolves a security issue where RTP ports weren't being released
causing possible resource exhaustion issues.

Resolves: #GHSA-557q-795j-wfx2

The Asterisk Development Team would like to announce security release
Asterisk 22.5.1.

The release artifacts are available for immediate download at
https://github.com/asterisk/asterisk/releases/tag/22.5.1
and
https://downloads.asterisk.org/pub/telephony/asterisk

Repository: https://github.com/asterisk/asterisk
Tag: 22.5.1

Change Log for Release asterisk-22.5.1

Links:

• Full ChangeLog
• GitHub Diff
• Tarball
• Downloads

Summary:

• Commits: 2
• Commit Authors: 2
• Issues Resolved: 0
• Security Advisories Resolved: 2
  • GHSA-mrq5-74j5-f5cr: Remote DoS and possible RCE in asterisk/res/res_stir_shaken/verification.c
  • GHSA-v9q8-9j8m-5xwp: Uncontrolled Search-Path Element in safe_asterisk script may allow local privilege escalation.

User Notes:

Upgrade Notes:

• safe_asterisk: Add ownership checks for /etc/asterisk/startup.d and its files.

  The safe_asterisk script now checks that, if it was run by the
  root user, the /etc/asterisk/startup.d directory and all the files it contains
  are owned by root. If the checks fail, safe_asterisk will exit with an error
  and Asterisk will not be started. Additionally, the default logging
  destination is now stderr instead of tty "9" which probably won't exist
  in modern systems.

Developer Notes:

Commit Authors:

• George Joseph: (1)
• ThatTotallyRealMyth: (1)

Issue and Commit Detail:

Closed Issues:

• !GHSA-mrq5-74j5-f5cr: Remote DoS and possible RCE in asterisk/res/res_stir_shaken/verification.c
• !GHSA-v9q8-9j8m-5xwp: Uncontrolled Search-Path Element in safe_asterisk script may allow local privilege escalation.

Commits By Author:

• George Joseph (1):

  • res_stir_shaken: Test for missing semicolon in Identity header.

• ThatTotallyRealMyth (1):

  • safe_asterisk: Add ownership checks for /etc/asterisk/startup.d and its files.

Commit List:

• safe_asterisk: Add ownership checks for /etc/asterisk/startup.d and its files.
• res_stir_shaken: Test for missing semicolon in Identity header.

Commit Details:

safe_asterisk: Add ownership checks for /etc/asterisk/startup.d and its files.

Author: ThatTotallyRealMyth
Date: 2025-06-10

UpgradeNote: The safe_asterisk script now checks that, if it was run by the
root user, the /etc/asterisk/startup.d directory and all the files it contains
are owned by root. If the checks fail, safe_asterisk will exit with an error
and Asterisk will not be started. Additionally, the default logging
destination is now stderr instead of tty "9" which probably won't exist
in modern systems.

Resolves: #GHSA-v9q8-9j8m-5xwp

res_stir_shaken: Test for missing semicolon in Identity header.

Author: George Joseph
Date: 2025-07-31

ast_stir_shaken_vs_verify() now makes sure there's a semicolon in
the Identity header to prevent a possible segfault.

Resolves: #GHSA-mrq5-74j5-f5cr

The Asterisk Development Team would like to announce security release
Certified Asterisk 20.7-cert7.

The release artifacts are available for immediate download at
https://github.com/asterisk/asterisk/releases/tag/certified-20.7-cert7
and
https://downloads.asterisk.org/pub/telephony/certified-asterisk

Repository: https://github.com/asterisk/asterisk
Tag: certified-20.7-cert7

Change Log for Release asterisk-certified-20.7-cert7

Links:

• Full ChangeLog
• GitHub Diff
• Tarball
• Downloads

Summary:

• Commits: 2
• Commit Authors: 2
• Issues Resolved: 0
• Security Advisories Resolved: 2
  • GHSA-mrq5-74j5-f5cr: Remote DoS and possible RCE in asterisk/res/res_stir_shaken/verification.c
  • GHSA-v9q8-9j8m-5xwp: Uncontrolled Search-Path Element in safe_asterisk script may allow local privilege escalation.

User Notes:

Upgrade Notes:

• safe_asterisk: Add ownership checks for /etc/asterisk/startup.d and its files.

  The safe_asterisk script now checks that, if it was run by the
  root user, the /etc/asterisk/startup.d directory and all the files it contains
  are owned by root. If the checks fail, safe_asterisk will exit with an error
  and Asterisk will not be started. Additionally, the default logging
  destination is now stderr instead of tty "9" which probably won't exist
  in modern systems.

Developer Notes:

Commit Authors:

• George Joseph: (1)
• ThatTotallyRealMyth: (1)

Issue and Commit Detail:

Closed Issues:

• !GHSA-mrq5-74j5-f5cr: Remote DoS and possible RCE in asterisk/res/res_stir_shaken/verification.c
• !GHSA-v9q8-9j8m-5xwp: Uncontrolled Search-Path Element in safe_asterisk script may allow local privilege escalation.

Commits By Author:

• George Joseph (1):

  • res_stir_shaken: Test for missing semicolon in Identity header.

• ThatTotallyRealMyth (1):

  • safe_asterisk: Add ownership checks for /etc/asterisk/startup.d and its files.

Commit List:

• safe_asterisk: Add ownership checks for /etc/asterisk/startup.d and its files.
• res_stir_shaken: Test for missing semicolon in Identity header.

Commit Details:

safe_asterisk: Add ownership checks for /etc/asterisk/startup.d and its files.

Author: ThatTotallyRealMyth
Date: 2025-06-10

UpgradeNote: The safe_asterisk script now checks that, if it was run by the
root user, the /etc/asterisk/startup.d directory and all the files it contains
are owned by root. If the checks fail, safe_asterisk will exit with an error
and Asterisk will not be started. Additionally, the default logging
destination is now stderr instead of tty "9" which probably won't exist
in modern systems.

Resolves: #GHSA-v9q8-9j8m-5xwp

res_stir_shaken: Test for missing semicolon in Identity header.

Author: George Joseph
Date: 2025-07-31

ast_stir_shaken_vs_verify() now makes sure there's a semicolon in
the Identity header to prevent a possible segfault.

Resolves: #GHSA-mrq5-74j5-f5cr

The Asterisk Development Team would like to announce security release
Asterisk 21.10.1.

The release artifacts are available for immediate download at
https://github.com/asterisk/asterisk/releases/tag/21.10.1
and
https://downloads.asterisk.org/pub/telephony/asterisk

Repository: https://github.com/asterisk/asterisk
Tag: 21.10.1

Change Log for Release asterisk-21.10.1

Links:

• Full ChangeLog
• GitHub Diff
• Tarball
• Downloads

Summary:

• Commits: 2
• Commit Authors: 2
• Issues Resolved: 0
• Security Advisories Resolved: 2
  • GHSA-mrq5-74j5-f5cr: Remote DoS and possible RCE in asterisk/res/res_stir_shaken/verification.c
  • GHSA-v9q8-9j8m-5xwp: Uncontrolled Search-Path Element in safe_asterisk script may allow local privilege escalation.

User Notes:

Upgrade Notes:

• safe_asterisk: Add ownership checks for /etc/asterisk/startup.d and its files.

  The safe_asterisk script now checks that, if it was run by the
  root user, the /etc/asterisk/startup.d directory and all the files it contains
  are owned by root. If the checks fail, safe_asterisk will exit with an error
  and Asterisk will not be started. Additionally, the default logging
  destination is now stderr instead of tty "9" which probably won't exist
  in modern systems.

Developer Notes:

Commit Authors:

• George Joseph: (1)
• ThatTotallyRealMyth: (1)

Issue and Commit Detail:

Closed Issues:

• !GHSA-mrq5-74j5-f5cr: Remote DoS and possible RCE in asterisk/res/res_stir_shaken/verification.c
• !GHSA-v9q8-9j8m-5xwp: Uncontrolled Search-Path Element in safe_asterisk script may allow local privilege escalation.

Commits By Author:

• George Joseph (1):

  • res_stir_shaken: Test for missing semicolon in Identity header.

• ThatTotallyRealMyth (1):

  • safe_asterisk: Add ownership checks for /etc/asterisk/startup.d and its files.

Commit List:

• safe_asterisk: Add ownership checks for /etc/asterisk/startup.d and its files.
• res_stir_shaken: Test for missing semicolon in Identity header.

Commit Details:

safe_asterisk: Add ownership checks for /etc/asterisk/startup.d and its files.

Author: ThatTotallyRealMyth
Date: 2025-06-10

UpgradeNote: The safe_asterisk script now checks that, if it was run by the
root user, the /etc/asterisk/startup.d directory and all the files it contains
are owned by root. If the checks fail, safe_asterisk will exit with an error
and Asterisk will not be started. Additionally, the default logging
destination is now stderr instead of tty "9" which probably won't exist
in modern systems.

Resolves: #GHSA-v9q8-9j8m-5xwp

res_stir_shaken: Test for missing semicolon in Identity header.

Author: George Joseph
Date: 2025-07-31

ast_stir_shaken_vs_verify() now makes sure there's a semicolon in
the Identity header to prevent a possible segfault.

Resolves: #GHSA-mrq5-74j5-f5cr

The Asterisk Development Team would like to announce security release
Asterisk 20.15.1.

The release artifacts are available for immediate download at
https://github.com/asterisk/asterisk/releases/tag/20.15.1
and
https://downloads.asterisk.org/pub/telephony/asterisk

Repository: https://github.com/asterisk/asterisk
Tag: 20.15.1

Change Log for Release asterisk-20.15.1

Links:

• Full ChangeLog
• GitHub Diff
• Tarball
• Downloads

Summary:

• Commits: 2
• Commit Authors: 2
• Issues Resolved: 0
• Security Advisories Resolved: 2
  • GHSA-mrq5-74j5-f5cr: Remote DoS and possible RCE in asterisk/res/res_stir_shaken/verification.c
  • GHSA-v9q8-9j8m-5xwp: Uncontrolled Search-Path Element in safe_asterisk script may allow local privilege escalation.

User Notes:

Upgrade Notes:

• safe_asterisk: Add ownership checks for /etc/asterisk/startup.d and its files.

  The safe_asterisk script now checks that, if it was run by the
  root user, the /etc/asterisk/startup.d directory and all the files it contains
  are owned by root. If the checks fail, safe_asterisk will exit with an error
  and Asterisk will not be started. Additionally, the default logging
  destination is now stderr instead of tty "9" which probably won't exist
  in modern systems.

Developer Notes:

Commit Authors:

• George Joseph: (1)
• ThatTotallyRealMyth: (1)

Issue and Commit Detail:

Closed Issues:

• !GHSA-mrq5-74j5-f5cr: Remote DoS and possible RCE in asterisk/res/res_stir_shaken/verification.c
• !GHSA-v9q8-9j8m-5xwp: Uncontrolled Search-Path Element in safe_asterisk script may allow local privilege escalation.

Commits By Author:

• George Joseph (1):

  • res_stir_shaken: Test for missing semicolon in Identity header.

• ThatTotallyRealMyth (1):

  • safe_asterisk: Add ownership checks for /etc/asterisk/startup.d and its files.

Commit List:

• safe_asterisk: Add ownership checks for /etc/asterisk/startup.d and its files.
• res_stir_shaken: Test for missing semicolon in Identity header.

Commit Details:

safe_asterisk: Add ownership checks for /etc/asterisk/startup.d and its files.

Author: ThatTotallyRealMyth
Date: 2025-06-10

UpgradeNote: The safe_asterisk script now checks that, if it was run by the
root user, the /etc/asterisk/startup.d directory and all the files it contains
are owned by root. If the checks fail, safe_asterisk will exit with an error
and Asterisk will not be started. Additionally, the default logging
destination is now stderr instead of tty "9" which probably won't exist
in modern systems.

Resolves: #GHSA-v9q8-9j8m-5xwp

res_stir_shaken: Test for missing semicolon in Identity header.

Author: George Joseph
Date: 2025-07-31

ast_stir_shaken_vs_verify() now makes sure there's a semicolon in
the Identity header to prevent a possible segfault.

Resolves: #GHSA-mrq5-74j5-f5cr

The Asterisk Development Team would like to announce security release
Certified Asterisk 18.9-cert16.

The release artifacts are available for immediate download at
https://github.com/asterisk/asterisk/releases/tag/certified-18.9-cert16
and
https://downloads.asterisk.org/pub/telephony/certified-asterisk

Repository: https://github.com/asterisk/asterisk
Tag: certified-18.9-cert16

Change Log for Release asterisk-certified-18.9-cert16

Links:

• Full ChangeLog
• GitHub Diff
• Tarball
• Downloads

Summary:

• Commits: 1
• Commit Authors: 1
• Issues Resolved: 0
• Security Advisories Resolved: 1
  • GHSA-v9q8-9j8m-5xwp: Uncontrolled Search-Path Element in safe_asterisk script may allow local privilege escalation.

User Notes:

Upgrade Notes:

• safe_asterisk: Add ownership checks for /etc/asterisk/startup.d and its files.

  The safe_asterisk script now checks that, if it was run by the
  root user, the /etc/asterisk/startup.d directory and all the files it contains
  are owned by root. If the checks fail, safe_asterisk will exit with an error
  and Asterisk will not be started. Additionally, the default logging
  destination is now stderr instead of tty "9" which probably won't exist
  in modern systems.

Developer Notes:

Commit Authors:

• ThatTotallyRealMyth: (1)

Issue and Commit Detail:

Closed Issues:

• !GHSA-v9q8-9j8m-5xwp: Uncontrolled Search-Path Element in safe_asterisk script may allow local privilege escalation.

Commits By Author:

• ThatTotallyRealMyth (1):

  • safe_asterisk: Add ownership checks for /etc/asterisk/startup.d and its files.

Commit List:

• safe_asterisk: Add ownership checks for /etc/asterisk/startup.d and its files.

Commit Details:

safe_asterisk: Add ownership checks for /etc/asterisk/startup.d and its files.

Author: ThatTotallyRealMyth
Date: 2025-06-10

UpgradeNote: The safe_asterisk script now checks that, if it was run by the
root user, the /etc/asterisk/startup.d directory and all the files it contains
are owned by root. If the checks fail, safe_asterisk will exit with an error
and Asterisk will not be started. Additionally, the default logging
destination is now stderr instead of tty "9" which probably won't exist
in modern systems.

Resolves: #GHSA-v9q8-9j8m-5xwp

The Asterisk Development Team would like to announce security release
Asterisk 18.26.3.

The release artifacts are available for immediate download at
https://github.com/asterisk/asterisk/releases/tag/18.26.3
and
https://downloads.asterisk.org/pub/telephony/asterisk

Repository: https://github.com/asterisk/asterisk
Tag: 18.26.3

Change Log for Release asterisk-18.26.3

Links:

• Full ChangeLog
• GitHub Diff
• Tarball
• Downloads

Summary:

• Commits: 2
• Commit Authors: 2
• Issues Resolved: 0
• Security Advisories Resolved: 2
  • GHSA-mrq5-74j5-f5cr: Remote DoS and possible RCE in asterisk/res/res_stir_shaken/verification.c
  • GHSA-v9q8-9j8m-5xwp: Uncontrolled Search-Path Element in safe_asterisk script may allow local privilege escalation.

User Notes:

Upgrade Notes:

• safe_asterisk: Add ownership checks for /etc/asterisk/startup.d and its files.

  The safe_asterisk script now checks that, if it was run by the
  root user, the /etc/asterisk/startup.d directory and all the files it contains
  are owned by root. If the checks fail, safe_asterisk will exit with an error
  and Asterisk will not be started. Additionally, the default logging
  destination is now stderr instead of tty "9" which probably won't exist
  in modern systems.

Developer Notes:

Commit Authors:

• George Joseph: (1)
• ThatTotallyRealMyth: (1)

Issue and Commit Detail:

Closed Issues:

• !GHSA-mrq5-74j5-f5cr: Remote DoS and possible RCE in asterisk/res/res_stir_shaken/verification.c
• !GHSA-v9q8-9j8m-5xwp: Uncontrolled Search-Path Element in safe_asterisk script may allow local privilege escalation.

Commits By Author:

• George Joseph (1):

  • res_stir_shaken: Test for missing semicolon in Identity header.

• ThatTotallyRealMyth (1):

  • safe_asterisk: Add ownership checks for /etc/asterisk/startup.d and its files.

Commit List:

• safe_asterisk: Add ownership checks for /etc/asterisk/startup.d and its files.
• res_stir_shaken: Test for missing semicolon in Identity header.

Commit Details:

safe_asterisk: Add ownership checks for /etc/asterisk/startup.d and its files.

Author: ThatTotallyRealMyth
Date: 2025-06-10

UpgradeNote: The safe_asterisk script now checks that, if it was run by the
root user, the /etc/asterisk/startup.d directory and all the files it contains
are owned by root. If the checks fail, safe_asterisk will exit with an error
and Asterisk will not be started. Additionally, the default logging
destination is now stderr instead of tty "9" which probably won't exist
in modern systems.

Resolves: #GHSA-v9q8-9j8m-5xwp

res_stir_shaken: Test for missing semicolon in Identity header.

Author: George Joseph
Date: 2025-07-31

ast_stir_shaken_vs_verify() now makes sure there's a semicolon in
the Identity header to prevent a possible segfault.

Resolves: #GHSA-mrq5-74j5-f5cr

The Asterisk Development Team would like to announce
the release of asterisk-22.5.0.

The release artifacts are available for immediate download at
https://github.com/asterisk/asterisk/releases/tag/22.5.0
and
https://downloads.asterisk.org/pub/telephony/asterisk

Repository: https://github.com/asterisk/asterisk
Tag: 22.5.0

This release resolves issues reported by the community
and would have not been possible without your participation.

Thank You!

Change Log for Release asterisk-22.5.0

Links:

• Full ChangeLog
• GitHub Diff
• Tarball
• Downloads

Summary:

• Commits: 29
• Commit Authors: 14
• Issues Resolved: 19
• Security Advisories Resolved: 1
  • GHSA-c7p6-7mvq-8jq2: cli_permissions.conf: deny option does not work for disallowing shell commands

User Notes:

• res_stir_shaken.so: Handle X5U certificate chains.

  The STIR/SHAKEN verification process will now load a full
  certificate chain retrieved via the X5U URL instead of loading only
  the end user cert.

• res_stir_shaken: Add "ignore_sip_date_header" config option.

  A new STIR/SHAKEN verification option "ignore_sip_date_header" has
  been added that when set to true, will cause the verification process to
  not consider a missing or invalid SIP "Date" header to be a failure. This
  will make the IAT the sole "truth" for Date in the verification process.
  The option can be set in the "verification" and "profile" sections of
  stir_shaken.conf.
  Also fixed a bug in the port match logic.
  Resolves: #1251
  Resolves: #1271

• app_record: Add RECORDING_INFO function.

  The RECORDING_INFO function can now be used
  to retrieve the duration of a recording.

• app_queue: queue rules – Add support for QUEUE_RAISE_PENALTY=rN to raise penal..

  This change introduces QUEUE_RAISE_PENALTY=rN, allowing selective penalty raises
  only for members whose current penalty is within the [min_penalty, max_penalty] range.
  Members with lower or higher penalties are unaffected.
  This behavior is backward-compatible with existing queue rule configurations.

• res_odbc: cache_size option to limit the cached connections.

  New cache_size option for res_odbc to on a per class basis limit the
  number of cached connections. Please reference the sample configuration
  for details.

• res_odbc: cache_type option for res_odbc.

  When using res_odbc it should be noted that back-end
  connections to the underlying database can now be configured to re-use
  the cached connections in a round-robin manner rather than repeatedly
  re-using the same connection. This helps to keep connections alive, and
  to purge dead connections from the system, thus more dynamically
  adjusting to actual load. The downside is that one could keep too many
  connections active for a longer time resulting in resource also begin
  consumed on the database side.

• ARI Outbound Websockets

  Asterisk can now establish websocket sessions to your ARI applications
  as well as accepting websocket sessions from them.
  Full details: http://s.asterisk.net/ari-outbound-ws

• res_websocket_client: Create common utilities for websocket clients.

  A new module "res_websocket_client" and config file
  "websocket_client.conf" have been added to support several upcoming new
  capabilities that need common websocket client configuration.

• asterisk.c: Add option to restrict shell access from remote consoles.

  A new asterisk.conf option 'disable_remote_console_shell' has
  been added that, when set, will prevent remote consoles from executing
  shell commands using the '!' prefix.
  Resolves: #GHSA-c7p6-7mvq-8jq2

• sig_analog: Add Call Waiting Deluxe support.

  Call Waiting Deluxe can now be enabled for FXS channels
  by enabling its corresponding option.

Upgrade Notes:

• jansson: Upgrade version to jansson 2.14.1

  jansson has been upgraded to 2.14.1. For more
  information visit jansson Github page: https://github.com/akheron/jansson/releases/tag/v2.14.1
  Resolves: #1178

• Alternate Channel Storage Backends

  With this release, you can now select an alternate channel
  storage backend based on C++ Maps. Using the new backend may increase
  performance and reduce the chances of deadlocks on heavily loaded systems.
  For more information, see http://s.asterisk.net/dc679ec3

Commit Authors:

• George Joseph: (10)
• Itzanh: (1)
• Jaco Kroon: (2)
• Joe Searle: (1)
• Michal Hajek: (1)
• Mike Bradeen: (2)
• Mkmer: (1)
• Nathan Monfils: (1)
• Naveen Albert: (3)
• Phoneben: (1)
• Sean Bright: (2)
• Stanislav Abramenkov: (1)
• Sven Kube: (2)
• Thomas B. Clark: (1)

The Asterisk Development Team would like to announce
the release of asterisk-21.10.0.

The release artifacts are available for immediate download at
https://github.com/asterisk/asterisk/releases/tag/21.10.0
and
https://downloads.asterisk.org/pub/telephony/asterisk

Repository: https://github.com/asterisk/asterisk
Tag: 21.10.0

This release resolves issues reported by the community
and would have not been possible without your participation.

Thank You!

Change Log for Release asterisk-21.10.0

Links:

• Full ChangeLog
• GitHub Diff
• Tarball
• Downloads

Summary:

• Commits: 29
• Commit Authors: 14
• Issues Resolved: 19
• Security Advisories Resolved: 1
  • GHSA-c7p6-7mvq-8jq2: cli_permissions.conf: deny option does not work for disallowing shell commands

User Notes:

• res_stir_shaken.so: Handle X5U certificate chains.

  The STIR/SHAKEN verification process will now load a full
  certificate chain retrieved via the X5U URL instead of loading only
  the end user cert.

• res_stir_shaken: Add "ignore_sip_date_header" config option.

  A new STIR/SHAKEN verification option "ignore_sip_date_header" has
  been added that when set to true, will cause the verification process to
  not consider a missing or invalid SIP "Date" header to be a failure. This
  will make the IAT the sole "truth" for Date in the verification process.
  The option can be set in the "verification" and "profile" sections of
  stir_shaken.conf.
  Also fixed a bug in the port match logic.
  Resolves: #1251
  Resolves: #1271

• app_record: Add RECORDING_INFO function.

  The RECORDING_INFO function can now be used
  to retrieve the duration of a recording.

• app_queue: queue rules – Add support for QUEUE_RAISE_PENALTY=rN to raise penal..

  This change introduces QUEUE_RAISE_PENALTY=rN, allowing selective penalty raises
  only for members whose current penalty is within the [min_penalty, max_penalty] range.
  Members with lower or higher penalties are unaffected.
  This behavior is backward-compatible with existing queue rule configurations.

• res_odbc: cache_size option to limit the cached connections.

  New cache_size option for res_odbc to on a per class basis limit the
  number of cached connections. Please reference the sample configuration
  for details.

• res_odbc: cache_type option for res_odbc.

  When using res_odbc it should be noted that back-end
  connections to the underlying database can now be configured to re-use
  the cached connections in a round-robin manner rather than repeatedly
  re-using the same connection. This helps to keep connections alive, and
  to purge dead connections from the system, thus more dynamically
  adjusting to actual load. The downside is that one could keep too many
  connections active for a longer time resulting in resource also begin
  consumed on the database side.

• ARI Outbound Websockets

  Asterisk can now establish websocket sessions to your ARI applications
  as well as accepting websocket sessions from them.
  Full details: http://s.asterisk.net/ari-outbound-ws

• res_websocket_client: Create common utilities for websocket clients.

  A new module "res_websocket_client" and config file
  "websocket_client.conf" have been added to support several upcoming new
  capabilities that need common websocket client configuration.

• asterisk.c: Add option to restrict shell access from remote consoles.

  A new asterisk.conf option 'disable_remote_console_shell' has
  been added that, when set, will prevent remote consoles from executing
  shell commands using the '!' prefix.
  Resolves: #GHSA-c7p6-7mvq-8jq2

• sig_analog: Add Call Waiting Deluxe support.

  Call Waiting Deluxe can now be enabled for FXS channels
  by enabling its corresponding option.

Upgrade Notes:

• jansson: Upgrade version to jansson 2.14.1

  jansson has been upgraded to 2.14.1. For more
  information visit jansson Github page: https://github.com/akheron/jansson/releases/tag/v2.14.1
  Resolves: #1178

• Alternate Channel Storage Backends

  With this release, you can now select an alternate channel
  storage backend based on C++ Maps. Using the new backend may increase
  performance and reduce the chances of deadlocks on heavily loaded systems.
  For more information, see http://s.asterisk.net/dc679ec3

Commit Authors:

• George Joseph: (10)
• Itzanh: (1)
• Jaco Kroon: (2)
• Joe Searle: (1)
• Michal Hajek: (1)
• Mike Bradeen: (2)
• Mkmer: (1)
• Nathan Monfils: (1)
• Naveen Albert: (3)
• Phoneben: (1)
• Sean Bright: (2)
• Stanislav Abramenkov: (1)
• Sven Kube: (2)
• Thomas B. Clark: (1)

The Asterisk Development Team would like to announce
the release of asterisk-20.15.0.

The release artifacts are available for immediate download at
https://github.com/asterisk/asterisk/releases/tag/20.15.0
and
https://downloads.asterisk.org/pub/telephony/asterisk

Repository: https://github.com/asterisk/asterisk
Tag: 20.15.0

This release resolves issues reported by the community
and would have not been possible without your participation.

Thank You!

Change Log for Release asterisk-20.15.0

Links:

• Full ChangeLog
• GitHub Diff
• Tarball
• Downloads

Summary:

• Commits: 29
• Commit Authors: 14
• Issues Resolved: 19
• Security Advisories Resolved: 1
  • GHSA-c7p6-7mvq-8jq2: cli_permissions.conf: deny option does not work for disallowing shell commands

User Notes:

• res_stir_shaken.so: Handle X5U certificate chains.

  The STIR/SHAKEN verification process will now load a full
  certificate chain retrieved via the X5U URL instead of loading only
  the end user cert.

• res_stir_shaken: Add "ignore_sip_date_header" config option.

  A new STIR/SHAKEN verification option "ignore_sip_date_header" has
  been added that when set to true, will cause the verification process to
  not consider a missing or invalid SIP "Date" header to be a failure. This
  will make the IAT the sole "truth" for Date in the verification process.
  The option can be set in the "verification" and "profile" sections of
  stir_shaken.conf.
  Also fixed a bug in the port match logic.
  Resolves: #1251
  Resolves: #1271

• app_record: Add RECORDING_INFO function.

  The RECORDING_INFO function can now be used
  to retrieve the duration of a recording.

• app_queue: queue rules – Add support for QUEUE_RAISE_PENALTY=rN to raise penal..

  This change introduces QUEUE_RAISE_PENALTY=rN, allowing selective penalty raises
  only for members whose current penalty is within the [min_penalty, max_penalty] range.
  Members with lower or higher penalties are unaffected.
  This behavior is backward-compatible with existing queue rule configurations.

• res_odbc: cache_size option to limit the cached connections.

  New cache_size option for res_odbc to on a per class basis limit the
  number of cached connections. Please reference the sample configuration
  for details.

• res_odbc: cache_type option for res_odbc.

  When using res_odbc it should be noted that back-end
  connections to the underlying database can now be configured to re-use
  the cached connections in a round-robin manner rather than repeatedly
  re-using the same connection. This helps to keep connections alive, and
  to purge dead connections from the system, thus more dynamically
  adjusting to actual load. The downside is that one could keep too many
  connections active for a longer time resulting in resource also begin
  consumed on the database side.

• ARI Outbound Websockets

  Asterisk can now establish websocket sessions to your ARI applications
  as well as accepting websocket sessions from them.
  Full details: http://s.asterisk.net/ari-outbound-ws

• res_websocket_client: Create common utilities for websocket clients.

  A new module "res_websocket_client" and config file
  "websocket_client.conf" have been added to support several upcoming new
  capabilities that need common websocket client configuration.

• asterisk.c: Add option to restrict shell access from remote consoles.

  A new asterisk.conf option 'disable_remote_console_shell' has
  been added that, when set, will prevent remote consoles from executing
  shell commands using the '!' prefix.
  Resolves: #GHSA-c7p6-7mvq-8jq2

• sig_analog: Add Call Waiting Deluxe support.

  Call Waiting Deluxe can now be enabled for FXS channels
  by enabling its corresponding option.

Upgrade Notes:

• jansson: Upgrade version to jansson 2.14.1

  jansson has been upgraded to 2.14.1. For more
  information visit jansson Github page: https://github.com/akheron/jansson/releases/tag/v2.14.1
  Resolves: #1178

• Alternate Channel Storage Backends

  With this release, you can now select an alternate channel
  storage backend based on C++ Maps. Using the new backend may increase
  performance and reduce the chances of deadlocks on heavily loaded systems.
  For more information, see http://s.asterisk.net/dc679ec3

Commit Authors:

• George Joseph: (10)
• Itzanh: (1)
• Jaco Kroon: (2)
• Joe Searle: (1)
• Michal Hajek: (1)
• Mike Bradeen: (2)
• Mkmer: (1)
• Nathan Monfils: (1)
• Naveen Albert: (3)
• Phoneben: (1)
• Sean Bright: (2)
• Stanislav Abramenkov: (1)
• Sven Kube: (2)
• Thomas B. Clark: (1)

The Asterisk Development Team would like to announce
the release of Certified asterisk-20.7-cert6.

The release artifacts are available for immediate download at
https://github.com/asterisk/asterisk/releases/tag/certified-20.7-cert6
and
https://downloads.asterisk.org/pub/telephony/certified-asterisk

Repository: https://github.com/asterisk/asterisk
Tag: certified-20.7-cert6

This release resolves issues reported by the community
and would have not been possible without your participation.

Thank You!

Change Log for Release asterisk-certified-20.7-cert6

Links:

• Full ChangeLog
• GitHub Diff
• Tarball
• Downloads

Summary:

• Commits: 31
• Commit Authors: 5
• Issues Resolved: 16
• Security Advisories Resolved: 0

User Notes:

• res_stir_shaken: Allow sending Identity headers for unknown TNs

  You can now set the "unknown_tn_attest_level" option
  in the attestation and/or profile objects in stir_shaken.conf to
  enable sending Identity headers for callerid TNs not explicitly
  configured.

• res_pjsip: Add new endpoint option "suppress_moh_on_sendonly"

  The new "suppress_moh_on_sendonly" endpoint option
  can be used to prevent playing MOH back to a caller if the remote
  end sends "sendonly" or "inactive" (hold) to Asterisk in an SDP.

• app_mixmonitor: Add 'D' option for dual-channel audio.

  The MixMonitor application now has a new 'D' option which
  interleaves the recorded audio in the output frames. This allows for
  stereo recording output with one channel being the transmitted audio and
  the other being the received audio. The 't' and 't' options are
  compatible with this.

• db.c: Remove limit on family/key length

  The ast_db_*() APIs have had the 253 byte limit on
  "/family/key" removed and will now accept families and keys with a
  total length of up to SQLITE_MAX_LENGTH (currently 1e9!). This
  affects the DB* dialplan applications, dialplan functions,
  manager actions and databse CLI commands. Since the
  media_cache also uses the ast_db_*() APIs, you can now store
  resources with URIs longer than 253 bytes.

Upgrade Notes:

Commit Authors:

• Ben Ford: (3)
• Chrsmj: (1)
• George Joseph: (22)
• Joshua C. Colp: (1)
• Sean Bright: (4)

The Asterisk Development Team would like to announce
the release of Certified asterisk-18.9-cert15.

The release artifacts are available for immediate download at
https://github.com/asterisk/asterisk/releases/tag/certified-18.9-cert15
and
https://downloads.asterisk.org/pub/telephony/certified-asterisk

Repository: https://github.com/asterisk/asterisk
Tag: certified-18.9-cert15

This release resolves issues reported by the community
and would have not been possible without your participation.

Thank You!

Change Log for Release asterisk-certified-18.9-cert15

Links:

• Full ChangeLog
• GitHub Diff
• Tarball
• Downloads

Summary:

• Commits: 25
• Commit Authors: 8
• Issues Resolved: 10
• Security Advisories Resolved: 0

User Notes:

• res_pjsip: Add new endpoint option "suppress_moh_on_sendonly"

  The new "suppress_moh_on_sendonly" endpoint option
  can be used to prevent playing MOH back to a caller if the remote
  end sends "sendonly" or "inactive" (hold) to Asterisk in an SDP.

• app_mixmonitor: Add 'D' option for dual-channel audio.

  The MixMonitor application now has a new 'D' option which
  interleaves the recorded audio in the output frames. This allows for
  stereo recording output with one channel being the transmitted audio and
  the other being the received audio. The 't' and 't' options are
  compatible with this.

Upgrade Notes:

Commit Authors:

• Ben Ford: (2)
• George Joseph: (12)
• Joshua C. Colp: (1)
• Marcel Wagner: (1)
• Mike Bradeen: (1)
• Naveen Albert: (1)
• Sean Bright: (6)
• Shyju Kanaprath: (1)