Debian 11: DLA-4206-1 critical: asterisk authentication issue
debian lts
June 2, 2025
Two security vulnerabilities have been discovered in Asterisk, an Open Source Private Branch Exchange
Topics Covered
Summary
CVE-2025-47779
SIP requests of the type MESSAGE (RFC 3428) authentication do not get
proper alignment. An authenticated attacker can spoof any user identity to
send spam messages to the user with their authorization token. Abuse of
this security issue allows authenticated attackers to send fake chat
messages that can be spoofed to appear to come from trusted entities.
CVE-2025-47780
Trying to disallow shell commands to be run via the Asterisk CLI by
configuring cli_permissions.conf (e.g. with the config line deny=!*) does
not work which could lead to a security risk.
A new asterisk.conf option 'disable_remote_console_shell' has been added
that, when set, will prevent remote consoles from executing shell commands
using the '!' prefix.
For Debian 11 bullseye, these problems have been fixed in version
1:16.28.0~dfsg-0+deb11u7.
We recommend that you upgrade your asterisk packages.
For the detailed security status of asterisk please refer to
PREVIOUS 
NEXT Severity
critical
Lowest
Low
Medium
High
Critical
Package: asterisk
Version: 1:16.28.0~dfsg-0+deb11u7
CVE ID: CVE-2025-47779 CVE-2025-47780
Debian Bug: 1106528 1106530
Topics Covered
Get the latest News and Insights
Get the latest Linux and open source security news straight to your inbox.
Powered By
Linux Security - Your source for Top Linux News, Advisories, HOWTOs and Feature Releases
QUICK LINKS
subscribe to newsletters!
Like staying secure? So do we.
Sign up for updates, tips, and alerts!