ELA-1319-1 asterisk security update

path traversal vulnerability

2025-02-12
Package: asterisk
Version: 1:13.14.1~dfsg-2+deb9u11 (stretch), 1:16.28.0~dfsg-0+deb10u6 (buster)
Related CVEs: CVE-2024-53566


A vulnerability was discovered in asterisk, an Open Source Private Branch Exchange.

CVE-2024-53566

It is possible to access files outside the configuration directory via AMI
and path traversal even when live_dangerously is not enabled.


For Debian 10 buster, this problem has been fixed in version 1:16.28.0~dfsg-0+deb10u6.

For Debian 9 stretch, this problem has been fixed in version 1:13.14.1~dfsg-2+deb9u11.

We recommend that you upgrade your asterisk packages.

Further information about Extended LTS security advisories can be found in the dedicated section of our website.