The Asterisk Development Team would like to announce security release
Certified Asterisk 20.7-cert4.
The release artifacts are available for immediate download at
https://github.com/asterisk/asterisk/releases/tag/certified-20.7-cert4
and
https://downloads.asterisk.org/pub/telephony/certified-asterisk
Repository: https://github.com/asterisk/asterisk
Tag: certified-20.7-cert4
Change Log for Release asterisk-certified-20.7-cert4
Links:
Summary:
- Commits: 1
- Commit Authors: 1
- Issues Resolved: 0
- Security Advisories Resolved: 1
- GHSA-33x6-fj46-6rfh: Path traversal via AMI ListCategories allows access to outside files
User Notes:
-
manager.c: Restrict ListCategories to the configuration directory.
The ListCategories AMI action now restricts files to the
configured configuration directory.
Upgrade Notes:
Commit Authors:
- Ben Ford: (1)
Issue and Commit Detail:
Closed Issues:
- !GHSA-33x6-fj46-6rfh: Path traversal via AMI ListCategories allows access to outside files
Commits By Author:
-
Ben Ford (1):
- manager.c: Restrict ListCategories to the configuration directory.
Commit List:
- manager.c: Restrict ListCategories to the configuration directory.
Commit Details:
manager.c: Restrict ListCategories to the configuration directory.
Author: Ben Ford
Date: 2024-12-17
When using the ListCategories AMI action, it was possible to traverse
upwards through the directories to files outside of the configured
configuration directory. This action is now restricted to the configured
directory and an error will now be returned if the specified file is
outside of this limitation.
Resolves: #GHSA-33x6-fj46-6rfh
UserNote: The ListCategories AMI action now restricts files to the
configured configuration directory.