Debian Security Advisory

DLA-1122-1 asterisk -- LTS security update

Date Reported:
05 Oct 2017
Affected Packages:
Security database references:
In the Debian bugtracking system: Bug 873908.
In Mitre's CVE dictionary: CVE-2017-14100.
More information:

A security vulnerability was discovered in Asterisk, an Open Source PBX and telephony toolkit, that may lead to unauthorized command execution.

The app_minivm module has an externnotify program configuration option that is executed by the MinivmNotify dialplan application. The application uses the caller-id name and number as part of a built string passed to the OS shell for interpretation and execution. Since the caller-id name and number can come from an untrusted source, a crafted caller-id name or number allows an arbitrary shell command injection.

For Debian 7 Wheezy, these problems have been fixed in version 1:

We recommend that you upgrade your asterisk packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: