The MariaDB Foundation is pleased to announce the availability of MariaDB 11.8.6, MariaDB 11.4.10, MariaDB 10.11.16 and MariaDB 10.6.25, the latest stable releases in their respective long-term series (receiving regular maintenance and support for three years from their first stable release dates, and critical security fixes as source code releases for two additional years beyond). …

Continue reading \"MariaDB 11.8.6, 11.4.10, 10.11.16 and 10.6.25 now available\"

The post MariaDB 11.8.6, 11.4.10, 10.11.16 and 10.6.25 now available appeared first on MariaDB.org.

[0.15.4] - 2026-01-19

If you are upgrading from v0.14.x and below, this version includes multiple breaking changes. Please read the upgrading documentation for more information on how to upgrade from previous versions.
If you are upgrading from v0.15.x, replace the binary and update the webadmin.

Added

• IMAP: Map HEADER SUBJECT/FROM/TO searches to SUBJECT/FROM/TO queries.
• Sieve: Update spam status on user scripts.

Changed

Fixed

• Search: Return all document ids when no filters are provided.
• Search: Filters not applied when a single message is in the account.
• IMAP: Return ALREADYEXISTS code when creating existing mailboxes.
• IMAP: Do not return quota resources if no quota is set.
• JMAP/changes: Update newState with last changeId if an invalid fromChangeId is provided.
• JMAP/CalendarIdentity: Do not update invalid calendar identities.
• AI API: Include request error details if available.

---

Check binary attestation at here

[0.15.3] - 2025-12-29

If you are upgrading from v0.14.x and below, this version includes multiple breaking changes. Please read the upgrading documentation for more information on how to upgrade from previous versions.
If you are upgrading from v0.15.x, replace the binary and update the webadmin.

Added

• Polish locale support (contributed by @mrxkp) (#2480)

Changed

Fixed

• Meilisearch: Return correct error messages when failing to create indexes (#2574)
• PostgreSQL search: Truncate emails to 650kb for full-text search indexing.
• FoundationDB search: Batch large transactions (#2567).
• Spam filter: Fix training sample size checks
• IMAP: Fix UTF7 encoding with Emojis (contributed by @dojiong) (#2564).

---

Check binary attestation at here

[0.15.2] - 2025-12-22

If you are upgrading from v0.14.x and below, this version includes multiple breaking changes. Please read the upgrading documentation for more information on how to upgrade from previous versions.
If you are upgrading from v0.15.x, replace the binary and update the webadmin.

Added

• OAuth: Add device authorization endpoint (#2225).

Changed

• Antispam: Only auto-learn spam from traps or multiple RBL hits.

Fixed

• mySQL search: Use MEDIUMTEXT field type for email body and attachments (#2544).
• PostgreSQL search: Truncate large text fields.
• ElasticSearch: Implement pagination (#2551).
• Antispam: Fix NO_SPACE_IN_FROM spam tag detection logic (#2372).
• IMAP: Fix shared folder double nesting (test suite credits to @ochnygosch) (#2358).
• JMAP: Use latest Received header in JMAP Email/import (credits to @apexskier) (#2374).
• JMAP: Return unsorted search results when the index is not ready (#2544).
• LDAP: Lowercase attribute comparison (credits to @pdf) (#2363).
• CLI: Fix same-host JMAP redirection on non-standard ports (#2271).

---

Check binary attestation at here

[0.15.1] - 2025-12-17

This version includes multiple breaking changes. Please read the upgrading documentation for more information on how to upgrade from previous versions.

Added

Changed

Fixed

• PostgreSQL: Sanitize search index values (#2533)
• Elasticsearch: Ignore resource_already_exists_exception errors when creating indexes (#2535)
• Migrate 0.13.x data (#2534)

---

Check binary attestation at here

[0.15.0] - 2025-12-16

This version includes multiple breaking changes. Please read the upgrading documentation for more information on how to upgrade from previous versions.

Added

• Linear spam classifier using FTRL-Proximal and feature/cuckoo hashing.
• Meilisearch store backend implementation (#1482).
• PostgreSQL and mySQL native full-text search support.
• Multiple performance improvements and database access optimizations.
• Encryption-at-rest: Spam training privacy setting.
• Enterprise: Undelete e-mail feature now includes From/Subject/Received information.
• IMAP: Implemented new keywords and mailbox attributes described in draft-ietf-mailmaint-messageflag-mailboxattribute-13

Changed

• IMAP: Always return special use flags in responses.

Fixed

• JMAP: FileNode/set fails to delete files (#2485).
• JMAP: Return error when using blobId in JSContact and JSCalendar (#2431).
• Directory: Deletion of list or domain issues (#2415).
• MTA: Headers and body stripped from mail delivery subsystem failure notifications (#2344).
• MTA: Hooks only run if sieve script, milter or rewrite is configured (#2317).
• Autodiscover: Endpoint should be case insensitive (#2440).
• Housekeeper: Panic during DST transition (#2366).
• Import/Export: Fix import/export utility (#1882).
• Enterprise: Remove tenant admin permissions when license is invalid.

---

Check binary attestation at here

[0.14.1] - 2025-10-28

If you are upgrading from v0.13.4 and below, this version includes breaking changes to the internal directory, calendar and contacts. Please read the upgrading documentation for more information on how to upgrade from previous versions.

Added

• Autoconfig for CalDAV, CardDAV and WebDAV (#1937)

Changed

• HTTP: Remove HTTP STS preload directive.

Fixed

• Directory: Keep OTP Auth and AppPasswords unless the remote directory provides new ones (#2319)
• JMAP: Fix ContactCard/set and CalendarEvent/set destroy methods (#2308).

---

Check binary attestation at here

[0.14.0] - 2025-10-22

If you are upgrading from v0.13.4 and below, this version includes breaking changes to the internal directory, calendar and contacts. Please read the upgrading documentation for more information on how to upgrade from previous versions.

Added

• JMAP for Calendars (draft-ietf-jmap-calendars).
• JMAP for Contacts (RFC 9610).
• JMAP for File Storage (draft-ietf-jmap-filenode).
• JMAP Sharing (RFC 9670)
• CalDAV: support for supported-calendar-component-set (#1893)
• i18n: Greek language support (contributed by @infl00p)
• i18n: Swedish language support (contributed by @purung)

Changed

• Breaking Database Changes (migrated automatically on first start):
  • Internal directory schema changed.
  • Calendar and Contacts storage schema changed.
  • Sieve scripts storage schema changed.
  • Push Subscriptions storage schema changed.
• Replaced sieve.untrusted.limits.max-scripts and jmap.push.max-total with object-quota.* settings.
• Cluster node roles now allow sharding.

Fixed

• Push Subscription: Clean-up of expired subscriptions and cluster notification of changes (#1248)
• CalDAV: Per-user CalDAV properties (#2058)

---

Check binary attestation at here

[0.13.4] - 2025-09-30

If you are upgrading from v0.11.x or v0.12.x, this version includes breaking changes to the message queue and MTA configuration. Please read the UPGRADING.md file for more information on how to upgrade from previous versions.

Added

Changed

• JMAP: Protocol layer rewrite for zero-copy deserialization and architectural improvements.

Fixed

• IMAP: Unbounded memory allocation in request parser (CVE-2025-61600 ).
• IMAP: Wrong permission checked for GETACL.
• JMAP: References to previous method fail when there are no results (#1507).
• JMAP: Enforce quota checks on Blob/copy.
• JMAP: Mailbox/get fails without accountId argument (#1936).
• JMAP: Do not return invalidProperties when email update doesn't contain changes (#1139)
• iTIP: Include date properties in REPLY (#2102).
• OIDC: Do not set username field if it is the same as the email field.
• Telemetry: Fix calculateMetrics housekeeper task (#2155).
• Directory: Always use rsplit to extract the domain part from email addresses.

---

Check binary attestation at here

[0.13.3] - 2025-09-10

If you are upgrading from v0.11.x or v0.12.x, this version includes breaking changes to the message queue and MTA configuration. Please read the UPGRADING.md file for more information on how to upgrade from previous versions.

Added

• CLI: Health checks (contributed by @Codekloeppler)

Changed

• WebDAV: Assisted discovery v2

Fixed

• iTIP: Do not send a REPLY when deleting an event that was not accepted.
• iTIP: Include event details in REPLY messages (#2102).
• iTIP: Add organizer to iMIP replies if missing to deal with MS Exchange 2010 bug.
• OIDC: Do not overwrite locally defined aliases (#2065).
• HTTP: Scan ban should only be triggered by HTTP parse errors.
• HTTP: Skip scanner fail2ban checks when the proxy client IP can't be parsed (#2121).
• JMAP: Do not allow roles to be removed from system mailboxes (#1977).
• JMAP WS: Fix panic when using invalid server url.
• SMTP: Do no send EHLO twice when STARTTLS is unavailable (#2050).
• IMAP: Allow ENABLE UTF8 in IMAPrev1.
• IMAP: Include administer permission in ACL responses.
• IMAP: Add owner rights to ACL get responses.
• IMAP: Do not auto-train Bayes when moving messages from Junk to Trash.
• IMAP/ManageSieve: Increase maximum quoted argument size (#2039).
• CalDAV: Limit recurrence expansions in calendar reports (CVE-2025-59045).
• WebDAV: Do not fix percent encoding on WebDAV FS (#2036).

---

Check binary attestation at here

[0.13.2] - 2025-07-28

If you are upgrading from v0.11.x or v0.12.x, this version includes breaking changes to the message queue and MTA configuration. Please read the UPGRADING.md file for more information on how to upgrade from previous versions.

Added

• ACME: DeSEC cloud DNS provider support (contributed by @Tyr3al).
• ACME: OVH cloud DNS provider support (contributed by @srachner).
• CalDAV Scheduling: Catalan language support (contributed by @jolupa) (#1873).
• MTA: Allow to send e-mails as group, while member of that group (#485).
• OIDC: Allow local access tokens to be used with third-party OIDC backends (#1311 stalwartlabs/webadmin#52).

Changed

• IMAP: Return OK when moving/copying non-existent messages (#670).
• IMAP: Copy flags when copying/moving messages between accounts.

Fixed

• MTA: Do not convert e-mail local parts to lowercase (#1916).
• Sieve: fileinto should override spam filter (#1917).
• JMAP: Incorrect accountId used in email set and import methods (#1777).
• WebDAV: Always return MULTISTATUS when calendar-query yields no results.
• LDAP: Only set account name if not returned in LDAP query (#1471).
• Enterprise: Invalidate logo cache when changes are made (#1856).
• Enterprise: Fix tenant quota update API.

---

Check binary attestation at here

The Asterisk Development Team would like to announce security release
Asterisk 23.2.2.

The release artifacts are available for immediate download at
https://github.com/asterisk/asterisk/releases/tag/23.2.2
and
https://downloads.asterisk.org/pub/telephony/asterisk

Repository: https://github.com/asterisk/asterisk
Tag: 23.2.2

Change Log for Release asterisk-23.2.2

Links:

• Full ChangeLog
• GitHub Diff
• Tarball
• Downloads

Summary:

• Commits: 4
• Commit Authors: 2
• Issues Resolved: 0
• Security Advisories Resolved: 4
  • GHSA-85x7-54wr-vh42: Asterisk xml.c uses unsafe XML_PARSE_NOENT leading to potential XXE Injection
  • GHSA-rvch-3jmx-3jf3: ast_coredumper running as root sources ast_debug_tools.conf from /etc/asterisk; potentially leading to privilege escalation
  • GHSA-v6hp-wh3r-cwxh: The Asterisk embedded web server's /httpstatus page echos user supplied values(cookie and query string) without sanitization
  • GHSA-xpc6-x892-v83c: ast_coredumper runs as root, and writes gdb init file to world writeable folder; leading to potential privilege escalation

User Notes:

• ast_coredumper: check ast_debug_tools.conf permissions

  ast_debug_tools.conf must be owned by root and not be
  writable by other users or groups to be used by ast_coredumper or
  by ast_logescalator or ast_loggrabber when run as root.

Upgrade Notes:

• http.c: Change httpstatus to default disabled and sanitize output.

  To prevent possible security issues, the /httpstatus page
  served by the internal web server is now disabled by default. To explicitly
  enable it, set enable_status=yes in http.conf.

Developer Notes:

Commit Authors:

• George Joseph: (2)
• Mike Bradeen: (2)

Issue and Commit Detail:

Closed Issues:

• !GHSA-85x7-54wr-vh42: Asterisk xml.c uses unsafe XML_PARSE_NOENT leading to potential XXE Injection
• !GHSA-rvch-3jmx-3jf3: ast_coredumper running as root sources ast_debug_tools.conf from /etc/asterisk; potentially leading to privilege escalation
• !GHSA-v6hp-wh3r-cwxh: The Asterisk embedded web server's /httpstatus page echos user supplied values(cookie and query string) without sanitization
• !GHSA-xpc6-x892-v83c: ast_coredumper runs as root, and writes gdb init file to world writeable folder; leading to potential privilege escalation

Commits By Author:

• George Joseph (2):

• Mike Bradeen (2):

Commit List:

• xml.c: Replace XML_PARSE_NOENT with XML_PARSE_NONET for xmlReadFile.
• ast_coredumper: check ast_debug_tools.conf permissions
• http.c: Change httpstatus to default disabled and sanitize output.
• ast_coredumper: create gdbinit file with restrictive permissions

Commit Details:

xml.c: Replace XML_PARSE_NOENT with XML_PARSE_NONET for xmlReadFile.

Author: George Joseph
Date: 2026-01-15

The xmlReadFile XML_PARSE_NOENT flag, which allows parsing of external
entities, could allow a potential XXE injection attack. Replacing it with
XML_PARSE_NONET, which prevents network access, is safer.

Resolves: #GHSA-85x7-54wr-vh42

ast_coredumper: check ast_debug_tools.conf permissions

Author: Mike Bradeen
Date: 2026-01-15

Prevent ast_coredumper from using ast_debug_tools.conf files that are
not owned by root or are writable by other users or groups.

Prevent ast_logescalator and ast_loggrabber from doing the same if
they are run as root.

Resolves: #GHSA-rvch-3jmx-3jf3

UserNote: ast_debug_tools.conf must be owned by root and not be
writable by other users or groups to be used by ast_coredumper or
by ast_logescalator or ast_loggrabber when run as root.

http.c: Change httpstatus to default disabled and sanitize output.

Author: George Joseph
Date: 2026-01-15

To address potential security issues, the httpstatus page is now disabled
by default and the echoed query string and cookie output is html-escaped.

Resolves: #GHSA-v6hp-wh3r-cwxh

UpgradeNote: To prevent possible security issues, the /httpstatus page
served by the internal web server is now disabled by default. To explicitly
enable it, set enable_status=yes in http.conf.

ast_coredumper: create gdbinit file with restrictive permissions

Author: Mike Bradeen
Date: 2026-01-15

Modify gdbinit to use the install command with explicit permissions (-m 600)
when creating the .ast_coredumper.gdbinit file. This ensures the file is
created with restricted permissions (readable/writable only by the owner)
to avoid potential privilege escalation.

Resolves: #GHSA-xpc6-x892-v83c

The Asterisk Development Team would like to announce security release
Asterisk 21.12.1.

The release artifacts are available for immediate download at
https://github.com/asterisk/asterisk/releases/tag/21.12.1
and
https://downloads.asterisk.org/pub/telephony/asterisk

Repository: https://github.com/asterisk/asterisk
Tag: 21.12.1

Change Log for Release asterisk-21.12.1

Links:

• Full ChangeLog
• GitHub Diff
• Tarball
• Downloads

Summary:

• Commits: 4
• Commit Authors: 2
• Issues Resolved: 0
• Security Advisories Resolved: 4
  • GHSA-85x7-54wr-vh42: Asterisk xml.c uses unsafe XML_PARSE_NOENT leading to potential XXE Injection
  • GHSA-rvch-3jmx-3jf3: ast_coredumper running as root sources ast_debug_tools.conf from /etc/asterisk; potentially leading to privilege escalation
  • GHSA-v6hp-wh3r-cwxh: The Asterisk embedded web server's /httpstatus page echos user supplied values(cookie and query string) without sanitization
  • GHSA-xpc6-x892-v83c: ast_coredumper runs as root, and writes gdb init file to world writeable folder; leading to potential privilege escalation

User Notes:

• ast_coredumper: check ast_debug_tools.conf permissions

  ast_debug_tools.conf must be owned by root and not be
  writable by other users or groups to be used by ast_coredumper or
  by ast_logescalator or ast_loggrabber when run as root.

Upgrade Notes:

• http.c: Change httpstatus to default disabled and sanitize output.

  To prevent possible security issues, the /httpstatus page
  served by the internal web server is now disabled by default. To explicitly
  enable it, set enable_status=yes in http.conf.

Developer Notes:

Commit Authors:

• George Joseph: (2)
• Mike Bradeen: (2)

Issue and Commit Detail:

Closed Issues:

• !GHSA-85x7-54wr-vh42: Asterisk xml.c uses unsafe XML_PARSE_NOENT leading to potential XXE Injection
• !GHSA-rvch-3jmx-3jf3: ast_coredumper running as root sources ast_debug_tools.conf from /etc/asterisk; potentially leading to privilege escalation
• !GHSA-v6hp-wh3r-cwxh: The Asterisk embedded web server's /httpstatus page echos user supplied values(cookie and query string) without sanitization
• !GHSA-xpc6-x892-v83c: ast_coredumper runs as root, and writes gdb init file to world writeable folder; leading to potential privilege escalation

Commits By Author:

• George Joseph (2):

• Mike Bradeen (2):

Commit List:

• xml.c: Replace XML_PARSE_NOENT with XML_PARSE_NONET for xmlReadFile.
• ast_coredumper: check ast_debug_tools.conf permissions
• http.c: Change httpstatus to default disabled and sanitize output.
• ast_coredumper: create gdbinit file with restrictive permissions

Commit Details:

xml.c: Replace XML_PARSE_NOENT with XML_PARSE_NONET for xmlReadFile.

Author: George Joseph
Date: 2026-01-15

The xmlReadFile XML_PARSE_NOENT flag, which allows parsing of external
entities, could allow a potential XXE injection attack. Replacing it with
XML_PARSE_NONET, which prevents network access, is safer.

Resolves: #GHSA-85x7-54wr-vh42

ast_coredumper: check ast_debug_tools.conf permissions

Author: Mike Bradeen
Date: 2026-01-15

Prevent ast_coredumper from using ast_debug_tools.conf files that are
not owned by root or are writable by other users or groups.

Prevent ast_logescalator and ast_loggrabber from doing the same if
they are run as root.

Resolves: #GHSA-rvch-3jmx-3jf3

UserNote: ast_debug_tools.conf must be owned by root and not be
writable by other users or groups to be used by ast_coredumper or
by ast_logescalator or ast_loggrabber when run as root.

http.c: Change httpstatus to default disabled and sanitize output.

Author: George Joseph
Date: 2026-01-15

To address potential security issues, the httpstatus page is now disabled
by default and the echoed query string and cookie output is html-escaped.

Resolves: #GHSA-v6hp-wh3r-cwxh

UpgradeNote: To prevent possible security issues, the /httpstatus page
served by the internal web server is now disabled by default. To explicitly
enable it, set enable_status=yes in http.conf.

ast_coredumper: create gdbinit file with restrictive permissions

Author: Mike Bradeen
Date: 2026-01-15

Modify gdbinit to use the install command with explicit permissions (-m 600)
when creating the .ast_coredumper.gdbinit file. This ensures the file is
created with restricted permissions (readable/writable only by the owner)
to avoid potential privilege escalation.

Resolves: #GHSA-xpc6-x892-v83c

The Asterisk Development Team would like to announce security release
Asterisk 22.8.2.

The release artifacts are available for immediate download at
https://github.com/asterisk/asterisk/releases/tag/22.8.2
and
https://downloads.asterisk.org/pub/telephony/asterisk

Repository: https://github.com/asterisk/asterisk
Tag: 22.8.2

Change Log for Release asterisk-22.8.2

Links:

• Full ChangeLog
• GitHub Diff
• Tarball
• Downloads

Summary:

• Commits: 4
• Commit Authors: 2
• Issues Resolved: 0
• Security Advisories Resolved: 4
  • GHSA-85x7-54wr-vh42: Asterisk xml.c uses unsafe XML_PARSE_NOENT leading to potential XXE Injection
  • GHSA-rvch-3jmx-3jf3: ast_coredumper running as root sources ast_debug_tools.conf from /etc/asterisk; potentially leading to privilege escalation
  • GHSA-v6hp-wh3r-cwxh: The Asterisk embedded web server's /httpstatus page echos user supplied values(cookie and query string) without sanitization
  • GHSA-xpc6-x892-v83c: ast_coredumper runs as root, and writes gdb init file to world writeable folder; leading to potential privilege escalation

User Notes:

• ast_coredumper: check ast_debug_tools.conf permissions

  ast_debug_tools.conf must be owned by root and not be
  writable by other users or groups to be used by ast_coredumper or
  by ast_logescalator or ast_loggrabber when run as root.

Upgrade Notes:

• http.c: Change httpstatus to default disabled and sanitize output.

  To prevent possible security issues, the /httpstatus page
  served by the internal web server is now disabled by default. To explicitly
  enable it, set enable_status=yes in http.conf.

Developer Notes:

Commit Authors:

• George Joseph: (2)
• Mike Bradeen: (2)

Issue and Commit Detail:

Closed Issues:

• !GHSA-85x7-54wr-vh42: Asterisk xml.c uses unsafe XML_PARSE_NOENT leading to potential XXE Injection
• !GHSA-rvch-3jmx-3jf3: ast_coredumper running as root sources ast_debug_tools.conf from /etc/asterisk; potentially leading to privilege escalation
• !GHSA-v6hp-wh3r-cwxh: The Asterisk embedded web server's /httpstatus page echos user supplied values(cookie and query string) without sanitization
• !GHSA-xpc6-x892-v83c: ast_coredumper runs as root, and writes gdb init file to world writeable folder; leading to potential privilege escalation

Commits By Author:

• George Joseph (2):

• Mike Bradeen (2):

Commit List:

• xml.c: Replace XML_PARSE_NOENT with XML_PARSE_NONET for xmlReadFile.
• ast_coredumper: check ast_debug_tools.conf permissions
• http.c: Change httpstatus to default disabled and sanitize output.
• ast_coredumper: create gdbinit file with restrictive permissions

Commit Details:

xml.c: Replace XML_PARSE_NOENT with XML_PARSE_NONET for xmlReadFile.

Author: George Joseph
Date: 2026-01-15

The xmlReadFile XML_PARSE_NOENT flag, which allows parsing of external
entities, could allow a potential XXE injection attack. Replacing it with
XML_PARSE_NONET, which prevents network access, is safer.

Resolves: #GHSA-85x7-54wr-vh42

ast_coredumper: check ast_debug_tools.conf permissions

Author: Mike Bradeen
Date: 2026-01-15

Prevent ast_coredumper from using ast_debug_tools.conf files that are
not owned by root or are writable by other users or groups.

Prevent ast_logescalator and ast_loggrabber from doing the same if
they are run as root.

Resolves: #GHSA-rvch-3jmx-3jf3

UserNote: ast_debug_tools.conf must be owned by root and not be
writable by other users or groups to be used by ast_coredumper or
by ast_logescalator or ast_loggrabber when run as root.

http.c: Change httpstatus to default disabled and sanitize output.

Author: George Joseph
Date: 2026-01-15

To address potential security issues, the httpstatus page is now disabled
by default and the echoed query string and cookie output is html-escaped.

Resolves: #GHSA-v6hp-wh3r-cwxh

UpgradeNote: To prevent possible security issues, the /httpstatus page
served by the internal web server is now disabled by default. To explicitly
enable it, set enable_status=yes in http.conf.

ast_coredumper: create gdbinit file with restrictive permissions

Author: Mike Bradeen
Date: 2026-01-15

Modify gdbinit to use the install command with explicit permissions (-m 600)
when creating the .ast_coredumper.gdbinit file. This ensures the file is
created with restricted permissions (readable/writable only by the owner)
to avoid potential privilege escalation.

Resolves: #GHSA-xpc6-x892-v83c

The Asterisk Development Team would like to announce security release
Asterisk 20.18.2.

The release artifacts are available for immediate download at
https://github.com/asterisk/asterisk/releases/tag/20.18.2
and
https://downloads.asterisk.org/pub/telephony/asterisk

Repository: https://github.com/asterisk/asterisk
Tag: 20.18.2

Change Log for Release asterisk-20.18.2

Links:

• Full ChangeLog
• GitHub Diff
• Tarball
• Downloads

Summary:

• Commits: 4
• Commit Authors: 2
• Issues Resolved: 0
• Security Advisories Resolved: 4
  • GHSA-85x7-54wr-vh42: Asterisk xml.c uses unsafe XML_PARSE_NOENT leading to potential XXE Injection
  • GHSA-rvch-3jmx-3jf3: ast_coredumper running as root sources ast_debug_tools.conf from /etc/asterisk; potentially leading to privilege escalation
  • GHSA-v6hp-wh3r-cwxh: The Asterisk embedded web server's /httpstatus page echos user supplied values(cookie and query string) without sanitization
  • GHSA-xpc6-x892-v83c: ast_coredumper runs as root, and writes gdb init file to world writeable folder; leading to potential privilege escalation

User Notes:

• ast_coredumper: check ast_debug_tools.conf permissions

  ast_debug_tools.conf must be owned by root and not be
  writable by other users or groups to be used by ast_coredumper or
  by ast_logescalator or ast_loggrabber when run as root.

Upgrade Notes:

• http.c: Change httpstatus to default disabled and sanitize output.

  To prevent possible security issues, the /httpstatus page
  served by the internal web server is now disabled by default. To explicitly
  enable it, set enable_status=yes in http.conf.

Developer Notes:

Commit Authors:

• George Joseph: (2)
• Mike Bradeen: (2)

Issue and Commit Detail:

Closed Issues:

• !GHSA-85x7-54wr-vh42: Asterisk xml.c uses unsafe XML_PARSE_NOENT leading to potential XXE Injection
• !GHSA-rvch-3jmx-3jf3: ast_coredumper running as root sources ast_debug_tools.conf from /etc/asterisk; potentially leading to privilege escalation
• !GHSA-v6hp-wh3r-cwxh: The Asterisk embedded web server's /httpstatus page echos user supplied values(cookie and query string) without sanitization
• !GHSA-xpc6-x892-v83c: ast_coredumper runs as root, and writes gdb init file to world writeable folder; leading to potential privilege escalation

Commits By Author:

• George Joseph (2):

• Mike Bradeen (2):

Commit List:

• xml.c: Replace XML_PARSE_NOENT with XML_PARSE_NONET for xmlReadFile.
• ast_coredumper: check ast_debug_tools.conf permissions
• http.c: Change httpstatus to default disabled and sanitize output.
• ast_coredumper: create gdbinit file with restrictive permissions

Commit Details:

xml.c: Replace XML_PARSE_NOENT with XML_PARSE_NONET for xmlReadFile.

Author: George Joseph
Date: 2026-01-15

The xmlReadFile XML_PARSE_NOENT flag, which allows parsing of external
entities, could allow a potential XXE injection attack. Replacing it with
XML_PARSE_NONET, which prevents network access, is safer.

Resolves: #GHSA-85x7-54wr-vh42

ast_coredumper: check ast_debug_tools.conf permissions

Author: Mike Bradeen
Date: 2026-01-15

Prevent ast_coredumper from using ast_debug_tools.conf files that are
not owned by root or are writable by other users or groups.

Prevent ast_logescalator and ast_loggrabber from doing the same if
they are run as root.

Resolves: #GHSA-rvch-3jmx-3jf3

UserNote: ast_debug_tools.conf must be owned by root and not be
writable by other users or groups to be used by ast_coredumper or
by ast_logescalator or ast_loggrabber when run as root.

http.c: Change httpstatus to default disabled and sanitize output.

Author: George Joseph
Date: 2026-01-15

To address potential security issues, the httpstatus page is now disabled
by default and the echoed query string and cookie output is html-escaped.

Resolves: #GHSA-v6hp-wh3r-cwxh

UpgradeNote: To prevent possible security issues, the /httpstatus page
served by the internal web server is now disabled by default. To explicitly
enable it, set enable_status=yes in http.conf.

ast_coredumper: create gdbinit file with restrictive permissions

Author: Mike Bradeen
Date: 2026-01-15

Modify gdbinit to use the install command with explicit permissions (-m 600)
when creating the .ast_coredumper.gdbinit file. This ensures the file is
created with restricted permissions (readable/writable only by the owner)
to avoid potential privilege escalation.

Resolves: #GHSA-xpc6-x892-v83c

The Asterisk Development Team would like to announce security release
Certified Asterisk 20.7-cert9.

The release artifacts are available for immediate download at
https://github.com/asterisk/asterisk/releases/tag/certified-20.7-cert9
and
https://downloads.asterisk.org/pub/telephony/certified-asterisk

Repository: https://github.com/asterisk/asterisk
Tag: certified-20.7-cert9

Change Log for Release asterisk-certified-20.7-cert9

Links:

• Full ChangeLog
• GitHub Diff
• Tarball
• Downloads

Summary:

• Commits: 4
• Commit Authors: 2
• Issues Resolved: 0
• Security Advisories Resolved: 4
  • GHSA-85x7-54wr-vh42: Asterisk xml.c uses unsafe XML_PARSE_NOENT leading to potential XXE Injection
  • GHSA-rvch-3jmx-3jf3: ast_coredumper running as root sources ast_debug_tools.conf from /etc/asterisk; potentially leading to privilege escalation
  • GHSA-v6hp-wh3r-cwxh: The Asterisk embedded web server's /httpstatus page echos user supplied values(cookie and query string) without sanitization
  • GHSA-xpc6-x892-v83c: ast_coredumper runs as root, and writes gdb init file to world writeable folder; leading to potential privilege escalation

User Notes:

• ast_coredumper: check ast_debug_tools.conf permissions

  ast_debug_tools.conf must be owned by root and not be
  writable by other users or groups to be used by ast_coredumper or
  by ast_logescalator or ast_loggrabber when run as root.

Upgrade Notes:

• http.c: Change httpstatus to default disabled and sanitize output.

  To prevent possible security issues, the /httpstatus page
  served by the internal web server is now disabled by default. To explicitly
  enable it, set enable_status=yes in http.conf.

Developer Notes:

Commit Authors:

• George Joseph: (2)
• Mike Bradeen: (2)

Issue and Commit Detail:

Closed Issues:

• !GHSA-85x7-54wr-vh42: Asterisk xml.c uses unsafe XML_PARSE_NOENT leading to potential XXE Injection
• !GHSA-rvch-3jmx-3jf3: ast_coredumper running as root sources ast_debug_tools.conf from /etc/asterisk; potentially leading to privilege escalation
• !GHSA-v6hp-wh3r-cwxh: The Asterisk embedded web server's /httpstatus page echos user supplied values(cookie and query string) without sanitization
• !GHSA-xpc6-x892-v83c: ast_coredumper runs as root, and writes gdb init file to world writeable folder; leading to potential privilege escalation

Commits By Author:

• George Joseph (2):

• Mike Bradeen (2):

Commit List:

• xml.c: Replace XML_PARSE_NOENT with XML_PARSE_NONET for xmlReadFile.
• ast_coredumper: check ast_debug_tools.conf permissions
• http.c: Change httpstatus to default disabled and sanitize output.
• ast_coredumper: create gdbinit file with restrictive permissions

Commit Details:

xml.c: Replace XML_PARSE_NOENT with XML_PARSE_NONET for xmlReadFile.

Author: George Joseph
Date: 2026-01-15

The xmlReadFile XML_PARSE_NOENT flag, which allows parsing of external
entities, could allow a potential XXE injection attack. Replacing it with
XML_PARSE_NONET, which prevents network access, is safer.

Resolves: #GHSA-85x7-54wr-vh42

ast_coredumper: check ast_debug_tools.conf permissions

Author: Mike Bradeen
Date: 2026-01-15

Prevent ast_coredumper from using ast_debug_tools.conf files that are
not owned by root or are writable by other users or groups.

Prevent ast_logescalator and ast_loggrabber from doing the same if
they are run as root.

Resolves: #GHSA-rvch-3jmx-3jf3

UserNote: ast_debug_tools.conf must be owned by root and not be
writable by other users or groups to be used by ast_coredumper or
by ast_logescalator or ast_loggrabber when run as root.

http.c: Change httpstatus to default disabled and sanitize output.

Author: George Joseph
Date: 2026-01-15

To address potential security issues, the httpstatus page is now disabled
by default and the echoed query string and cookie output is html-escaped.

Resolves: #GHSA-v6hp-wh3r-cwxh

UpgradeNote: To prevent possible security issues, the /httpstatus page
served by the internal web server is now disabled by default. To explicitly
enable it, set enable_status=yes in http.conf.

ast_coredumper: create gdbinit file with restrictive permissions

Author: Mike Bradeen
Date: 2026-01-15

Modify gdbinit to use the install command with explicit permissions (-m 600)
when creating the .ast_coredumper.gdbinit file. This ensures the file is
created with restricted permissions (readable/writable only by the owner)
to avoid potential privilege escalation.

Resolves: #GHSA-xpc6-x892-v83c

2026-02-04

nginx-1.28.2 stable and nginx-1.29.5 mainline versions have been released, with a fix for the SSL upstream injection vulnerability (CVE-2026-1642).

26.1 Snapshot 6 (known as 26.1-snapshot-6 in the launcher) is the sixth snapshot for Java Edition 26.1, released on February 3, 2026, which add new textures and models for the baby armadillo, bee, camel, fox, goat, llama, polar bear, and trader llama. It also includes many changes for data packs and resource packs. Full changelog: https://minecraft.wiki/Java_Edition_26.1-snapshot-6

The Asterisk Development Team would like to announce
the release of asterisk-23.2.1.

The release artifacts are available for immediate download at
https://github.com/asterisk/asterisk/releases/tag/23.2.1
and
https://downloads.asterisk.org/pub/telephony/asterisk

Repository: https://github.com/asterisk/asterisk
Tag: 23.2.1

This release resolves issues reported by the community
and would have not been possible without your participation.

Thank You!

Change Log for Release asterisk-23.2.1

Links:

• Full ChangeLog
• GitHub Diff
• Tarball
• Downloads

Summary:

• Commits: 1
• Commit Authors: 1
• Issues Resolved: 1
• Security Advisories Resolved: 0

User Notes:

Upgrade Notes:

Developer Notes:

Commit Authors:

• Sean Bright: (1)

Issue and Commit Detail:

Closed Issues:

• 1739: [bug]: Regression in 23.2.0 with regard to parsing fractional numbers when system locale is non-standard

Commits By Author:

• Sean Bright (1):

Commit List:

• asterisk.c: Use C.UTF-8 locale instead of relying on user's environment.

Commit Details:

asterisk.c: Use C.UTF-8 locale instead of relying on user's environment.

Author: Sean Bright
Date: 2026-01-23

Resolves: #1739

The Asterisk Development Team would like to announce
the release of asterisk-22.8.1.

The release artifacts are available for immediate download at
https://github.com/asterisk/asterisk/releases/tag/22.8.1
and
https://downloads.asterisk.org/pub/telephony/asterisk

Repository: https://github.com/asterisk/asterisk
Tag: 22.8.1

This release resolves issues reported by the community
and would have not been possible without your participation.

Thank You!

Change Log for Release asterisk-22.8.1

Links:

• Full ChangeLog
• GitHub Diff
• Tarball
• Downloads

Summary:

• Commits: 1
• Commit Authors: 1
• Issues Resolved: 1
• Security Advisories Resolved: 0

User Notes:

Upgrade Notes:

Developer Notes:

Commit Authors:

• Sean Bright: (1)

Issue and Commit Detail:

Closed Issues:

• 1739: [bug]: Regression in 23.2.0 with regard to parsing fractional numbers when system locale is non-standard

Commits By Author:

• Sean Bright (1):

Commit List:

• asterisk.c: Use C.UTF-8 locale instead of relying on user's environment.

Commit Details:

asterisk.c: Use C.UTF-8 locale instead of relying on user's environment.

Author: Sean Bright
Date: 2026-01-23

Resolves: #1739

The Asterisk Development Team would like to announce
the release of asterisk-20.18.1.

The release artifacts are available for immediate download at
https://github.com/asterisk/asterisk/releases/tag/20.18.1
and
https://downloads.asterisk.org/pub/telephony/asterisk

Repository: https://github.com/asterisk/asterisk
Tag: 20.18.1

This release resolves issues reported by the community
and would have not been possible without your participation.

Thank You!

Change Log for Release asterisk-20.18.1

Links:

• Full ChangeLog
• GitHub Diff
• Tarball
• Downloads

Summary:

• Commits: 1
• Commit Authors: 1
• Issues Resolved: 1
• Security Advisories Resolved: 0

User Notes:

Upgrade Notes:

Developer Notes:

Commit Authors:

• Sean Bright: (1)

Issue and Commit Detail:

Closed Issues:

• 1739: [bug]: Regression in 23.2.0 with regard to parsing fractional numbers when system locale is non-standard

Commits By Author:

• Sean Bright (1):

Commit List:

• asterisk.c: Use C.UTF-8 locale instead of relying on user's environment.

Commit Details:

asterisk.c: Use C.UTF-8 locale instead of relying on user's environment.

Author: Sean Bright
Date: 2026-01-23

Resolves: #1739

Download de Windows-versie voor 5 clients.

26.1 Snapshot 5 (known as 26.1-snapshot-5 in the launcher) is the fifth snapshot for Java Edition 26.1, released on January 27, 2026. Full changelog: https://minecraft.wiki/Java_Edition_26.1-snapshot-5

Download de Windows-versie voor 5 clients.

The Asterisk Development Team would like to announce
the release of asterisk-23.2.0.

The release artifacts are available for immediate download at
https://github.com/asterisk/asterisk/releases/tag/23.2.0
and
https://downloads.asterisk.org/pub/telephony/asterisk

Repository: https://github.com/asterisk/asterisk
Tag: 23.2.0

This release resolves issues reported by the community
and would have not been possible without your participation.

Thank You!

Change Log for Release asterisk-23.2.0

Links:

• Full ChangeLog
• GitHub Diff
• Tarball
• Downloads

Summary:

• Commits: 58
• Commit Authors: 20
• Issues Resolved: 41
• Security Advisories Resolved: 0

User Notes:

• chan_websocket.conf.sample: Fix category name.

  The category name in the chan_websocket.conf.sample file was
  incorrect. It should be "global" instead of "general".

• cli.c: Allow 'channel request hangup' to accept patterns.

  The 'channel request hangup' CLI command now accepts
  multiple channel names, POSIX Extended Regular Expressions, glob-like
  patterns, or a combination of all of them. See the CLI command 'core
  show help channel request hangup' for full details.

• res_sorcery_memory_cache: Reduce cache lock time for sorcery memory cache populate command

  The AMI command sorcery memory cache populate will now
  return an error if there is an internal error performing the populate.
  The CLI command will display an error in this case as well.

• res_geolocation: Fix multiple issues with XML generation.

  Geolocation: Two new optional profile parameters have been added.

  • pidf_element_id which sets the value of the id attribute on the top-level
    PIDF-LO device, person or tuple elements.
  • device_id which sets the content of the <deviceID> element.
    Both parameters can include channel variables.

• res_pjsip_messaging: Add support for following 3xx redirects

  A new pjsip endpoint option follow_redirect_methods was added.
  This option is a comma-delimited, case-insensitive list of SIP methods
  for which SIP 3XX redirect responses are followed. An alembic upgrade
  script has been added for adding this new option to the Asterisk
  database.

• taskprocessors: Improve logging and add new cli options

  New CLI command has been added -
  core show taskprocessor name

• ccss: Add option to ccss.conf to globally disable it.

  A new "enabled" parameter has been added to ccss.conf. It defaults
  to "yes" to preserve backwards compatibility but CCSS is rarely used so
  setting "enabled = no" in the "general" section can save some unneeded channel
  locking operations and log message spam. Disabling ccss will also prevent
  the func_callcompletion and chan_dahdi modules from loading.

• Makefile: Add module-list-* targets.

  Try "make module-list-deprecated" to see what modules
  are on their way out the door.

• app_mixmonitor: Add 's' (skip) option to delay recording.

  This change introduces a new 's()' (skip) option to the MixMonitor
  application. Example:
  MixMonitor(${UNIQUEID}.wav,s(3))
  This skips recording for the first 3 seconds before writing audio to the file.
  Existing MixMonitor behavior remains unchanged when the 's' option is not used.

• app_queue.c: Only announce to head caller if announce_to_first_user

  When announce_to_first_user is false, no announcements are played to the head caller

Upgrade Notes:

• res_geolocation: Fix multiple issues with XML generation.

  Geolocation: In order to correct bugs in both code and
  documentation, the following changes to the parameters for GML geolocation
  locations are now in effect:

  • The documented but unimplemented crs (coordinate reference system) element
    has been added to the location_info parameter that indicates whether the 2d
    or 3d reference system is to be used. If the crs isn't valid for the shape
    specified, an error will be generated. The default depends on the shape
    specified.
  • The Circle, Ellipse and ArcBand shapes MUST use a 2d crs. If crs isn't
    specified, it will default to 2d for these shapes.
    The Sphere, Ellipsoid and Prism shapes MUST use a 3d crs. If crs isn't
    specified, it will default to 3d for these shapes.
    The Point and Polygon shapes may use either crs. The default crs is 2d
    however so if 3d positions are used, the crs must be explicitly set to 3d.
  • The geoloc show gml_shape_defs CLI command has been updated to show which
    coordinate reference systems are valid for each shape.
  • The pos3d element has been removed in favor of allowing the pos element
    to include altitude if the crs is 3d. The number of values in the pos
    element MUST be 2 if the crs is 2d and 3 if the crs is 3d. An error
    will be generated for any other combination.
  • The angle unit-of-measure for shapes that use angles should now be included
    in the respective parameter. The default is degrees. There were some
    inconsistent references to orientation_uom in some documentation but that
    parameter never worked and is now removed. See examples below.
    Examples...

    location_info = shape="Sphere", pos="39.0 -105.0 1620", radius="20"
    location_info = shape="Point", crs="3d", pos="39.0 -105.0 1620"
    location_info = shape="Point", pos="39.0 -105.0"
    location_info = shape=Ellipsoid, pos="39.0 -105.0 1620", semiMajorAxis="20"
                  semiMinorAxis="10", verticalAxis="0", orientation="25 degrees"
    pidf_element_id = ${CHANNEL(name)}-${EXTEN}
    device_id = mac:001122334455
    Set(GEOLOC_PROFILE(pidf_element_id)=${CHANNEL(name)}/${EXTEN})
  

• pjsip: Move from threadpool to taskpool

  The threadpool_* options in pjsip.conf have now
  been deprecated though they continue to be read and used.
  They have been replaced with taskpool options that give greater
  control over the underlying taskpool used for PJSIP. An alembic
  upgrade script has been added to add these options to realtime
  as well.

• app_directed_pickup.c: Change some log messages from NOTICE to VERBOSE.

  In an effort to reduce log spam, two normal progress
  "pickup attempted" log messages from app_directed_pickup have been changed
  from NOTICE to VERBOSE(3). This puts them on par with other normal
  dialplan progress messages.

Developer Notes:

• ccss: Add option to ccss.conf to globally disable it.

  A new API ast_is_cc_enabled() has been added. It should be
  used to ensure that CCSS is enabled before making any other ast_cc_* calls.

• chan_websocket: Add ability to place a MARK in the media stream.

  Apps can now send a MARK_MEDIA command with an optional
  correlation_id parameter to chan_websocket which will be placed in the
  media frame queue. When that frame is dequeued after all intervening media
  has been played to the core, chan_websocket will send a
  MEDIA_MARK_PROCESSED event to the app with the same correlation_id
  (if any).

• chan_websocket: Add capability for JSON control messages and events.

  The chan_websocket plain-text control and event messages are now
  deprecated (but remain the default) in favor of JSON formatted messages.
  See https://docs.asterisk.org/Configuration/Channel-Drivers/WebSocket for
  more information.
  A "transport_data" parameter has been added to the

Commit Authors:

• Alexei Gradinari: (1)
• C. Maj: (1)
• Daouda Taha: (1)
• George Joseph: (12)
• Joe Garlick: (2)
• Joshua C. Colp: (1)
• Justin T. Gibbs: (1)
• Kristian F. Høgh: (1)
• Maximilian Fridrich: (2)
• Michal Hajek: (1)
• Mike Bradeen: (2)
• Nathaniel Wesley Filardo: (1)
• Naveen Albert: (4)
• Paul Donald: (1)
• Peter Krall: (1)
• Sean Bright: (17)
• Sven Kube: (1)
• Tinet-mucw: (2)
• phoneben: (5)
• sarangr7: (1)

The Asterisk Development Team would like to announce
the release of asterisk-22.8.0.

The release artifacts are available for immediate download at
https://github.com/asterisk/asterisk/releases/tag/22.8.0
and
https://downloads.asterisk.org/pub/telephony/asterisk

Repository: https://github.com/asterisk/asterisk
Tag: 22.8.0

This release resolves issues reported by the community
and would have not been possible without your participation.

Thank You!

Change Log for Release asterisk-22.8.0

Links:

• Full ChangeLog
• GitHub Diff
• Tarball
• Downloads

Summary:

• Commits: 57
• Commit Authors: 19
• Issues Resolved: 40
• Security Advisories Resolved: 0

User Notes:

• chan_websocket.conf.sample: Fix category name.

  The category name in the chan_websocket.conf.sample file was
  incorrect. It should be "global" instead of "general".

• cli.c: Allow 'channel request hangup' to accept patterns.

  The 'channel request hangup' CLI command now accepts
  multiple channel names, POSIX Extended Regular Expressions, glob-like
  patterns, or a combination of all of them. See the CLI command 'core
  show help channel request hangup' for full details.

• res_sorcery_memory_cache: Reduce cache lock time for sorcery memory cache populate command

  The AMI command sorcery memory cache populate will now
  return an error if there is an internal error performing the populate.
  The CLI command will display an error in this case as well.

• res_geolocation: Fix multiple issues with XML generation.

  Geolocation: Two new optional profile parameters have been added.

  • pidf_element_id which sets the value of the id attribute on the top-level
    PIDF-LO device, person or tuple elements.
  • device_id which sets the content of the <deviceID> element.
    Both parameters can include channel variables.

• res_pjsip_messaging: Add support for following 3xx redirects

  A new pjsip endpoint option follow_redirect_methods was added.
  This option is a comma-delimited, case-insensitive list of SIP methods
  for which SIP 3XX redirect responses are followed. An alembic upgrade
  script has been added for adding this new option to the Asterisk
  database.

• taskprocessors: Improve logging and add new cli options

  New CLI command has been added -
  core show taskprocessor name

• ccss: Add option to ccss.conf to globally disable it.

  A new "enabled" parameter has been added to ccss.conf. It defaults
  to "yes" to preserve backwards compatibility but CCSS is rarely used so
  setting "enabled = no" in the "general" section can save some unneeded channel
  locking operations and log message spam. Disabling ccss will also prevent
  the func_callcompletion and chan_dahdi modules from loading.

• Makefile: Add module-list-* targets.

  Try "make module-list-deprecated" to see what modules
  are on their way out the door.

• app_mixmonitor: Add 's' (skip) option to delay recording.

  This change introduces a new 's()' (skip) option to the MixMonitor
  application. Example:
  MixMonitor(${UNIQUEID}.wav,s(3))
  This skips recording for the first 3 seconds before writing audio to the file.
  Existing MixMonitor behavior remains unchanged when the 's' option is not used.

• app_queue.c: Only announce to head caller if announce_to_first_user

  When announce_to_first_user is false, no announcements are played to the head caller

Upgrade Notes:

• res_geolocation: Fix multiple issues with XML generation.

  Geolocation: In order to correct bugs in both code and
  documentation, the following changes to the parameters for GML geolocation
  locations are now in effect:

  • The documented but unimplemented crs (coordinate reference system) element
    has been added to the location_info parameter that indicates whether the 2d
    or 3d reference system is to be used. If the crs isn't valid for the shape
    specified, an error will be generated. The default depends on the shape
    specified.
  • The Circle, Ellipse and ArcBand shapes MUST use a 2d crs. If crs isn't
    specified, it will default to 2d for these shapes.
    The Sphere, Ellipsoid and Prism shapes MUST use a 3d crs. If crs isn't
    specified, it will default to 3d for these shapes.
    The Point and Polygon shapes may use either crs. The default crs is 2d
    however so if 3d positions are used, the crs must be explicitly set to 3d.
  • The geoloc show gml_shape_defs CLI command has been updated to show which
    coordinate reference systems are valid for each shape.
  • The pos3d element has been removed in favor of allowing the pos element
    to include altitude if the crs is 3d. The number of values in the pos
    element MUST be 2 if the crs is 2d and 3 if the crs is 3d. An error
    will be generated for any other combination.
  • The angle unit-of-measure for shapes that use angles should now be included
    in the respective parameter. The default is degrees. There were some
    inconsistent references to orientation_uom in some documentation but that
    parameter never worked and is now removed. See examples below.
    Examples...

    location_info = shape="Sphere", pos="39.0 -105.0 1620", radius="20"
    location_info = shape="Point", crs="3d", pos="39.0 -105.0 1620"
    location_info = shape="Point", pos="39.0 -105.0"
    location_info = shape=Ellipsoid, pos="39.0 -105.0 1620", semiMajorAxis="20"
                  semiMinorAxis="10", verticalAxis="0", orientation="25 degrees"
    pidf_element_id = ${CHANNEL(name)}-${EXTEN}
    device_id = mac:001122334455
    Set(GEOLOC_PROFILE(pidf_element_id)=${CHANNEL(name)}/${EXTEN})
  

• pjsip: Move from threadpool to taskpool

  The threadpool_* options in pjsip.conf have now
  been deprecated though they continue to be read and used.
  They have been replaced with taskpool options that give greater
  control over the underlying taskpool used for PJSIP. An alembic
  upgrade script has been added to add these options to realtime
  as well.

• app_directed_pickup.c: Change some log messages from NOTICE to VERBOSE.

  In an effort to reduce log spam, two normal progress
  "pickup attempted" log messages from app_directed_pickup have been changed
  from NOTICE to VERBOSE(3). This puts them on par with other normal
  dialplan progress messages.

Developer Notes:

• ccss: Add option to ccss.conf to globally disable it.

  A new API ast_is_cc_enabled() has been added. It should be
  used to ensure that CCSS is enabled before making any other ast_cc_* calls.

• chan_websocket: Add ability to place a MARK in the media stream.

  Apps can now send a MARK_MEDIA command with an optional
  correlation_id parameter to chan_websocket which will be placed in the
  media frame queue. When that frame is dequeued after all intervening media
  has been played to the core, chan_websocket will send a
  MEDIA_MARK_PROCESSED event to the app with the same correlation_id
  (if any).

• chan_websocket: Add capability for JSON control messages and events.

  The chan_websocket plain-text control and event messages are now
  deprecated (but remain the default) in favor of JSON formatted messages.
  See https://docs.asterisk.org/Configuration/Channel-Drivers/WebSocket for
  more information.
  A "transport_data" parameter has been added to the

Commit Authors:

• Alexei Gradinari: (1)
• C. Maj: (1)
• Daouda Taha: (1)
• George Joseph: (12)
• Joe Garlick: (2)
• Joshua C. Colp: (1)
• Justin T. Gibbs: (1)
• Kristian F. Høgh: (1)
• Maximilian Fridrich: (2)
• Michal Hajek: (1)
• Mike Bradeen: (2)
• Nathaniel Wesley Filardo: (1)
• Naveen Albert: (4)
• Peter Krall: (1)
• Sean Bright: (17)
• Sven Kube: (1)
• Tinet-mucw: (2)
• phoneben: (5)
• sarangr7: (1)

The Asterisk Development Team would like to announce
the release of asterisk-20.18.0.

The release artifacts are available for immediate download at
https://github.com/asterisk/asterisk/releases/tag/20.18.0
and
https://downloads.asterisk.org/pub/telephony/asterisk

Repository: https://github.com/asterisk/asterisk
Tag: 20.18.0

This release resolves issues reported by the community
and would have not been possible without your participation.

Thank You!

Change Log for Release asterisk-20.18.0

Links:

• Full ChangeLog
• GitHub Diff
• Tarball
• Downloads

Summary:

• Commits: 57
• Commit Authors: 20
• Issues Resolved: 40
• Security Advisories Resolved: 0

User Notes:

• chan_websocket.conf.sample: Fix category name.

  The category name in the chan_websocket.conf.sample file was
  incorrect. It should be "global" instead of "general".

• cli.c: Allow 'channel request hangup' to accept patterns.

  The 'channel request hangup' CLI command now accepts
  multiple channel names, POSIX Extended Regular Expressions, glob-like
  patterns, or a combination of all of them. See the CLI command 'core
  show help channel request hangup' for full details.

• res_sorcery_memory_cache: Reduce cache lock time for sorcery memory cache populate command

  The AMI command sorcery memory cache populate will now
  return an error if there is an internal error performing the populate.
  The CLI command will display an error in this case as well.

• res_geolocation: Fix multiple issues with XML generation.

  Geolocation: Two new optional profile parameters have been added.

  • pidf_element_id which sets the value of the id attribute on the top-level
    PIDF-LO device, person or tuple elements.
  • device_id which sets the content of the <deviceID> element.
    Both parameters can include channel variables.

• res_pjsip_messaging: Add support for following 3xx redirects

  A new pjsip endpoint option follow_redirect_methods was added.
  This option is a comma-delimited, case-insensitive list of SIP methods
  for which SIP 3XX redirect responses are followed. An alembic upgrade
  script has been added for adding this new option to the Asterisk
  database.

• taskprocessors: Improve logging and add new cli options

  New CLI command has been added -
  core show taskprocessor name

• ccss: Add option to ccss.conf to globally disable it.

  A new "enabled" parameter has been added to ccss.conf. It defaults
  to "yes" to preserve backwards compatibility but CCSS is rarely used so
  setting "enabled = no" in the "general" section can save some unneeded channel
  locking operations and log message spam. Disabling ccss will also prevent
  the func_callcompletion and chan_dahdi modules from loading.

• Makefile: Add module-list-* targets.

  Try "make module-list-deprecated" to see what modules
  are on their way out the door.

• app_mixmonitor: Add 's' (skip) option to delay recording.

  This change introduces a new 's()' (skip) option to the MixMonitor
  application. Example:
  MixMonitor(${UNIQUEID}.wav,s(3))
  This skips recording for the first 3 seconds before writing audio to the file.
  Existing MixMonitor behavior remains unchanged when the 's' option is not used.

• app_queue.c: Only announce to head caller if announce_to_first_user

  When announce_to_first_user is false, no announcements are played to the head caller

Upgrade Notes:

• res_geolocation: Fix multiple issues with XML generation.

  Geolocation: In order to correct bugs in both code and
  documentation, the following changes to the parameters for GML geolocation
  locations are now in effect:

  • The documented but unimplemented crs (coordinate reference system) element
    has been added to the location_info parameter that indicates whether the 2d
    or 3d reference system is to be used. If the crs isn't valid for the shape
    specified, an error will be generated. The default depends on the shape
    specified.
  • The Circle, Ellipse and ArcBand shapes MUST use a 2d crs. If crs isn't
    specified, it will default to 2d for these shapes.
    The Sphere, Ellipsoid and Prism shapes MUST use a 3d crs. If crs isn't
    specified, it will default to 3d for these shapes.
    The Point and Polygon shapes may use either crs. The default crs is 2d
    however so if 3d positions are used, the crs must be explicitly set to 3d.
  • The geoloc show gml_shape_defs CLI command has been updated to show which
    coordinate reference systems are valid for each shape.
  • The pos3d element has been removed in favor of allowing the pos element
    to include altitude if the crs is 3d. The number of values in the pos
    element MUST be 2 if the crs is 2d and 3 if the crs is 3d. An error
    will be generated for any other combination.
  • The angle unit-of-measure for shapes that use angles should now be included
    in the respective parameter. The default is degrees. There were some
    inconsistent references to orientation_uom in some documentation but that
    parameter never worked and is now removed. See examples below.
    Examples...

    location_info = shape="Sphere", pos="39.0 -105.0 1620", radius="20"
    location_info = shape="Point", crs="3d", pos="39.0 -105.0 1620"
    location_info = shape="Point", pos="39.0 -105.0"
    location_info = shape=Ellipsoid, pos="39.0 -105.0 1620", semiMajorAxis="20"
                  semiMinorAxis="10", verticalAxis="0", orientation="25 degrees"
    pidf_element_id = ${CHANNEL(name)}-${EXTEN}
    device_id = mac:001122334455
    Set(GEOLOC_PROFILE(pidf_element_id)=${CHANNEL(name)}/${EXTEN})
  

• pjsip: Move from threadpool to taskpool

  The threadpool_* options in pjsip.conf have now
  been deprecated though they continue to be read and used.
  They have been replaced with taskpool options that give greater
  control over the underlying taskpool used for PJSIP. An alembic
  upgrade script has been added to add these options to realtime
  as well.

• app_directed_pickup.c: Change some log messages from NOTICE to VERBOSE.

  In an effort to reduce log spam, two normal progress
  "pickup attempted" log messages from app_directed_pickup have been changed
  from NOTICE to VERBOSE(3). This puts them on par with other normal
  dialplan progress messages.

Developer Notes:

• ccss: Add option to ccss.conf to globally disable it.

  A new API ast_is_cc_enabled() has been added. It should be
  used to ensure that CCSS is enabled before making any other ast_cc_* calls.

• chan_websocket: Add ability to place a MARK in the media stream.

  Apps can now send a MARK_MEDIA command with an optional
  correlation_id parameter to chan_websocket which will be placed in the
  media frame queue. When that frame is dequeued after all intervening media
  has been played to the core, chan_websocket will send a
  MEDIA_MARK_PROCESSED event to the app with the same correlation_id
  (if any).

• chan_websocket: Add capability for JSON control messages and events.

  The chan_websocket plain-text control and event messages are now
  deprecated (but remain the default) in favor of JSON formatted messages.
  See https://docs.asterisk.org/Configuration/Channel-Drivers/WebSocket for
  more information.
  A "transport_data" parameter has been added to the

Commit Authors:

• Alexei Gradinari: (1)
• C. Maj: (1)
• Daouda Taha: (1)
• Etienne Lessard: (1)
• George Joseph: (12)
• Joe Garlick: (2)
• Joshua C. Colp: (1)
• Justin T. Gibbs: (1)
• Kristian F. Høgh: (1)
• Maximilian Fridrich: (2)
• Michal Hajek: (1)
• Mike Bradeen: (2)
• Nathaniel Wesley Filardo: (1)
• Naveen Albert: (3)
• Peter Krall: (1)
• Sean Bright: (17)
• Sven Kube: (1)
• Tinet-mucw: (2)
• phoneben: (5)
• sarangr7: (1)

26.1 Snapshot 4 (known as 26.1-snapshot-4 in the launcher) is the fourth snapshot for Java Edition 26.1, released on January 20, 2026, which changes the models of baby horses, donkeys, and mules, as well as zombie and skeleton horses, adds new tags, and fixes bugs. Full changelog: https://minecraft.wiki/Java_Edition_26.1-snapshot-4

Download de Windows-versie voor 5 clients.

There is a new PHP release in town!

💾

💾

💾