Asterisk Development Team
2022-Mar-04 20:01 UTC
[asterisk-announce] Asterisk 16.24.1, 18.10.1, 19.2.1 and 16.8-cert13 Now Available (Security)
The Asterisk Development Team would like to announce security releases for Asterisk 16, 18 and 19, and Certified Asterisk 16.8. The releases are available as versions 16.24.1, 18.10.1, 19.2.1 and 16.8-cert13.

These releases are available for immediate download at

https://downloads.asterisk.org/pub/telephony/asterisk/releases
https://downloads.asterisk.org/pub/telephony/certified-asterisk/releases

The following security vulnerabilities were resolved in these versions:

* AST-2022-004: pjproject: integer underflow on STUN message

  The header length on incoming STUN messages that contain an ERROR-CODE attribute is not properly checked. This can result in an integer underflow. Note that this requires ICE or WebRTC support to be in use with a malicious remote party.

* AST-2022-005: pjproject: undefined behavior after freeing a dialog set

  When acting as a UAC, and when placing an outgoing call to a target that then forks, Asterisk may experience undefined behavior (crashes, hangs, etc.) after a dialog set is prematurely freed.

* AST-2022-006: pjproject: unconstrained malformed multipart SIP message

  If an incoming SIP message contains a malformed multi-part body, an out-of-bounds read may occur, which can result in undefined behavior. Note that it is currently uncertain whether there is any externally exploitable vector within Asterisk for this issue, but it is being treated as a security issue out of caution.
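The length-checking point behind AST-2022-004 is the usual one for STUN: the parser must compare every declared length against the bytes it actually holds before subtracting from it, and an ERROR-CODE attribute carries four fixed bytes before its reason phrase, so a declared length below four must be rejected before "reason length = length - 4" is ever computed. The following is an added example written for this page, not pjproject or Asterisk code and not a reconstruction of the fixed code; it is a minimal RFC 5389 parser with those checks in place. The function names, result codes and the three sample packets are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Added example (not pjproject/Asterisk code): a minimal STUN parser that
 * validates each length before using it. All names and packets here are
 * constructed for illustration. */

#define STUN_HDR_LEN         20
#define STUN_ATTR_HDR_LEN    4
#define STUN_MAGIC           0x2112A442u
#define STUN_ATTR_ERROR_CODE 0x0009   /* RFC 5389 ERROR-CODE attribute type */

enum stun_result {
    STUN_OK = 0,
    STUN_ERR_SHORT_HEADER,       /* fewer than 20 bytes received */
    STUN_ERR_BAD_MAGIC,          /* magic cookie mismatch */
    STUN_ERR_MSG_LEN,            /* header length field exceeds the buffer */
    STUN_ERR_ATTR_LEN,           /* attribute length runs past the message */
    STUN_ERR_ERROR_CODE_SHORT    /* ERROR-CODE shorter than its 4 fixed bytes */
};

struct stun_error_code {
    int found;
    unsigned cls;        /* 3-bit error class (e.g. 4 for 4xx) */
    unsigned number;     /* 0..99 */
    size_t reason_len;   /* validated length of the reason phrase */
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

enum stun_result stun_parse(const uint8_t *buf, size_t buf_len, struct stun_error_code *out)
{
    memset(out, 0, sizeof(*out));
    if (buf_len < STUN_HDR_LEN) return STUN_ERR_SHORT_HEADER;
    if (rd32(buf + 4) != STUN_MAGIC) return STUN_ERR_BAD_MAGIC;

    size_t msg_len = rd16(buf + 2);
    /* The attribute area must be 4-byte aligned and fit inside what we received. */
    if ((msg_len & 3) != 0 || msg_len > buf_len - STUN_HDR_LEN) return STUN_ERR_MSG_LEN;

    size_t off = STUN_HDR_LEN, end = STUN_HDR_LEN + msg_len;
    while (off < end) {
        if (end - off < STUN_ATTR_HDR_LEN) return STUN_ERR_ATTR_LEN;
        uint16_t type = rd16(buf + off);
        size_t len = rd16(buf + off + 2);
        size_t padded = (len + 3) & ~(size_t)3;
        /* Compare against the remaining bytes before any subtraction happens. */
        if (padded > end - (off + STUN_ATTR_HDR_LEN)) return STUN_ERR_ATTR_LEN;
        const uint8_t *val = buf + off + STUN_ATTR_HDR_LEN;

        if (type == STUN_ATTR_ERROR_CODE) {
            /* len - 4 would wrap for len < 4 (unsigned), so refuse it first. */
            if (len < 4) return STUN_ERR_ERROR_CODE_SHORT;
            out->found = 1;
            out->cls = val[2] & 0x07;
            out->number = val[3];
            out->reason_len = len - 4;
        }
        off += STUN_ATTR_HDR_LEN + padded;
    }
    return STUN_OK;
}

/* Constructed sample packets (not captured traffic). All are Binding Error
 * Responses (type 0x0111) with magic cookie and a fixed transaction id. */
#define TXID 0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08,0x09,0x0A,0x0B,0x0C
static const uint8_t good_pkt[] = {            /* ERROR-CODE 401 "Unauthorized" */
    0x01,0x11, 0x00,0x14, 0x21,0x12,0xA4,0x42, TXID,
    0x00,0x09, 0x00,0x10, 0x00,0x00,0x04,0x01,
    'U','n','a','u','t','h','o','r','i','z','e','d' };
static const uint8_t short_errcode_pkt[] = {   /* ERROR-CODE with length 2 */
    0x01,0x11, 0x00,0x08, 0x21,0x12,0xA4,0x42, TXID,
    0x00,0x09, 0x00,0x02, 0x04,0x01, 0x00,0x00 };
static const uint8_t oversize_attr_pkt[] = {   /* attribute claims 64 bytes */
    0x01,0x11, 0x00,0x08, 0x21,0x12,0xA4,0x42, TXID,
    0x00,0x09, 0x00,0x40, 0x00,0x00,0x04,0x01 };

/* Small wrappers returning plain ints so results can be checked directly. */
int parse_result(const uint8_t *buf, size_t len) {
    struct stun_error_code ec; return (int)stun_parse(buf, len, &ec);
}
int parse_reason_len(const uint8_t *buf, size_t len) {
    struct stun_error_code ec;
    if (stun_parse(buf, len, &ec) != STUN_OK || !ec.found) return -1;
    return (int)ec.reason_len;
}

int main(void) {
    printf("good: %d (reason %d bytes)\n", parse_result(good_pkt, sizeof good_pkt),
           parse_reason_len(good_pkt, sizeof good_pkt));
    printf("short ERROR-CODE: %d\n", parse_result(short_errcode_pkt, sizeof short_errcode_pkt));
    printf("oversize attr: %d\n", parse_result(oversize_attr_pkt, sizeof oversize_attr_pkt));
    return 0;
}
```

The three checks are ordered so that each comparison is made on values already known to be in range: message length against buffer length, attribute length against the remaining message, and only then the ERROR-CODE fixed-part length against the attribute length. A parser that reverses any of these orders, or computes a remainder and then checks it, is the shape of bug the advisory describes.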
For a full list of changes in the current releases, please see the ChangeLogs:

https://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-16.24.1
https://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-18.10.1
https://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-19.2.1
https://downloads.asterisk.org/pub/telephony/certified-asterisk/releases/ChangeLog-certified-16.8-cert13

The security advisories are available at:

https://downloads.asterisk.org/pub/security/AST-2022-004.pdf
https://downloads.asterisk.org/pub/security/AST-2022-005.pdf
https://downloads.asterisk.org/pub/security/AST-2022-006.pdf

Thank you for your continued support of Asterisk!