similar to: AST-2019-003: Remote Crash Vulnerability in chan_sip channel driver

The Asterisk Development Team would like to announce security releases for Asterisk 13, 15 and 16, and Certified Asterisk 13.21. The available releases are released as versions 13.27.1, 15.7.3, 16.4.1 and 13.21-cert4. These releases are available for immediate download at https://downloads.asterisk.org/pub/telephony/asterisk/releases

Asterisk Project Security Advisory - AST-2019-002 Product Asterisk Summary Remote crash vulnerability with MESSAGE messages Nature of Advisory Denial Of Service Susceptibility Remote Authenticated Sessions Severity Low

Asterisk Project Security Advisory - AST-2017-003 Product Asterisk Summary Crash in PJSIP multi-part body parser Nature of Advisory Remote Crash Susceptibility Remote Unauthenticated Sessions Severity Critical

Asterisk Project Security Advisory - AST-2016-003 Product Asterisk Summary Remote crash vulnerability when receiving UDPTL FAX data. Nature of Advisory Denial of Service Susceptibility Remote

Asterisk Project Security Advisory - AST-2014-003 Product Asterisk Summary Remote Crash Vulnerability in PJSIP channel driver Nature of Advisory Denial of Service Susceptibility Remote Unauthenticated Sessions Severity Moderate

Asterisk Project Security Advisory - AST-2014-003 Product Asterisk Summary Remote Crash Vulnerability in PJSIP channel driver Nature of Advisory Denial of Service Susceptibility Remote Unauthenticated Sessions Severity Moderate

Asterisk Project Security Advisory - AST-2018-008 Product Asterisk Summary PJSIP endpoint presence disclosure when using ACL Nature of Advisory Unauthorized data disclosure Susceptibility Remote Unauthenticated Sessions Severity Minor

Asterisk Project Security Advisory - Product Asterisk Summary Re-invite with T.38 and malformed SDP causes crash. Nature of Advisory Remote Crash Susceptibility Remote Authenticated Sessions Severity Minor

Asterisk Project Security Advisory - AST-2015-002 Product Asterisk Summary Mitigation for libcURL HTTP request injection vulnerability Nature of Advisory HTTP request injection Susceptibility Remote

Asterisk Project Security Advisory - AST-2015-002 Product Asterisk Summary Mitigation for libcURL HTTP request injection vulnerability Nature of Advisory HTTP request injection Susceptibility Remote

Asterisk Project Security Advisory - AST-2018-009 Product Asterisk Summary Remote crash vulnerability in HTTP websocket upgrade Nature of Advisory Denial Of Service Susceptibility Remote Unauthenticated Sessions Severity Moderate

The Asterisk Development Team would like to announce security releases for Asterisk 15, 13 and 14, and Certified Asterisk 13.18 and 13.21. The available releases are released as versions 15.4.1, 13.21.1, 14.7.7, 13.18-cert4 and 13.21-cert2. These releases are available for immediate download at https://downloads.asterisk.org/pub/telephony/asterisk/releases

Asterisk Project Security Advisory - AST-2019-007 Product Asterisk Summary AMI user could execute system commands. Nature of Advisory Remote Code Execution Susceptibility Remote Authenticated Sessions Severity Minor

Asterisk Project Security Advisory - AST-2019-006 Product Asterisk Summary SIP request can change address of a SIP peer. Nature of Advisory Denial of Service Susceptibility Remote Unauthenticated Sessions Severity Minor

Asterisk Project Security Advisory - AST-2018-003 Product Asterisk Summary Crash with an invalid SDP fmtp attribute Nature of Advisory Remote crash Susceptibility Remote Authenticated Sessions Severity Minor

Asterisk Project Security Advisory - AST-2015-003 Product Asterisk Summary TLS Certificate Common name NULL byte exploit Nature of Advisory Man in the Middle Attack Susceptibility Remote Authenticated Sessions Severity Major

Asterisk Project Security Advisory - AST-2015-003 Product Asterisk Summary TLS Certificate Common name NULL byte exploit Nature of Advisory Man in the Middle Attack Susceptibility Remote Authenticated Sessions Severity Major

Asterisk Project Security Advisory - AST-2010-003 +------------------------------------------------------------------------+ | Product | Asterisk | |--------------------+---------------------------------------------------| | Summary | Invalid parsing of ACL rules can compromise | | | security

Asterisk Project Security Advisory - AST-2010-003 +------------------------------------------------------------------------+ | Product | Asterisk | |--------------------+---------------------------------------------------| | Summary | Invalid parsing of ACL rules can compromise | | | security

In Version 1.8 asterisk introduced this parameter preferred_codec_only, when set to "yes" the 200 OK to the INVITE contains 1 codec only from the available ones in the user sip profile. But in version 13.1 (I think version 11.2 also) is not working like that , it keeps sending all the codecs and sometimes both parties pick a different one causing one way audio. Example: INVITE has ulaw,