Asterisk 16.24.1, 18.10.1, 19.2.1 and 16.8-cert13 Now Available (Security)
- Subject: Asterisk 16.24.1, 18.10.1, 19.2.1 and 16.8-cert13 Now Available (Security)
- From: "Asterisk Development Team" <asteriskteam@xxxxxxxxxx>
- Date: Fri, 04 Mar 2022 20:01:59 +0000
The Asterisk Development Team would like to announce security releases for
Asterisk 16, 18 and 19, and Certified Asterisk 16.8. The available releases are
released as versions 16.24.1, 18.10.1, 19.2.1 and 16.8-cert13.
These releases are available for immediate download at
https://downloads.asterisk.org/pub/telephony/asterisk/releases
https://downloads.asterisk.org/pub/telephony/certified-asterisk/releases
The following security vulnerabilities were resolved in these versions:
- AST-2022-004: pjproject: integer underflow on STUN message
The header length on incoming STUN messages that contain an ERROR-CODE
attribute is not properly checked. This can result in an integer underflow.
Note, this requires ICE or WebRTC support to be in use with a malicious remote
party.
- AST-2022-005: pjproject: undefined behavior after freeing a dialog set
When acting as a UAC, and when placing an outgoing call to a target that then
forks, Asterisk may experience undefined behavior (crashes, hangs, etc…)
after a dialog set is prematurely freed.
- AST-2022-006: pjproject: unconstrained malformed multipart SIP message
If an incoming SIP message contains a malformed multi-part body an out of
bounds read access may occur, which can result in undefined behavior. Note,
it's currently uncertain if there is any externally exploitable vector
within Asterisk for this issue, but providing this as a security issue out of
caution.
For a full list of changes in the current releases, please see the ChangeLogs:
ChangeLog-16.24.1
ChangeLog-18.10.1
ChangeLog-19.2.1
ChangeLog-certified-16.8-cert13
The security advisories are available at:
AST-2022-004.pdf
AST-2022-005.pdf
AST-2022-006.pdf
Thank you for your continued support of Asterisk!
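The bug class behind AST-2022-004, as an added example that is not part of the announcement and is not pjproject's code: a bounds-checked parser for a STUN ERROR-CODE attribute laid out as in RFC 5389. The function names, the struct and the sample bytes are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define STUN_ATTR_ERROR_CODE 0x0009 /* attribute type, RFC 5389 */
#define ERRCODE_FIXED_LEN 4         /* reserved(2) + class(1) + number(1) */

struct stun_errcode {
    int code;              /* class * 100 + number, e.g. 401 */
    const uint8_t *reason; /* reason phrase, points into the input */
    size_t reason_len;
};

/* The bug class: subtracting the fixed part from an unchecked length.
 * For len < 4 the result wraps to a huge size_t. */
size_t unchecked_reason_len(uint16_t len) { return (size_t)len - ERRCODE_FIXED_LEN; }

/* Parse one ERROR-CODE attribute (4-byte type/length header + value).
 * Returns 0 on success, -1 if the attribute is malformed. */
int parse_errcode_attr(const uint8_t *buf, size_t buf_len, struct stun_errcode *out)
{
    if (buf_len < 4) return -1;                      /* no room for TLV header */
    uint16_t type = (uint16_t)(buf[0] << 8 | buf[1]);
    uint16_t len  = (uint16_t)(buf[2] << 8 | buf[3]);
    if (type != STUN_ATTR_ERROR_CODE) return -1;
    if (len > buf_len - 4) return -1;                /* value runs past the buffer */
    if (len < ERRCODE_FIXED_LEN) return -1;          /* len - 4 would underflow */
    const uint8_t *val = buf + 4;
    int cls = val[2] & 0x07, num = val[3];
    if (cls < 3 || cls > 6 || num > 99) return -1;   /* ranges allowed by RFC 5389 */
    out->code = cls * 100 + num;
    out->reason = val + ERRCODE_FIXED_LEN;
    out->reason_len = (size_t)len - ERRCODE_FIXED_LEN;
    return 0;
}

int main(void)
{
    /* Constructed samples: a valid 401 "bad", and a length-2 attribute. */
    const uint8_t good[] = {0x00,0x09,0x00,0x07, 0x00,0x00,0x04,0x01, 'b','a','d',0x00};
    const uint8_t tiny[] = {0x00,0x09,0x00,0x02, 0x00,0x00,0x00,0x00};
    struct stun_errcode ec;
    if (parse_errcode_attr(good, sizeof good, &ec) == 0)
        printf("code=%d reason=%.*s\n", ec.code, (int)ec.reason_len, (const char *)ec.reason);
    printf("tiny: rc=%d, unchecked length would be %zu\n",
           parse_errcode_attr(tiny, sizeof tiny, &ec), unchecked_reason_len(2));
    return 0;
}
```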