<html><head></head><body>The Asterisk Development Team would like to announce security releases for<br>Asterisk 13, 16, 17 and 18, and Certified Asterisk 16.8. The available releases<br>are released as versions 13.37.1, 16.14.1, 17.8.1, 18.0.1 and 16.8-cert5.<br><br>These releases are available for immediate download at<br><br><a href='https://downloads.asterisk.org/pub/telephony/asterisk/releases'>https://downloads.asterisk.org/pub/telephony/asterisk/releases</a><br><a href='https://downloads.asterisk.org/pub/telephony/certified-asterisk/releases'>https://downloads.asterisk.org/pub/telephony/certified-asterisk/releases</a><br><br>The following security vulnerabilities were resolved in these versions:<br><br><ul><li> AST-2020-001: Remote crash in res_pjsip_session<br>Upon receiving a new SIP Invite, Asterisk did not return the created dialog<br>locked or referenced.<br></li><br><li> AST-2020-002: Outbound INVITE loop on challenge with different nonce.<br>If Asterisk is challenged on an outbound INVITE and the nonce is changed in<br>each response, Asterisk will continually send INVITEs in a loop. This causes<br>Asterisk to consume more and more memory since the transaction will never<br>terminate (even if the call is hung up), ultimately leading to a restart or<br>shutdown of Asterisk. Outbound authentication must be configured on the<br>endpoint for this to occur.<br></li></ul><br>For a full list of changes in the current releases, please see the ChangeLogs:<br><br><a href='https://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-13.37.1'>ChangeLog-13.37.1</a><br><a href='https://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-16.14.1'>ChangeLog-16.14.1</a><br><a href='https://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-17.8.1'>ChangeLog-17.8.1</a><br><a href='https://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-18.0.1'>ChangeLog-18.0.1</a><br><a href='https://downloads.asterisk.org/pub/telephony/certified-asterisk/releases/ChangeLog-certified-16.8-cert5'>ChangeLog-certified-16.8-cert5</a><br><br>The security advisories are available at:<br><br><a href='https://downloads.asterisk.org/pub/security/AST-2020-001.pdf'>AST-2020-001.pdf</a><br><a href='https://downloads.asterisk.org/pub/security/AST-2020-002.pdf'>AST-2020-002.pdf</a><br><br>Thank you for your continued support of Asterisk!</body></html>