<html><head></head><body>The Asterisk Development Team would like to announce security releases for<br>
Asterisk 16, 18 and 19, and Certified Asterisk 16.8. The available releases are<br>
released as versions 16.24.1, 18.10.1, 19.2.1 and 16.8-cert13.<br>
<br>
These releases are available for immediate download at<br>
<br>
<a href='https://downloads.asterisk.org/pub/telephony/asterisk/releases'>https://downloads.asterisk.org/pub/telephony/asterisk/releases</a><br>
<a href='https://downloads.asterisk.org/pub/telephony/certified-asterisk/releases'>https://downloads.asterisk.org/pub/telephony/certified-asterisk/releases</a><br>
<br>
The following security vulnerabilities were resolved in these versions:<br>
<br>
<ul>
<li> AST-2022-004: pjproject: integer underflow on STUN message<br>
The header length on incoming STUN messages that contain an ERROR-CODE<br>
attribute is not properly checked. This can result in an integer underflow.<br>
Note, this requires ICE or WebRTC support to be in use with a malicious remote<br>
party.<br>
</li>
<br>
<li> AST-2022-005: pjproject: undefined behavior after freeing a dialog set<br>
When acting as a UAC, and when placing an outgoing call to a target that then<br>
forks Asterisk may experience undefined behavior (crashes, hangs, etc…)<br>
after a dialog set is prematurely freed.<br>
</li>
<br>
<li> AST-2022-006: pjproject: unconstrained malformed multipart SIP message<br>
If an incoming SIP message contains a malformed multi-part body an out of<br>
bounds read access may occur, which can result in undefined behavior. Note,<br>
it’s currently uncertain if there is any externally exploitable vector<br>
within Asterisk for this issue, but providing this as a security issue out of<br>
caution.<br>
</li>
</ul>
<br>
For a full list of changes in the current releases, please see the ChangeLogs:<br>
<br>
<a href='https://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-16.24.1'>ChangeLog-16.24.1</a><br>
<a href='https://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-18.10.1'>ChangeLog-18.10.1</a><br>
<a href='https://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-19.2.1'>ChangeLog-19.2.1</a><br>
<a href='https://downloads.asterisk.org/pub/telephony/certified-asterisk/releases/ChangeLog-certified-16.8-cert13'>ChangeLog-certified-16.8-cert13</a><br>
<br>
The security advisories are available at:<br>
<br>
<a href='https://downloads.asterisk.org/pub/security/AST-2022-004.pdf'>AST-2022-004.pdf</a><br>
<a href='https://downloads.asterisk.org/pub/security/AST-2022-005.pdf'>AST-2022-005.pdf</a><br>
<a href='https://downloads.asterisk.org/pub/security/AST-2022-006.pdf'>AST-2022-006.pdf</a><br>
<br>
Thank you for your continued support of Asterisk!</body></html>