<html><head></head><body>The Asterisk Development Team would like to announce security releases for<br>
Asterisk 16, 18 and 19, and Certified Asterisk 16.8. The new versions are<br>
16.25.2, 18.11.2, 19.3.2 and 16.8-cert14.<br>
<br>
These releases are available for immediate download at<br>
<br>
<a href='https://downloads.asterisk.org/pub/telephony/asterisk/releases'>https://downloads.asterisk.org/pub/telephony/asterisk/releases</a><br>
<a href='https://downloads.asterisk.org/pub/telephony/certified-asterisk/releases'>https://downloads.asterisk.org/pub/telephony/certified-asterisk/releases</a><br>
<br>
The following security vulnerabilities were resolved in these versions:<br>
<br>
<ul>
<li> AST-2022-001: res_stir_shaken: resource exhaustion with large files<br>
When using STIR/SHAKEN, it’s possible to download files that are not<br>
certificates. These files could be much larger than what you would expect to<br>
download.<br>
</li>
<br>
<li> AST-2022-002: res_stir_shaken: SSRF vulnerability with Identity header<br>
When using STIR/SHAKEN, it’s possible to send arbitrary requests like GET to<br>
interfaces such as localhost using the Identity header.<br>
</li>
<br>
<li> AST-2022-003: func_odbc: Possible SQL Injection<br>
Some databases can use backslashes to escape certain characters, such as<br>
backticks. If input that includes backslashes is provided to func_odbc, it is<br>
possible for func_odbc to construct a broken SQL query, and for that query to<br>
fail.<br>
</li>
</ul>
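<br>
The failure described in AST-2022-003, as an added example (not code from Asterisk or its advisories): the function names, the single-quoted literal and the sample value are assumptions made for illustration. It compares quote-only escaping with escaping that also doubles backslashes, and checks each result the way a database with or without backslash escapes would read it.<br>

```python
# Added illustration. All names here are hypothetical, not func_odbc's own.

SAMPLE = "C:\\temp\\"  # constructed input: a path that ends in a backslash


def escape_quotes(value):
    """Double single quotes only; correct when backslash is an ordinary character."""
    return value.replace("'", "''")


def escape_quotes_and_backslashes(value):
    """Also double backslashes, for databases that treat backslash as an escape."""
    return value.replace("\\", "\\\\").replace("'", "''")


def quote(value, escape):
    """Build a single-quoted SQL string literal using the given escaping function."""
    return "'" + escape(value) + "'"


def literal_closes_cleanly(literal, backslash_escapes):
    """Scan a quoted literal as the database would; True if it ends at its last quote."""
    if not literal.startswith("'"):
        return False
    chars = iter(enumerate(literal[1:], start=1))
    for i, ch in chars:
        if ch == "\\" and backslash_escapes:
            next(chars, None)  # the following character is consumed as escaped
        elif ch == "'":
            if literal[i + 1:i + 2] == "'":
                next(chars, None)  # doubled quote stands for one literal quote
            else:
                return i == len(literal) - 1  # closing quote must be the final character
    return False  # input ended while still inside the literal: the query is broken


if __name__ == "__main__":
    for escape in (escape_quotes, escape_quotes_and_backslashes):
        literal = quote(SAMPLE, escape)
        for dialect in (False, True):
            ok = literal_closes_cleanly(literal, backslash_escapes=dialect)
            print(escape.__name__, "backslash_escapes=%s" % dialect, literal, "ok" if ok else "BROKEN")
```

The escaping has to match the database in use: doubling backslashes for a database that treats them as ordinary characters still yields a valid literal, but the stored value gains extra backslashes.<br>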
<br>
For a full list of changes in the current releases, please see the ChangeLogs:<br>
<br>
<a href='https://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-16.25.2'>ChangeLog-16.25.2</a><br>
<a href='https://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-18.11.2'>ChangeLog-18.11.2</a><br>
<a href='https://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-19.3.2'>ChangeLog-19.3.2</a><br>
<a href='https://downloads.asterisk.org/pub/telephony/certified-asterisk/releases/ChangeLog-certified-16.8-cert14'>ChangeLog-certified-16.8-cert14</a><br>
<br>
The security advisories are available at:<br>
<br>
<a href='https://downloads.asterisk.org/pub/security/AST-2022-001.pdf'>AST-2022-001.pdf</a><br>
<a href='https://downloads.asterisk.org/pub/security/AST-2022-002.pdf'>AST-2022-002.pdf</a><br>
<a href='https://downloads.asterisk.org/pub/security/AST-2022-003.pdf'>AST-2022-003.pdf</a><br>
<br>
Thank you for your continued support of Asterisk!</body></html>