<html><head></head><body>The Asterisk Development Team would like to announce security releases for<br>Asterisk 15, 13 and 14, and Certified Asterisk 13.18 and 13.21. The available<br>releases are released as versions 15.4.1, 13.21.1, 14.7.7, 13.18-cert4 and<br>13.21-cert2.<br><br>These releases are available for immediate download at<br><br><a href='https://downloads.asterisk.org/pub/telephony/asterisk/releases'>https://downloads.asterisk.org/pub/telephony/asterisk/releases</a><br><a href='https://downloads.asterisk.org/pub/telephony/certified-asterisk/releases'>https://downloads.asterisk.org/pub/telephony/certified-asterisk/releases</a><br><br>The following security vulnerabilities were resolved in these versions:<br><br><ul><li> AST-2018-007: Infinite loop when reading iostreams<br>When connected to Asterisk via TCP/TLS if the client abruptly disconnects, or<br>sends a specially crafted message then Asterisk gets caught in an infinite<br>loop while trying to read the data stream. Thus rendering the system as<br>unusable.<br></li><br><li> AST-2018-008: PJSIP endpoint presence disclosure when using ACL<br>When endpoint specific ACL rules block a SIP request they respond with a 403<br>forbidden. However, if an endpoint is not identified then a 401 unauthorized<br>response is sent. This vulnerability just discloses which requests hit a<br>defined endpoint. The ACL rules cannot be bypassed to gain access to the<br>disclosed endpoints.<br></li></ul><br>For a full list of changes in the current releases, please see the ChangeLogs:<br><br><a href='https://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-15.4.1'>ChangeLog-15.4.1</a><br><a href='https://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-13.21.1'>ChangeLog-13.21.1</a><br><a href='https://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-14.7.7'>ChangeLog-14.7.7</a><br><a href='https://downloads.asterisk.org/pub/telephony/certified-asterisk/releases/ChangeLog-certified-13.18-cert4'>ChangeLog-certified-13.18-cert4</a><br><a href='https://downloads.asterisk.org/pub/telephony/certified-asterisk/releases/ChangeLog-certified-13.21-cert2'>ChangeLog-certified-13.21-cert2</a><br><br>The security advisories are available at:<br><br><a href='https://downloads.asterisk.org/pub/security/AST-2018-007.pdf'>AST-2018-007.pdf</a><br><a href='https://downloads.asterisk.org/pub/security/AST-2018-008.pdf'>AST-2018-008.pdf</a><br><br>Thank you for your continued support of Asterisk!</body></html>