<html><head></head><body>The Asterisk Development Team would like to announce security releases for<br>Asterisk 13, 14 and 15, and Certified Asterisk 13.21. The available releases are<br>released as versions 13.23.1, 14.7.8, 15.6.1 and 13.21-cert3.<br><br>These releases are available for immediate download at<br><br><a href='https://downloads.asterisk.org/pub/telephony/asterisk/releases'>https://downloads.asterisk.org/pub/telephony/asterisk/releases</a><br><a href='https://downloads.asterisk.org/pub/telephony/certified-asterisk/releases'>https://downloads.asterisk.org/pub/telephony/certified-asterisk/releases</a><br><br>The following security vulnerabilities were resolved in these versions:<br><br><ul><li> AST-2018-009: Remote crash vulnerability in HTTP websocket upgrade<br>There is a stack overflow vulnerability in the res_http_websocket.so module of<br>Asterisk that allows an attacker to crash Asterisk via a specially crafted<br>HTTP request to upgrade the connection to a websocket. The attacker’s<br>request causes Asterisk to run out of stack space and crash.<br></li></ul><br>For a full list of changes in the current releases, please see the ChangeLogs:<br><br><a href='https://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-13.23.1'>ChangeLog-13.23.1</a><br><a href='https://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-14.7.8'>ChangeLog-14.7.8</a><br><a href='https://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-15.6.1'>ChangeLog-15.6.1</a><br><a href='https://downloads.asterisk.org/pub/telephony/certified-asterisk/releases/ChangeLog-certified-13.21-cert3'>ChangeLog-certified-13.21-cert3</a><br><br>The security advisory is available at:<br><br><a href='https://downloads.asterisk.org/pub/security/AST-2018-009.pdf'>AST-2018-009.pdf</a><br><br>Thank you for your continued support of Asterisk!</body></html>