From asteriskteam at digium.com Thu Dec 14 14:32:12 2023
From: asteriskteam at digium.com (Asterisk Development Team)
Date: Thu, 14 Dec 2023 13:32:12 -0700
Subject: [asterisk-security] CORRECTED asterisk release certified-18.9-cert6
Message-ID:

The earlier release announcement should NOT have had any User or Upgrade notes.

The Asterisk Development Team would like to announce security release Certified Asterisk 18.9-cert6.

The release artifacts are available for immediate download at
https://github.com/asterisk/asterisk/releases/tag/certified-18.9-cert6
and
https://downloads.asterisk.org/pub/telephony/certified-asterisk

The following security advisories were resolved in this release:

- [Path traversal via AMI GetConfig allows access to outside files](https://github.com/asterisk/asterisk/security/advisories/GHSA-8857-hfmw-vg8f)
- [Asterisk susceptible to Denial of Service via DTLS Hello packets during call initiation](https://github.com/asterisk/asterisk/security/advisories/GHSA-hxj9-xwr8-w8pq)
- [PJSIP logging allows attacker to inject fake Asterisk log entries](https://github.com/asterisk/asterisk/security/advisories/GHSA-5743-x3p5-3rg7)
- [PJSIP_HEADER dialplan function can overwrite memory/cause crash when using 'update'](https://github.com/asterisk/asterisk/security/advisories/GHSA-98rc-4j27-74hh)

Change Log for Release asterisk-certified-18.9-cert6
========================================

Links:
----------------------------------------

- [Full ChangeLog](https://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-certified-18.9-cert6.md)
- [GitHub Diff](https://github.com/asterisk/asterisk/compare/certified-18.9-cert5...certified-18.9-cert6)
- [Tarball](https://downloads.asterisk.org/pub/telephony/asterisk/asterisk-certified-18.9-cert6.tar.gz)
- [Downloads](https://downloads.asterisk.org/pub/telephony/asterisk)

Summary:
----------------------------------------

- res_pjsip_header_funcs: Duplicate new header value, don't copy.
- res_rtp_asterisk.c: Check DTLS packets against ICE candidate list
- manager.c: Prevent path traversal with GetConfig.
- res_pjsip: disable raw bad packet logging

User Notes:
----------------------------------------

Upgrade Notes:
----------------------------------------

Closed Issues:
----------------------------------------

None

From asteriskteam at digium.com Thu Dec 14 14:34:16 2023
From: asteriskteam at digium.com (Asterisk Development Team)
Date: Thu, 14 Dec 2023 13:34:16 -0700
Subject: [asterisk-security] CORRECTED asterisk release 21.0.1
In-Reply-To:
References:
Message-ID:

The earlier announcement should not have had any User or Upgrade notes.

The Asterisk Development Team would like to announce security release Asterisk 21.0.1.

The release artifacts are available for immediate download at
https://github.com/asterisk/asterisk/releases/tag/21.0.1
and
https://downloads.asterisk.org/pub/telephony/asterisk

The following security advisories were resolved in this release:

- [Path traversal via AMI GetConfig allows access to outside files](https://github.com/asterisk/asterisk/security/advisories/GHSA-8857-hfmw-vg8f)
- [Asterisk susceptible to Denial of Service via DTLS Hello packets during call initiation](https://github.com/asterisk/asterisk/security/advisories/GHSA-hxj9-xwr8-w8pq)
- [PJSIP logging allows attacker to inject fake Asterisk log entries](https://github.com/asterisk/asterisk/security/advisories/GHSA-5743-x3p5-3rg7)
- [PJSIP_HEADER dialplan function can overwrite memory/cause crash when using 'update'](https://github.com/asterisk/asterisk/security/advisories/GHSA-98rc-4j27-74hh)

Change Log for Release asterisk-21.0.1
========================================

Links:
----------------------------------------

- [Full ChangeLog](https://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-21.0.1.md)
- [GitHub Diff](
https://github.com/asterisk/asterisk/compare/21.0.0...21.0.1)
- [Tarball](https://downloads.asterisk.org/pub/telephony/asterisk/asterisk-21.0.1.tar.gz)
- [Downloads](https://downloads.asterisk.org/pub/telephony/asterisk)

Summary:
----------------------------------------

- res_pjsip_header_funcs: Duplicate new header value, don't copy.
- res_pjsip: disable raw bad packet logging
- res_rtp_asterisk.c: Check DTLS packets against ICE candidate list
- manager.c: Prevent path traversal with GetConfig.

User Notes:
----------------------------------------

Upgrade Notes:
----------------------------------------

Closed Issues:
----------------------------------------

None

From info at royaldesign.se Thu Dec 14 15:11:10 2023
From: info at royaldesign.se (Royal Design)
Date: Thu, 14 Dec 2023 21:11:10 +0000
Subject: [asterisk-security] CORRECTED asterisk release certified-18.9-cert6
In-Reply-To:
References: <57276b05a0c14f71aff36afe436a2fde@email.dixa.io>
Message-ID: <0102018c6a2b485b-0ecc33f6-f16c-4e73-87a0-547081c7a55d-000000@eu-west-1.amazonses.com>

Dear customer, thank you for contacting us!

Our customer service is currently experiencing high demand, and we are doing our utmost to respond to your request as quickly as possible. Thank you for your patience and understanding!

You can find frequently asked questions and answers via the link below:
https://royaldesign.se/kundtjanst

For cancellations, we advise you to call us on: 010 750 25 21

Have a nice day!

Previous-message-reference: <57276b05a0c14f71aff36afe436a2fde at email.dixa.io>

Asterisk Development Team
December 14, 21:11 GMT

The earlier release announcement should NOT have had any User or Upgrade notes.

The Asterisk Development Team would like to announce security release Certified Asterisk 18.9-cert6.
The release artifacts are available for immediate download at
https://github.com/asterisk/asterisk/releases/tag/certified-18.9-cert6
and
https://downloads.asterisk.org/pub/telephony/certified-asterisk

The following security advisories were resolved in this release:

- Path traversal via AMI GetConfig allows access to outside files
- Asterisk susceptible to Denial of Service via DTLS Hello packets during call initiation
- PJSIP logging allows attacker to inject fake Asterisk log entries
- PJSIP_HEADER dialplan function can overwrite memory/cause crash when using 'update'

Change Log for Release asterisk-certified-18.9-cert6

Links:

* Full ChangeLog
* GitHub Diff
* Tarball
* Downloads

Summary:

* res_pjsip_header_funcs: Duplicate new header value, don't copy.
* res_rtp_asterisk.c: Check DTLS packets against ICE candidate list
* manager.c: Prevent path traversal with GetConfig.
* res_pjsip: disable raw bad packet logging

User Notes:

Upgrade Notes:

Closed Issues:

None