[asterisk-users] Asterisk 11.25.3, 13.17.2, 14.6.2, Asterisk 11.6-cert18, Asterisk 13.13-cert6 Now Available (Security Release)
Asterisk Development Team
asteriskteam at digium.com
Tue Sep 19 12:34:11 CDT 2017
The Asterisk Development Team has announced security releases for Asterisk
11, 13, and 14, and for Certified Asterisk 11.6 and 13.13. The available
security release versions are 11.25.3, 13.17.2, 14.6.2, 11.6-cert18, and
13.13-cert6.
These releases are available for immediate download at
http://downloads.asterisk.org/pub/telephony/asterisk/releases
http://downloads.asterisk.org/pub/telephony/certified-asterisk/releases/
The release of these versions resolves the following security
vulnerabilities:
* AST-2017-008: Insufficient RTCP packet validation could allow reading
stale buffer contents and when combined with the “nat” and “symmetric_rtp”
options allow redirecting where Asterisk sends the next RTCP report.
The RTP stream qualification to learn the source address of media always
accepted the first RTP packet as the new source and allowed what
AST-2017-005 was mitigating. The intent was to qualify a series of packets
before accepting the new source address.
For a full list of changes in the current releases, please see the
ChangeLogs:
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-11.25.3
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-13.17.2
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-14.6.2
http://downloads.asterisk.org/pub/telephony/certified-asterisk/releases/ChangeLog-certified-11.6-cert18
http://downloads.asterisk.org/pub/telephony/certified-asterisk/releases/ChangeLog-certified-13.13-cert6
The security advisories are available at:
* http://downloads.asterisk.org/pub/security/AST-2017-008.pdf
Thank you for your continued support of Asterisk!
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.digium.com/pipermail/asterisk-users/attachments/20170919/11726510/attachment.html>
More information about the asterisk-users
mailing list