[asterisk-users] Asterisk 16.24.1, 18.10.1, 19.2.1 and 16.8-cert13 Now Available (Security)

Asterisk Development Team asteriskteam at digium.com
Fri Mar 4 14:01:59 CST 2022


The Asterisk Development Team would like to announce security releases for
Asterisk 16, 18 and 19, and Certified Asterisk 16.8. The available releases are
released as versions 16.24.1, 18.10.1, 19.2.1 and 16.8-cert13.

These releases are available for immediate download at

https://downloads.asterisk.org/pub/telephony/asterisk/releases
https://downloads.asterisk.org/pub/telephony/certified-asterisk/releases

The following security vulnerabilities were resolved in these versions:

* AST-2022-004: pjproject: integer underflow on STUN message
  The header length on incoming STUN messages that contain an ERROR-CODE
  attribute is not properly checked. This can result in an integer underflow.
  Note, this requires ICE or WebRTC support to be in use with a malicious remote
  party.

* AST-2022-005: pjproject: undefined behavior after freeing a dialog set
  When acting as a UAC, and when placing an outgoing call to a target that then
  forks Asterisk may experience undefined behavior (crashes, hangs, etc���)
  after a dialog set is prematurely freed.

* AST-2022-006: pjproject: unconstrained malformed multipart SIP message
  If an incoming SIP message contains a malformed multi-part body an out of
  bounds read access may occur, which can result in undefined behavior. Note,
  it���s currently uncertain if there is any externally exploitable vector
  within Asterisk for this issue, but providing this as a security issue out of
  caution.

For a full list of changes in the current releases, please see the ChangeLogs:

https://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-16.24.1
https://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-18.10.1
https://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-19.2.1
https://downloads.asterisk.org/pub/telephony/certified-asterisk/releases/ChangeLog-certified-16.8-cert13

The security advisories are available at:

https://downloads.asterisk.org/pub/security/AST-2022-004.pdf
https://downloads.asterisk.org/pub/security/AST-2022-005.pdf
https://downloads.asterisk.org/pub/security/AST-2022-006.pdf

Thank you for your continued support of Asterisk!
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.digium.com/pipermail/asterisk-users/attachments/20220304/fdb9bf87/attachment.html>


More information about the asterisk-users mailing list