<html><head></head><body>The Asterisk Development Team would like to announce security releases for<br>Asterisk 13, 14 and 15, and Certified Asterisk 13.18. The available releases are<br>released as versions 13.18.5, 14.7.5, 15.1.5 and 13.18-cert2.<br><br>These releases are available for immediate download at<br><br><a href='https://downloads.asterisk.org/pub/telephony/asterisk/releases'>https://downloads.asterisk.org/pub/telephony/asterisk/releases</a><br><a href='https://downloads.asterisk.org/pub/telephony/certified-asterisk/releases'>https://downloads.asterisk.org/pub/telephony/certified-asterisk/releases</a><br><br>The following security vulnerabilities were resolved in these versions:<br><br><ul><li> AST-2017-014: Crash in PJSIP resource when missing a contact header<br>A select set of SIP messages create a dialog in Asterisk. Those SIP messages<br>must contain a contact header. For those messages, if the header was not<br>present and using the PJSIP channel driver, it would cause Asterisk to crash.<br>The severity of this vulnerability is somewhat mitigated if authentication is<br>enabled. If authentication is enabled a user would have to first be authorized<br>before reaching the crash point.<br></li></ul><br>For a full list of changes in the current releases, please see the ChangeLogs:<br><br><a href='https://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-13.18.5'>ChangeLog-13.18.5</a><br><a href='https://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-14.7.5'>ChangeLog-14.7.5</a><br><a href='https://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-15.1.5'>ChangeLog-15.1.5</a><br><a href='https://downloads.asterisk.org/pub/telephony/certified-asterisk/releases/ChangeLog-certified-13.18-cert2'>ChangeLog-certified-13.18-cert2</a><br><br>The security advisory is available at:<br><br><a href='https://downloads.asterisk.org/pub/security/AST-2017-014.pdf'>AST-2017-014.pdf</a><br><br>Thank you for your continued support of Asterisk!</body></html>