<html><head></head><body>The Asterisk Development Team would like to announce security releases for<br>Asterisk 13, 14 and 15, and Certified Asterisk 13.18. The available releases are<br>released as versions 13.19.2, 14.7.6, 15.2.2 and 13.18-cert3.<br><br>These releases are available for immediate download at<br><br><a href='https://downloads.asterisk.org/pub/telephony/asterisk/releases'>https://downloads.asterisk.org/pub/telephony/asterisk/releases</a><br><a href='https://downloads.asterisk.org/pub/telephony/certified-asterisk/releases'>https://downloads.asterisk.org/pub/telephony/certified-asterisk/releases</a><br><br>The following security vulnerabilities were resolved in these versions:<br><br><ul><li> AST-2018-001: Crash when receiving unnegotiated dynamic payload<br>The RTP support in Asterisk maintains its own registry of dynamic codecs and<br>desired payload numbers. While an SDP negotiation may result in a codec using<br>a different payload number these desired ones are still stored internally.<br>When an RTP packet was received this registry would be consulted if the<br>payload number was not found in the negotiated SDP. This registry was<br>incorrectly consulted for all packets, even those which are dynamic. If the<br>payload number resulted in a codec of a different type than the RTP stream<br>(for example the payload number resulted in a video codec but the stream<br>carried audio) a crash could occur if no stream of that type had been<br>negotiated. This was due to the code incorrectly assuming that a stream of the<br>type would always exist.<br></li><br><li> AST-2018-002: Crash when given an invalid SDP media format description<br>By crafting an SDP message with an invalid media format description Asterisk<br>crashes when using the pjsip channel driver because pjproject's sdp parsing<br>algorithm fails to catch the invalid media format description.<br></li><br><li> AST-2018-003: Crash with an invalid SDP fmtp attribute<br>By crafting an SDP message body with an invalid fmtp attribute Asterisk<br>crashes when using the pjsip channel driver because pjproject's fmtp retrieval<br>function fails to check if fmtp value is empty (set empty if previously parsed<br>as invalid).<br></li><br><li> AST-2018-004: Crash when receiving SUBSCRIBE request<br>When processing a SUBSCRIBE request the res_pjsip_pubsub module stores the<br>accepted formats present in the Accept headers of the request. This code did<br>not limit the number of headers it processed despite having a fixed limit of<br>32. If more than 32 Accept headers were present the code would write outside<br>of its memory and cause a crash.<br></li><br><li> AST-2018-005: Crash when large numbers of TCP connections are closed suddenly<br>A crash occurs when a number of authenticated INVITE messages are sent over<br>TCP or TLS and then the connection is suddenly closed. This issue leads to a<br>segmentation fault.<br></li><br><li> AST-2018-006: WebSocket frames with 0 sized payload causes DoS<br>When reading a websocket, the length was not being checked. If a payload of<br>length 0 was read, it would result in a busy loop that waited for the<br>underlying connection to close.<br></li></ul><br>For a full list of changes in the current releases, please see the ChangeLogs:<br><br><a href='https://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-13.19.2'>ChangeLog-13.19.2</a><br><a href='https://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-14.7.6'>ChangeLog-14.7.6</a><br><a href='https://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-15.2.2'>ChangeLog-15.2.2</a><br><a href='https://downloads.asterisk.org/pub/telephony/certified-asterisk/releases/ChangeLog-certified-13.18-cert3'>ChangeLog-certified-13.18-cert3</a><br><br>The security advisories are available at:<br><br><a href='https://downloads.asterisk.org/pub/security/AST-2018-001.pdf'>AST-2018-001.pdf</a><br><a href='https://downloads.asterisk.org/pub/security/AST-2018-002.pdf'>AST-2018-002.pdf</a><br><a href='https://downloads.asterisk.org/pub/security/AST-2018-003.pdf'>AST-2018-003.pdf</a><br><a href='https://downloads.asterisk.org/pub/security/AST-2018-004.pdf'>AST-2018-004.pdf</a><br><a href='https://downloads.asterisk.org/pub/security/AST-2018-005.pdf'>AST-2018-005.pdf</a><br><a href='https://downloads.asterisk.org/pub/security/AST-2018-006.pdf'>AST-2018-006.pdf</a><br><br>Thank you for your continued support of Asterisk!</body></html>