Asterisk 13.13-cert3, 13.14.1, 14.3.1 Now Available (Security Release)


The Asterisk Development Team has announced security releases for Certified
Asterisk 13.13 and Asterisk 13 and 14. The available security releases
are released as versions 13.13-cert3, 13.14.1, and 14.3.1.

These releases are available for immediate download at
http://downloads.asterisk.org/pub/telephony/asterisk/releases

The release of these versions resolves the following security
vulnerabilities:

  • AST-2017-001: Buffer overflow in CDR’s set user
    No size checking is done when setting the user field on a CDR. Thus,
    it is possible for someone to use an arbitrarily large string and write past
    the end of the user field storage buffer. This allows the possibility of
    remote code injection.

For a full list of changes in the current releases, please see the
ChangeLogs:

http://downloads.asterisk.org/pub/telephony/certified-asterisk/releases/ChangeLog-13.13-cert3
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-13.14.1
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-14.3.1

The security advisories are available at:

Thank you for your continued support of Asterisk!
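
The bug class described in AST-2017-001, as an added example that is not part of the original announcement and is not Asterisk's code: a setter that copies into a fixed-size field with no size check, beside a bounded version. The struct, the function names and the 16-byte field size are assumptions made for the demo.

```c
#include <stdio.h>
#include <string.h>

#define USERFIELD_LEN 16   /* assumed size for this demo, not Asterisk's */

/* Hypothetical record: a fixed-size user field followed by other data. */
struct demo_cdr {
    char userfield[USERFIELD_LEN];
    int  flags;            /* neighbour that an overflow would overwrite */
};

/* The unchecked pattern: shown for contrast, never called here. */
void set_user_unchecked(struct demo_cdr *cdr, const char *value)
{
    strcpy(cdr->userfield, value);   /* writes past userfield if value is long */
}

/* Bounded setter: stores at most USERFIELD_LEN - 1 bytes plus the NUL.
 * Returns 0 if stored whole, 1 if truncated, -1 on bad arguments. */
int set_user_bounded(struct demo_cdr *cdr, const char *value)
{
    size_t n;

    if (!cdr || !value)
        return -1;
    n = strlen(value);
    if (n >= sizeof(cdr->userfield)) {
        memcpy(cdr->userfield, value, sizeof(cdr->userfield) - 1);
        cdr->userfield[sizeof(cdr->userfield) - 1] = '\0';
        return 1;                    /* caller can log or reject the input */
    }
    memcpy(cdr->userfield, value, n + 1);
    return 0;
}

int main(void)
{
    struct demo_cdr cdr = { "", 0x5a5a };
    char big[200];                   /* constructed oversized input */
    int rc;

    memset(big, 'A', sizeof(big) - 1);
    big[sizeof(big) - 1] = '\0';
    rc = set_user_bounded(&cdr, big);
    printf("rc=%d len=%zu flags=0x%x\n", rc, strlen(cdr.userfield),
           (unsigned)cdr.flags);
    return 0;
}
```

The truncation return value lets the caller decide whether to reject or log an oversized user field instead of silently accepting it.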
