The Asterisk Development Team would like to announce security releases for Asterisk 13, 15 and 16, and Certified Asterisk 13.21. The available releases are released as versions 13.27.1, 15.7.3, 16.4.1 and 13.21-cert4. These releases are available for immediate download at https://downloads.asterisk.org/pub/telephony/asterisk/releases https://downloads.asterisk.org/pub/telephony/certified-asterisk/releases The following security vulnerabilities were resolved in these versions: * AST-2019-002: Remote crash vulnerability with MESSAGE messages A specially crafted SIP in-dialog MESSAGE message can cause Asterisk to crash. * AST-2019-003: Remote Crash Vulnerability in chan_sip channel driver When T.38 faxing is done in Asterisk a T.38 reinvite may be sent to an endpoint to switch it to T.38. If the endpoint responds with an improperly formatted SDP answer including both a T.38 UDPTL stream and an audio or video stream containing only codecs not allowed on the SIP peer or user a crash will occur. The code incorrectly assumes that there will be at least one common codec when T.38 is also in the SDP answer. For a full list of changes in the current releases, please see the ChangeLogs: https://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-13.27.1 https://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-15.7.3 https://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-16.4.1 https://downloads.asterisk.org/pub/telephony/certified-asterisk/releases/ChangeLog-certified-13.21-cert4 The security advisories are available at: https://downloads.asterisk.org/pub/security/AST-2019-002.pdf https://downloads.asterisk.org/pub/security/AST-2019-003.pdf Thank you for your continued support of Asterisk!