Asterisk 13.28.1, 15.7.4 and 16.5.1 Now Available (Security Release)

The Asterisk Development Team would like to announce security releases for
Asterisk 13, 15 and 16. The available releases are released as versions 13.28.1,
15.7.4 and 16.5.1.

These releases are available for immediate download at

https://downloads.asterisk.org/pub/telephony/asterisk/releases

The following security vulnerabilities were resolved in these versions:

  • AST-2019-004: Crash when negotiating for T.38 with a declined stream
    When Asterisk sends a re-invite initiating T.38 faxing, and the endpoint
    responds with a declined media stream a crash will then occur in Asterisk.

  • AST-2019-005: Remote Crash Vulnerability in audio transcoding
    When audio frames are given to the audio transcoding support in Asterisk the
    number of samples are examined and as part of this a message is output to
    indicate that no samples are present. A change was done to suppress this
    message for a particular scenario in which the message was not relevant. This
    change assumed that information about the origin of a frame will always exist
    when in reality it may not.

For a full list of changes in the current releases, please see the ChangeLogs:

ChangeLog-13.28.1
ChangeLog-15.7.4
ChangeLog-16.5.1

The security advisories are available at:

AST-2019-004.pdf
AST-2019-005.pdf

Thank you for your continued support of Asterisk!