The Asterisk Development Team would like to announce security releases for
Asterisk 13, 15 and 16. The available releases are released as versions 13.28.1,
15.7.4 and 16.5.1.
These releases are available for immediate download at
https://downloads.asterisk.org/pub/telephony/asterisk/releases
The following security vulnerabilities were resolved in these versions:
- AST-2019-004: Crash when negotiating for T.38 with a declined stream
When Asterisk sends a re-invite initiating T.38 faxing, and the endpoint
responds with a declined media stream a crash will then occur in Asterisk.
- AST-2019-005: Remote Crash Vulnerability in audio transcoding
When audio frames are given to the audio transcoding support in Asterisk the
number of samples are examined and as part of this a message is output to
indicate that no samples are present. A change was done to suppress this
message for a particular scenario in which the message was not relevant. This
change assumed that information about the origin of a frame will always exist
when in reality it may not.
For a full list of changes in the current releases, please see the ChangeLogs:
ChangeLog-13.28.1
ChangeLog-15.7.4
ChangeLog-16.5.1
The security advisories are available at:
AST-2019-004.pdf
AST-2019-005.pdf
Thank you for your continued support of Asterisk!