The Asterisk Development Team would like to announce security releases for
Asterisk 16, 18 and 19, and Certified Asterisk 16.8. The available releases are
released as versions 16.24.1, 18.10.1, 19.2.1 and 16.8-cert13.
These releases are available for immediate download at
https://downloads.asterisk.org/pub/telephony/asterisk/releases
https://downloads.asterisk.org/pub/telephony/certified-asterisk/releases
The following security vulnerabilities were resolved in these versions:
-
AST-2022-004: pjproject: integer underflow on STUN message
The header length on incoming STUN messages that contain an ERROR-CODE
attribute is not properly checked. This can result in an integer underflow.
Note, this requires ICE or WebRTC support to be in use with a malicious remote
party. -
AST-2022-005: pjproject: undefined behavior after freeing a dialog set
When acting as a UAC, and when placing an outgoing call to a target that then
forks Asterisk may experience undefined behavior (crashes, hangs, etc…)
after a dialog set is prematurely freed. -
AST-2022-006: pjproject: unconstrained malformed multipart SIP message
If an incoming SIP message contains a malformed multi-part body an out of
bounds read access may occur, which can result in undefined behavior. Note,
it’s currently uncertain if there is any externally exploitable vector
within Asterisk for this issue, but providing this as a security issue out of
caution.
For a full list of changes in the current releases, please see the ChangeLogs:
ChangeLog-16.24.1
ChangeLog-18.10.1
ChangeLog-19.2.1
ChangeLog-certified-16.8-cert13
The security advisories are available at:
AST-2022-004.pdf
AST-2022-005.pdf
AST-2022-006.pdf
Thank you for your continued support of Asterisk!