MITM is man in the middle, i.e. someone wearing a black hat intercepts the web request and provides their own answers (e.g. with added malware) using the result of a request to the original site as a basis).
It would be more typically used to extract credentials from a requester.
The reference to MD5 in 2016 presumably refers to the fact that cryptographic weaknesses have been found in the algorithm meaning it isn't as computationally difficult to tweak the hacked download so that it produces the same hash as it was intended that it should be. On the other hand, it is still cryptographically a lot stronger than a CRC or checksum, and is still a good test against non malicious corruption in the download.
Of course the other first principle in security is to do a risk assessment and provide security commensurate with the risk.
Most people will not validate check sums, although they may download under Windows, in which case their virus checker may well checksum it and compare against the values obtained for downloads by other people.
Presumably the OP wants a public key signed hash using SHA256, although how many people vet the list of root certificate providers in their browser, or hand that list in a totally secure way.
I suspect one of the reasons for the lack of even hashes for AsteriskNOW is that the target market isn't sophisticated enough to make use of them. AsteriskNOW is an instant gratification product.