Checking here on whether Asterisk will have an update soon with a patched bundled PjProject? PJSIP has vulnerabilities as of March 1st: https://jfrog.com/blog/jfrog-discloses-5-memory-corruption-vulnerabilities-in-pjsip-a-popular-multimedia-library/
From the post:
Any projects that use the PJSIP library before version 2.12 and pass attacker-controlled arguments to any of the following APIs are vulnerable:
- `pjsua_player_create` – filename argument must be attacker-controlled
- `pjsua_recorder_create` – filename argument must be attacker-controlled
- `pjsua_playlist_create` – file_names argument must be (partially) attacker-controlled
- `pjsua_call_dump` – buffer argument capacity must be smaller than 128 bytes
The disclosed PJSIP security vulnerabilities

| CVE ID | Description | Impact | JFrog CVSS |
| --- | --- | --- | --- |
| CVE-2021-43299 | Stack overflow in PJSUA API when calling `pjsua_player_create` | Code Execution | 8.1 |
| CVE-2021-43300 | Stack overflow in PJSUA API when calling `pjsua_recorder_create` | Code Execution | 8.1 |
| CVE-2021-43301 | Stack overflow in PJSUA API when calling `pjsua_playlist_create` | Code Execution | 8.1 |
| CVE-2021-43302 | Read out-of-bounds in PJSUA API when calling `pjsua_recorder_create` | Denial of Service | 5.9 |
| CVE-2021-43303 | Buffer overflow in PJSUA API when calling `pjsua_call_dump` | Denial of Service | 5.9 |